Enhancing the right-click menu for event and flow columns

You can add more actions to the right-click options that are available on the columns in the Log Activity table or the Network Activity table. For example, you can add an option to view more information about the source IP or destination IP.

Restriction: The right-click feature is not available on fields in the Event Information window.

You can pass any data that is in the event or flow to the URL or script.

Procedure

  1. Using SSH, log in to the QRadar® Console appliance as the root user.
  2. Go to the /opt/qradar/conf directory and create a file that is named arielRightClick.properties.
  3. Edit the /opt/qradar/conf/arielRightClick.properties file. Use the following table to specify the parameters that determine the options for the right-click menu.
    Table 1. Description of the arielRightClick.properties file parameters

    | Parameter | Requirement | Description | Example |
    |---|---|---|---|
    | pluginActions | Required | Indicates either a URL or script action. | |
    | arielProperty | Required | Specifies the column, or Ariel field name, for which the right-click menu is enabled. | sourceIP, sourcePort, destinationIP, qid |
    | text | Required | Specifies the text that is displayed on the right-click menu. | Google search |
    | useFormattedValue | Optional | Specifies whether formatted values are passed to the script. Set to true to ensure that the formatted value for attributes, such as username and payload, are passed. Formatted values are easier for administrators to read than unformatted values. If the parameter is set to true for the event name (QID) property, the event name of the QID is passed to the script. If the parameter is set to false, the raw, unformatted QID value is passed to the script. | |
    | url | Required to access a URL | Specifies the URL, which opens in a new window, and the parameters to pass to the URL. Use the format: $Ariel_Field Name$ | sourceIPwebUrlAction.url=http://www.mywebsite.com?q=$sourceIP$ |
    | command | Required if the action is a command | Specifies the absolute path of the command or script file. | destinationPortScriptAction.command=/bin/echo |
    | arguments | Required if the action is a command | Specifies the data to pass to the script. Use the following format: $Ariel_Field Name$ | destinationPortScriptAction.arguments=$qid$ |

    For each of the key names that are specified in the pluginActions list, define the action by using keys with the format key_name.property (for example, sourceIPwebUrlAction.text).

  4. Save and close the file.
  5. Log in to the QRadar user interface.
  6. On the navigation menu, click Admin.
  7. Click Advanced > Restart Web Server.

Example

The following example shows how to add Test URL as a right-click option for source IP addresses.

pluginActions=sourceIPwebUrlAction

sourceIPwebUrlAction.arielProperty=sourceIP
sourceIPwebUrlAction.text=Test URL
sourceIPwebUrlAction.url=http://www.mywebsite.com?q=$sourceIP$

The following example shows how to enable a script action for destination ports.

pluginActions=destinationPortScriptAction

destinationPortScriptAction.arielProperty=destinationPort
destinationPortScriptAction.text=Test Unformatted Command
destinationPortScriptAction.useFormattedValue=false
destinationPortScriptAction.command=/bin/echo
destinationPortScriptAction.arguments=$qid$

The following example shows adding several parameters to a URL or a scripting action.

pluginActions=qidwebUrlAction,sourcePortScriptAction

qidwebUrlAction.arielProperty=qid,device,eventCount
qidwebUrlAction.text=Search on Google
qidwebUrlAction.url=http://www.google.com?q=$qid$-$device$-$eventCount$

sourcePortScriptAction.arielProperty=sourcePort
sourcePortScriptAction.text=Port Unformatted Command
sourcePortScriptAction.useFormattedValue=true
sourcePortScriptAction.command=/bin/echo
sourcePortScriptAction.arguments=$qid$-$sourcePort$-$device$-$CONTEXT$
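
Because a command action runs on the Console with event or flow data as its arguments, it is worth checking the file before the web server is restarted. The following linter is an added example, not part of the product or of the original page: it checks a properties file against the requirements in Table 1. It assumes that each action defines exactly one of url or command; the names lint, parse_properties and SAMPLE are hypothetical.

```python
REQUIRED = ("arielProperty", "text")

# Constructed sample with deliberate mistakes (not taken from a real console).
SAMPLE = """\
pluginActions=sourceIPwebUrlAction,destinationPortScriptAction
sourceIPWebUrlAction.arielProperty=sourceIP
sourceIPwebUrlAction.text=Test URL
sourceIPwebUrlAction.url=http://www.mywebsite.com?q=$sourceIP$
destinationPortScriptAction.arielProperty=destinationPort
destinationPortScriptAction.text=Test Unformatted Command
destinationPortScriptAction.command=echo
"""

def parse_properties(text):
    """Parse key=value lines; skip blanks and # comments (later keys win)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            props[key.strip()] = value.strip()
    return props

def lint(text):
    """Return a list of human-readable problems; an empty list means clean."""
    props = parse_properties(text)
    actions = [a.strip() for a in props.get("pluginActions", "").split(",") if a.strip()]
    if not actions:
        return ["pluginActions is missing or empty"]
    problems = []
    for name in actions:
        def get(prop):
            return props.get(f"{name}.{prop}", "")
        problems += [f"{name}: missing required {p}" for p in REQUIRED if not get(p)]
        if bool(get("url")) == bool(get("command")):  # assumption: one or the other
            problems.append(f"{name}: set exactly one of url or command")
        if get("command") and not get("command").startswith("/"):
            problems.append(f"{name}: command must be an absolute path")
        if get("command") and not get("arguments"):
            problems.append(f"{name}: command action needs arguments")
    # A key whose prefix is not listed in pluginActions usually indicates a typo.
    for key in props:
        prefix, dot, _ = key.partition(".")
        if dot and prefix not in actions:
            problems.append(f"{key}: '{prefix}' is not listed in pluginActions")
    return problems

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no problems found")
```

The constructed sample reports four problems, including the key name whose capitalization does not match the pluginActions entry.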