The Dynamic Search data source uses the IBM® QRadar® dynamic search API to search for data by using aggregate functions such as COUNT, SUM, MAX, and AVG. For example, you can count the number of asset IDs per asset hostname by using the COUNT_PER function.
Your administrator must provide a dynamic search in the form of a JSON script. The Dynamic Search option requires QRadar 7.4.1.2020.3.2.20201112005343 (Fix Pack 2) or later.
If the QRadar version is 7.4.3 or later and you are an administrator, click the Dynamic search query builder link to build a query and save it as a JSON script to use as a widget query.
About this task
You can build your query on the following data sources:
- Assets
- Offenses
- Vulninstances
You can add a field without a function as a simple field, or you can add a field with a function as a complex field to build columns. You can also add conditions to filter your data.
- Click Configure dashboard. The Configure dashboard screen displays a library of available widgets, with details about each widget.
- Click Create new widget.
- On the New Dashboard Item page, enter a name and a description for the widget.
- Select Dynamic Search from the data source list in the Query section, and enter a JSON query.
- Optional: If the QRadar version is 7.4.3 or later and you are an administrator, click the Dynamic search query builder link to build a query.
- Select a Data Source.
- Complete the Available Columns and Available Filters sections.
- To add a name, description, range of the search, retention period, or search type to your query, enable one or more Extra Search Properties.
- To copy your JSON script, click Generate JSON. Your results appear in the JSON generated by your query section. Click Copy to Clipboard to copy your JSON script.
- In the New Dashboard Item page, paste the copied JSON script.
- Optional: Add parameters to the dynamic search query.
- Insert existing parameters in the query. Click the Insert Parameter icon, and then click Insert for each relevant parameter. Important: In dynamic search queries, parameters must be preceded by a dollar sign (for example, ${NumberOfRules}).
- To change the default value of the parameter, click the View Parameters icon, and click Save after you set the default value. When you change the default value for a parameter, you change the value everywhere the parameter is used in your workspace, except in expanded or pinned dashboards and widgets. If you don't set the value as the default value, the change applies only to the current session. However, if you set the value as the default, the current session also uses that value. The predefined SYSTEM:accountId parameter returns the account ID of the user who is logged in. System parameters are read-only, and you cannot change their default value.
- To add a parameter to your workspace, click Add, give the parameter a name and a default value, if needed, and then click Save. After you add parameters to a widget on a dashboard for the first time, the Parameters card appears on the dashboard. If you remove the parameters from the widget, and no other widget in that dashboard uses the parameter, the Parameters card disappears.
- Click Run Query. When you first create the widget, you can't configure the charts if the query returns no data. Try making the criteria in the fields less strict and run the query again.
- Create a dashboard chart in the Views section. Because you can create multiple views and charts from the same query, give the view a unique name. By default, the chart's title and status on the title bar are displayed; to hide them, click the More options icon and switch the settings to Off.
- Select a chart type and configure the relevant properties. For use cases to help you decide which chart type to use, see Widget chart types.
- Preview how the chart looks and then click Save. Tip: The labels for the chart come from the queries that are used. If they are unintelligible in the preview, edit the labels in the View section.
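The parameter rules in the procedure above (the `${Name}` syntax, session values overriding workspace defaults, and read-only SYSTEM parameters) as an added example of how a widget client could resolve them safely; this is illustrative code, not the Pulse or QRadar implementation, and the query template's field and filter keys are constructed, not the dynamic search API schema.

```python
import json
import re

# Constructed template in the shape a widget query might take. The key names are
# illustrative only; placeholders are written unquoted so they are substituted as values.
QUERY_TEMPLATE = """
{
  "fields": [{"name": "hostname"}, {"name": "id", "function": "COUNT_PER"}],
  "filters": {
    "rules_count": {"gt": ${NumberOfRules}},
    "hostname_prefix": ${HostPrefix},
    "owner": ${SYSTEM:accountId}
  }
}
"""

PARAM_RE = re.compile(r"\$\{([A-Za-z_][\w:]*)\}")

# Predefined system parameters are read-only; the account ID here is a constructed value.
SYSTEM_PARAMS = {"SYSTEM:accountId": 42}


def render_query(template, workspace_defaults, session_values=None):
    """Return the parsed JSON query with every ${Name} resolved.

    session_values take precedence over workspace_defaults, mirroring the page:
    a value not saved as the default applies only to the current session.
    """
    session_values = session_values or {}

    def lookup(match):
        name = match.group(1)
        if name in SYSTEM_PARAMS:
            if name in session_values or name in workspace_defaults:
                raise ValueError(f"{name} is a system parameter and is read-only")
            value = SYSTEM_PARAMS[name]
        elif name in session_values:
            value = session_values[name]
        elif name in workspace_defaults:
            value = workspace_defaults[name]
        else:
            raise KeyError(f"parameter {name} is not defined in the workspace")
        # Encode as a JSON value rather than splicing raw text, so a string containing
        # quotes or braces cannot alter the structure of the query.
        return json.dumps(value)

    return json.loads(PARAM_RE.sub(lookup, template))
```

A missing parameter fails before the query is sent, and a value such as `srv"}` survives substitution as an ordinary string rather than terminating the filter object.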