IBM Support

QRadar: How to use the Assistant application to manage applications

How To


Summary

As more QRadar functionality is ported to applications, administrators need to rely on the Assistant application to install, upgrade, and managing all applications.

Objective

QRadar® administrators need as a best practice to use the Assistant application for all their applications. The Assistant app allows administrators to manage applications and content extension inventory, view apps and content extension recommendations, follow the QRadar® Twitter® feed, and get links to useful information.
This article explains how administrators can install applications, upgrade applications, start, stop, delete, and manage application instances. The assistant application also informs administrators how much memory they are using with each application to manage memory resources.

image 4045
Note: The advance menu options to manage applications and tenants is not available until one application that supports multi tenancy is installed, such as User Behavior Analytics for QRadar®. This does not interfere with administrators from managing their applications. Administrators can still start, stop, and delete applications without the advanced menu options.

image 4890

Steps

Getting started with the Assistant application

Getting an API Key and Password
Before you begin
Administrators need to create an API Key and API Password from the IBM® X-Force® Exchange. Although every administrator can receive and account, it is important to retain that the initial API Key and Password in case the Assistant application needs to be reinstalled. Regenerating API keys can break the integration between X-Force Exchange and the Assistant application. 
  1. Log in to the IBM® X-Force® Exchange.
  2. Click Profile icon.
    image 4182
  3. Click Settings.
  4. Click API Access.
  5. Click Generate.
    image 4208
  6. Copy the key and password.
  7. Click the Assistant application icon.
    image 3166
Setting up the Assistant Application for the First time
Before you begin
Security tokens need to be created for most of applications from Authorized Services. It is advised to have one available to configure the Assistant application. You also need the API Key and password created in prior step #6.
 
  1. Click Settings.
  2. Create a Security token for the application from the Admin tab > Authorized Services.
  3. Add the Security token to settings.
    image 4195
  4. Click API Authentications tab. 
  5. Add the API Key and Password.

    image 4187
  6. Click Proxy tab.
  7. Optional: Add all information required to configure your Proxy server settings.

    image 4194
  8. Click Legal and read the agreement to continue.
  9. Click Save.

Installing Applications

The Assistant simplifies installing applications. Administrators need to locate the application to install from the IBM® X-Force® Exchange and follow the procedure. Administrators can queue up to five applications to install at the same time. The installations are performed sequentially.
  1. From the Dashboard, click the Shield icon.
    image 3166
  2. Click Applications.
  3. In Search, type the application to install.
    image 3167
  4. Click the Application.
  5. Click See Full Description.

    image 3225
  6. Optional: If you are installing on QRadar on Cloud (QRoC), Under Additional Information, look for QRadar on Cloud Ready.

    image 4196
  7. Click Install.
     
Results
To display the green circle icon, hover over the blue circle.  Hovering over the green circle icon displays the installation status.
image 4205

Upgrading Applications

Applications are continually being updated to add new features or add enhancements to resolve issues in an application. When administrators click Applications on the home page, they are directed to the Updated section, which lists Installed applications and Updates. Any new version of an application is displayed. Administrators can queue up to five applications to update at the same time. The updates install sequentially.
  1. Click Applications.
    image 4073
  2. Under Updates Available look for an application with the label Update Available.
    image 4087
  3. Click Update.
  4. Click Agree to the Disclaimer.
    image 4088
  5. Hovering over the green circle icon displays status. To display the green circle icon, hover over the blue circle. 
    image 4089
  6. When the application is successfully installed, the status is displayed when you hover over the green shield icon.
Note: Administrators can also check for updates from the List View. If the application fails to install or upgrade, the circle icon with turn red and the List View displays an error. The total memory used for each application is displayed in the list view screen.
image 4069

Uninstall Applications

Administrators might choose to uninstall an application extension for the following conditions.

  • The application was not what the administrator wanted.
  • The application requires too many resources that need to be used for another applications.
  • The application might not be working as intended and needs to be reinstalled.
Note: If application instances are installed, they need to be deleted first before the application extension can be uninstalled.
To uninstall an application extension:
 
  1. Click Applications.
    image 4073
  2. Click Manage to open List View.
    image 4146    image 4193
  3. Scroll down to the application to be stopped.
  4.  In the Options column, click the ellipsis (...) icon.
  5. Click Uninstall Extension.
    image 4115
Results
The Extension Management window is opened to uninstall the application extension.

Starting Applications

Administrators might need to start an application under these circumstances.

  • An application due to a restriction in resources needed to stop an application, but now needs to be restarted.
  • An application is in an Error state after the system is restarted after a patch.
image 4094
To Start an application:
  1. Click Applications.
    image 4145
  2. Click Manage to open List View.
    image 4146    image 4193
  3. Scroll down to the application in an Error state.
    image 4101
    Note: It is highlighted with a red bar.
  4.  In the Options column, click the ellipsis (...) icon.
  5. Click Start All Instances.
Results
The red bar changes to blue while the application is starting.

Stopping Applications

Administrators due to another application that use a high number of memory resources, might need to stop an application to give more memory resources to another application.

To stop an instance:

  1. Click Applications.
    image 4145
  2. Click Manage to open List View.
    image 4146    image 4193
  3. Scroll down to the application to be stopped.
  4.  In the Options column, click the ellipsis (...) icon.
  5. Click Stop All Instances.
    image 4107
Results
Status displays the application is STOPPED.

