IBM Support

QRadar: Creating a dashboard to review search history by user and submission source

How To


Summary

How to create a dashboard to show number of searches submitted by each user and the method used to submit the search (API, UI, or Reporting).

Objective

Provide a dashboard that gives a quick view of the number of searches run by each user in the environment.

In the GUI, searches initiated from both the Log Activity and Network Activity tabs can be seen in Manage Search Results. However, searches submitted through the API are not visible in this view.
For information about searches initiated through the API, users need to search the audit logs. This review can be done either from the CLI, by reviewing the /var/log/audit/audit.log* files, or in the GUI, by filtering on "Search Executed" events under the SIM Audit log source.
This technote shows how to create an AQL search and dashboard to show the amount of searches each user submitted grouped by the method of submitting the searches.

Steps

AQL query and creating the dashboard

The AQL query for this search is as follows:
Select "Ariel Username" AS 'User', "Ariel Source" AS 'Source', count(*) AS 'Total' from events where qid='28250254' group by User,Source last 15 MINUTES
When run in Log Activity, the output looks like the following:
[Screenshot: Log Activity search results]

Creating the dashboard:

  1. To create a dashboard item from this AQL, follow the steps in Adding search-based dashboard items to the Add Items list.
  2. Configure the dashboard with the steps documented in Configuring dashboard chart types:
    1. Under Value to Graph, choose COUNT.
    2. Under Chart Type, choose Time Series.
    3. Check Capture Time Series Data.
    4. Click Save.
Note: As with all dashboards that use Time Series Data, data must be accumulated before it displays in the dashboard.

Interpreting the graph data

The graph looks similar to the following:
[Screenshot: Dashboard graph]
This graph can be useful to spot any large increase in search frequency when you are investigating search slowness.
A spike in the number of searches from a particular user (or API token) corresponding with the start of poor search performance can be a useful starting point. You can then review that user's searches to identify any problems with search efficiency or volume.

Note: For some apps, like QDI, it is expected behavior for the app to search frequently by using the API.
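The same grouping that the AQL query above performs in Ariel can be reproduced from the audit log on the CLI, which is useful when the dashboard has not yet accumulated time series data. The following Python script is an added example, not part of this technote or of QRadar: it parses "Search Executed" entries, counts them by user and submission source exactly as the GROUP BY User,Source clause does, and flags any user/source pair whose count in a 15-minute window exceeds a threshold, which is the spike described above. The line layout used in SAMPLE_AUDIT_LINES is a constructed simplification; the real /var/log/audit/audit.log format differs by version, so adapt LINE_RE to the fields in your own log before running it against live data.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit entries. The "timestamp SearchExecuted user=... source=..."
# layout is an assumption made for this example; it is not the real audit.log format.
SAMPLE_AUDIT_LINES = (
    [f"2023-09-27T10:{i:02d}:00 SearchExecuted user=admin source=UI" for i in (0, 4, 9)]
    + ["2023-09-27T10:05:00 SearchExecuted user=admin source=API"]
    # an app polling through the API, similar to the expected QDI behaviour noted above
    + [f"2023-09-27T10:{i:02d}:30 SearchExecuted user=qdi-app source=API" for i in range(12)]
    + [f"2023-09-27T10:{i:02d}:00 SearchExecuted user=analyst source=Reporting" for i in (2, 7)]
    + ["2023-09-27T10:03:00 LoginSuccess user=analyst"]  # not a search; must be ignored
)

# Regex for the assumed layout above; adjust to match your version's audit.log fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SearchExecuted user=(?P<user>\S+) source=(?P<source>UI|API|Reporting)$"
)


def parse_search_events(lines):
    """Return (timestamp, user, source) tuples for every Search Executed entry.

    Lines that are not search events (logins, config changes, ...) are skipped.
    """
    events = []
    for line in lines:
        match = LINE_RE.match(line.rstrip("\n"))
        if not match:
            continue
        events.append((datetime.fromisoformat(match["ts"]), match["user"], match["source"]))
    return events


def count_by_user_and_source(events):
    """Equivalent of: SELECT User, Source, COUNT(*) ... GROUP BY User, Source."""
    return Counter((user, source) for _, user, source in events)


def flag_spikes(events, window_minutes=15, threshold=10):
    """Return {(window_start_iso, user, source): count} for pairs above threshold.

    Events are bucketed into fixed windows (15 minutes by default, matching the
    'last 15 MINUTES' range of the AQL query) so a burst from one user or API
    token stands out against the normal background of searches.
    """
    per_window = Counter()
    for ts, user, source in events:
        window_start = ts.replace(
            minute=ts.minute - ts.minute % window_minutes, second=0, microsecond=0
        )
        per_window[(window_start.isoformat(), user, source)] += 1
    return {key: n for key, n in per_window.items() if n > threshold}


if __name__ == "__main__":
    evts = parse_search_events(SAMPLE_AUDIT_LINES)
    for (user, source), total in sorted(count_by_user_and_source(evts).items()):
        print(f"{user:<10} {source:<10} {total}")
    for (window, user, source), n in flag_spikes(evts).items():
        print(f"spike: {n} {source} searches by {user} in window starting {window}")
```

To run it against a real system, replace SAMPLE_AUDIT_LINES with the lines read from the audit.log* files (after fixing LINE_RE for the actual format) and tune threshold to the normal search rate of your deployment; a flagged app such as QDI is expected, whereas a flagged interactive user at the time search performance degraded is the starting point the section above describes.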

Additional Information

For more information about troubleshooting slow searches, see QRadar Performance and what causes slow searches.
For more information about preventing resource-intensive searches, see Restrictions to prevent resource-intensive searches.

Document Location

Worldwide


Document Information

Modified date:
27 September 2023

UID

ibm16998739