IBM Support

Adding Pulse Dashboards via a QRadar App

How To


Summary

With Pulse being QRadar's new dashboarding platform, we suggest that 3rd party apps create dashboards in pulse rather than in the dashboard tab. There are no APIs to introduce a new dashboard but we have a method using reference sets to push the search and configuration of a new dashboard into pulse.

Steps

How to push one or more dashboards into a reference table named: pulse_imports

  1. Create one or more dashboards that you want to add to a QRadar content extension. Export them in Pulse → Export and place all the json files under a common directory. i.e. A dashboards directory on you local computer. The path to this directory is needed for the putrefdata.py script. The dashboard "Set As Default" setting is not ignored when these dashboards are extracted from the content extension.
  2. Make sure that the pulse_imports reference table on the QRadar console host is empty or use the -c option when using the python script. Any of the following methods can be used to clear the pusle_imports reference table:
    1. ssh into the QRadar console and run the following command: /opt/qradar/bin/ReferenceDataUtil.sh list pulse_imports and verify that Failed to locate Reference Data Collection with name pulse_imports is returned.
    2. Go to REST-API page https://<console_address>/api_doc and run GET - /reference_data/tables and verify that a [] is returned.
  3. Get the putrefdata.py (and its dependencies) from this package. Follow the instructions from the README.md (you must have already logged into the QRadar console with a user that has admin user role).
  4. Run the command from a command prompt (Windows):
    putrefdata.py -u admin -d <locationOfOneOrMoreDashboards> [-q <console_address>] [-p <console_password>]
    The -c option of the script clears the pulse_imports reference table before inserting the new dashboards into the reference table. To verify that the dashboard was properly inserted into the reference data table, use: /opt/qradar/bin/ReferenceDataUtil.sh list pulse_imports

    [root@vmibm7001 ~]# /opt/qradar/bin/ReferenceDataUtil.sh list pulse_imports
    Arg: list
    Arg: pulse_imports
    ReferenceDataCacheMapOfMaps{id=23, namespace=Shared, name=pulse_imports, collectionType=MAPOFMAPS, elementType=ALN, createdTime=2018-09-12 17:09:06, timeoutType=UNKNOWN, onElementExpiry=LOG_EACH}

     
  5. Add the reference table to the content to export. The referencedata content-type should be used when running the contentManagement.pl command line export or in the file containing all the content to be exported. For example, if you needed to export only the pulse content then the command is:
    /opt/qradar/bin/contentManagement.pl --action export -c referencedata -i <id> 
    (where <id> is obtained from the ReferenceDataUtil.sh output shown above)
  6. Export content and publish to App. Exchange. Add that the content extension contains Pulse Dashboard(s) in the description since this will not be obvious from the content summary. Also ensure you add instructions on how to import your dashboards into pulse in your extension documentation (see below).

Importing

  • Content extension are uploaded  from Admin -> Extension Management by a user with admin user role.
  • The admin user can decide to synchronize the templates or not. To synchronize, go to the Admin -> Pulse -> Pulse - Dashboard to synchronize with the latest templates found in the pulse_imports reference table. Here the admin is presented with a list of new, existing, or updated dashboards. Select Synchronize to update the Pulse dashboard templates.
  • Non admin users must go to the Pulse tab and Switch to Dashboard -> New Dashboard -> Templates, to add/update these templates into their local dashboard work space, They can select the dashboards they wish to add or update.

Updating a existing content extension

  • Pulse uses UUIDs to uniquely identify its dashboards and dashboard items. When updating a dashboard that was previously a part of a published content extension, make sure the UUID of the dashboard is the same in both content extensions (original and updated version)
  • When a user uploads the updated version of the content extension and has selected the "Replace existing items" at installation time, Pulse will detect this as an update.
  • When the admin user goes to the Admin → Pulse Dashboard icon and selects it, the Pulse dashboard template now appears as an update. 
  • When a user then go to the Pulse Switch to Dashboard → New Dashboard → Templates dialog, the newly imported dashboard template shows an update. When the update button is selected, users have the following options: "Create Copy", "Overwrite", or "Cancel". If "Create Copy" is selected the a new dashboard is created for that user. The original name is appended with a timestamp. If "Overwrite" is selected the original dashboard is overwritten.

Document Location

Worldwide

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.3.3"}]

Document Information

Modified date:
28 January 2021

UID

ibm16409530