Creating Multi -Tenant Instances

Before you begin

  • Instances are only supported on QRadar 7.4.0 Patch 1 and greater.
  • Instances can be created only with applications that support multi-tenancy. Check the IBM® X-Force® Exchange to confirm the application you are installing supports multi-tenancy.
  • Tenants must be configured before these steps can be taken.
  • Instance requirements must be configured.
  • The extension allows only one instance to be created: Apps like Pulse, Log Source Management App, and Assistant that are for only administrative purposes can have one instance.
  • Non-Admin users only can update or manage Applications that are assigned to them.
What are Instances?
 An instance is a total stand-alone version of the application extension that you downloaded and installed. It allows splitting of data per a security profile to make sure users can see what they are assigned.
 
Why would I want to create multiple instances?
On installation of an extension, there is an option to create the application definitions only without creating an instance of an extension. This functionality is added to give administrators more control over the instances created on your system.
  • Instance Requirements
    1. Create a Tenant.
    2. Log in to the QRadar Console UI as an admin user.
    3. Click Admin tab.
    4. Create a Security Profile.
      1. Click Security Profiles.
      2. Click New.
      3. Add a Security Profile Name and Description.
      4. Select a Permission Precedence.
      5. Add Network Assignments.
      6. Add Log Sources A.
      7. Click Save.
    5. Optional: Create a Domain.
    6. Create User Role.
      1. Click User Roles.
      2. Click New.
      3. Create a User Role for the Tenant.
      4. Select all Tasks for the User Role.
      5. Add Dashboards.
      6. Click Save.
    7. Create a user.
      1. Click Users.
      2. Click Add.
      3. Create a User Name > User Description > E-Mail.
      4. Under Authentication add a password.
      5. Under Permissions add a User Role for the Tenant created in Step #6.
      6. Under Security Profile, select the Security Profile created in Step #4.
      7. Click Save.

        Deploy Changes
        results in services being restarted. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
    8. From the Admin tab, click Deploy Changes.
       
  • Creating the Instance
    1. Click the Assistant application shield icon.
      image 4130
    2. Click Applications.
      image 4073
    3. Click Manage to open List View.
      image 4146    image 4193
    4. Scroll down to the application you choose to add an instance.
    5.  In the Options column, click the ellipsis (...) icon.
    6. Click Create New Instance.
      image 4125
    7. Choose a Security Profile > Next.
      image 4128
    8. Choose a User Role > Next.
      image 4129
    9. Review the Summary.
    10. Click Confirm & Create.
  • Deleting Instances
    1. Click the Assistant application shield.
      image 4130
    2. Click Applications.
      image 4073
    3. Click Manage to open List View.
      image 4146    image 4193
    4. Scroll down to the application you choose to add an instance.
    5.  In the Options column, click the ellipsis (...) icon.
    6. Click Delete All Instances.
      image 4131
    7. Click Delete.
      Note: Administrators might need to re-create an Admin Instance for the application.
  • Viewing Instances
    1. Click the Assistant application shield.
      image 4130
    2. Click Applications.
      image 4073
    3. Click Manage to open List View
      image 4146    image 4193
    4. Scroll down to the application you choose to add an instance.
    5. Click the Application to view Instance Information.
      image 4142
    6.  In the Options column, click the ellipsis (...) icon.
    7. From here, administrators can Configure, Manage, Start, Stop, and Hide Instances.
      Note: If an administrator needs to allocate more resources for an application, they can stop an instance to give another instance more memory.

Troubleshooting the Assistant Application

Occasionally the menu or applications do not appear as expected in the Assistant application. In most instances, the browser is caching old data. If this is the issue, then you can resolve it by using one of these methods.
  • Clear your cache.
    1. Clear you browser cache.
    2. Close your browser.
    3. Restart your browser and log in to QRadar.
  • Log in to a QRadar session by using incognito mode with your browser.
If the Assistant application does not show in your dashboard, use one of these solutions to resolve your issue.
  • Use recon and the API to restart the Assistant application.
    1. Use SSH to log in to the Console as root user.
    2. Your applications can run either on the Console or App Host. Use SSH to connect to the App Host if your applications are not running on the console.
    3. To get the App-ID, type the command:
      image 4908
    4. On the navigation menu, click ( Navigation menu icon ) to open the menu.
    5. Click Interactive API for developers.
    6. Scroll to gui_app_framework and click to expand the menu.
    7. Expand applications, click application_id.
    8. Click POST.
    9. Scroll to Parameters.
    10. In the box for application_id, add the App-ID for the Assistant application.
    11. In the box for Status enter RUNNING.
      image 4930
    12. Click Try it Out.
      Results
        {    "installed_on": 1593784251390,    "application_state": {      "memory": 600,      "application_id": "1053",      "status": "STARTING"    },    "manifest": {      "description": "QRadar Assistant",      "areas": [        {          "description": "Assistant",          "text": "",          "id": "security_center",          "url": "/"
  • Use qappmanager to start the instance for QRadar versions 7.4.0 p1 or greater.
    Note: The qappmanager is added by an Auto Update.
    1. Use SSH to log in to the Console.
    2. Type the command:
        /opt/qradar/support/qappmanager
    3. Enter option #23.
    4. Enter the Security Profile for Admin.
      image 4932
    5. Enter the APP instance ID for the Assistant application to start the instance.
      Results
      The Assistant Application shield appears on the dashboard after the Assistant application starts.
If the troubleshooting procedures suggested do not work, open a case with IBM QRadar Support to help you resolve your issue.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000GnbvAAC","label":"QRadar->Apps"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
10 August 2021

UID

ibm16228732