Visualizing the average magnitude of an event on a geographic chart

In this example, you set the source and destination IP addresses, edit the colors that display on the scatter geo chart, and set the chart to auto rotate in the dashboard.

Before you begin

To ensure that the map renders properly in QRadar® Pulse, your browser must be connected to the internet.

Procedure

  1. Click Configure dashboard.

    The Configure dashboard screen displays a library of available widgets, with details about each widget.

  2. Click Create new widget.
  3. On the New Dashboard Item page, enter Magnitude of events as the name and provide a description.
  4. Select AQL as the data source, set the Refresh Time to every 5 minutes, and enter the following AQL query in the AQL Statement field:
    SELECT sourceip as 'Source IP',
    destinationip as 'Destination IP',
    AVG(magnitude) as 'Average Magnitude',
    count(*) as 'Number of Events', 
    GEO::LOOKUP(destinationip, 'geo_json') as destinationGeo,
    GEO::LOOKUP(sourceip, 'geo_json') as 'sourceGeo'
    from events
    group by 'Source IP'
  5. Set the Results Limit to 1000, and click Run Query.
  6. Configure the chart display. In the Views section of the page, enter Magnitude of events as the View Name and select Geographic Chart as the chart type.
  7. On the General tab, select sourceGeo in the Geographic Data field, and click the More options icon.
    1. Leave the Axis Label as sourceGeo.
    2. Select sourceGeo as the Hover Text.
    3. Pick a round symbol, green color, and size 5 for the data point.
    4. Click the More options icon to minimize the selected row.
      Figure 1. Settings for sourceGeo data
  8. Click Add Series, select destinationGeo, and repeat step 7. In step 7c, change the values to a diamond symbol, pink color, and size 8 for the data point.
    Figure 2. Settings for destinationGeo data
  9. Select Globe (Orthographic) for the Projection.
  10. Set Show Legend to Yes, and pick the Vertical legend orientation.
  11. On the Thresholds tab, click Add Threshold Indicator. You can apply thresholds only if the AQL query contains numeric columns, such as Average Magnitude, Number of Events and count(*).
    1. Select a threshold indicator, and click the More options icon.
    2. Select a column, add a threshold value, and then click Add Threshold.
    3. Change the option or use the default options. Add as many threshold values as you need.
    4. Optional: For the Point Color threshold, select a color scale mode to display on the dashboard item.
  12. Optional: Pick a scale mode to display for the Point Color threshold. The color scale mode displays under the legend on the dashboard item.
  13. On the Map tab, enable all of the options except for Display Grid.
  14. Pick colors for the lines, land, water, and borders of the map. Choose whether to display the map grid.
  15. Under Viewport, configure the latitude, longitude, and scale for how the map displays in the dashboard item. When you're happy with the preview display, click Set latitude, longitude, and scale as seen in the preview.
  16. Click Save.
    Figure 3. Geographic chart that shows the magnitude of events
  17. Optional: Click the Settings icon on the dashboard item, and toggle the Autorotate Globe switch.