IBM QRadar


Documenting QRadar Pulse Dashboards: The Puzzle, The Pain, and… A Python Script? – PulseQueryViewer for QRadar (contrib)

By Pascal Weber posted 4 hours ago

Following in the footsteps of our previous contribution 🛠 NHSuite for QRadar 🛠 — a Python tool that simplified the management of Network Hierarchies — I’ve continued my commitment to sharing useful utilities with the community.

After facing another limitation often encountered when working with QRadar Pulse dashboards, and once again rather than keep the fix private, I've decided to publish a new script for everyone’s benefit.

Introducing: PulseQueryViewer 🎉

Why PulseQueryViewer?

In today’s SOC environments, dashboards are more than pretty charts — they’re the pulse of the security monitoring lifecycle. Analysts rely on them to visualize trends, define thresholds, or drill down into dynamic investigations.

But here’s the catch: while QRadar Pulse makes it easy to build powerful dashboards from widgets and AQL queries, documenting them is another story.

Export a dashboard and you’ll get… JSON...

Useful for a machine, but not exactly analyst-friendly.

We’ve seen this pain point across multiple deployments:

  • 📜 Painful documentation (especially for SOC audit/compliance) of exported Pulse dashboards.

  • 🤔 Analysts unsure which AQL query sits behind each widget.

  • 🔄 No easy way to reuse or share queries in reports, audits, or CI/CD pipelines.

That’s why we built PulseQueryViewer — a simple but powerful Python script to bring clarity to Pulse dashboard exports.

PulseQueryViewer for QRadar: A Brief Overview

Usage

👉 Usage : PulseQueryViewer.py --help

[Screenshot: output of PulseQueryViewer.py --help]

📂 Input file(s): using the -f or --file parameter (mandatory)
📤 Export to CSV: using the -c or --csv parameter
📜 Export to Markdown: using the -m or --markdown parameter
ℹ️ Version information: using the --version parameter

Exporting Your Pulse Dashboard JSON

Before using PulseQueryViewer, you first need the JSON export of your QRadar Pulse dashboards.

Once your dashboard is selected in Pulse, exporting it is simple:

  1. Go to your QRadar console and open the Pulse app.

  2. Select the dashboard you want to document or analyze (example : Event and Flow Metrics in the screen capture).

    [Screenshot: QRadar Pulse Dashboard - Event and flow metrics]

  3. In the upper-right menu, click the Export button → Export with the default parameter values.

    [Screenshot: CPT-Pulse-ExportPulseDashboard1]

  4. Save the file locally (e.g., Event and flow metrics.json).

    [Screenshot: CPT-Pulse-ExportPulseDashboard2]

This JSON file contains all the widgets, AQL queries, and configuration data of the dashboard.


👉 You can repeat this process for every dashboard you want to document, exporting as many JSON files as you need. PulseQueryViewer will then parse them individually or even combine them if you specify multiple files at once.

Core functionalities

  • Streamlined Dashboard Documentation:
    The tool parses JSON exports from QRadar Pulse dashboards and transforms them into human-readable formats. Analysts can choose between color-coded console output, CSV tables, or Markdown documentation — making it easier to analyze, share, or archive queries related to the Pulse dashboard.
     
    • Console Output:
      👉 Using -f or --file parameter

      Example : PulseQueryViewer.py -f dashboard1.json

      [Screenshot: console output of PulseQueryViewer.py -f dashboard1.json]

      PulseQueryViewer parses the JSON and displays each widget in a clear, color-coded format directly on the console :

      🟡 Yellow : Pulse dashboard name on QRadar Pulse
      Example : Dashboard: Event and flow metrics

      Grey : Widget number (the position/order of the widget in the dashboard JSON)
      Example : Widget Number: 1

      🔴 Red : Widget Name (The label/title of the widget as defined in the Pulse dashboard)
      Example : Name: Top 10 log sources


      🟢 Green : AQL Query (The full Ariel Query Language (AQL) statement associated with the widget)
      Example :
      Query: SELECT logsourcename(logsourceid) as 'MY Log Sources', LONG(SUM("SUM_eventcount")/(2*60*60)) event_rate FROM GLOBALVIEW('Top Log Sources','NORMAL') WHERE logSourceId not in (62,63,64,65,66,67,68,69) GROUP BY logsourceid ORDER BY event_rate DESC LIMIT 10 LAST 2 HOURS

      PulseQueryViewer is not limited to a single dashboard export. You can specify several JSON files in the same command line, and the tool will parse them sequentially. This is particularly useful if you need to generate consolidated documentation or compare multiple dashboards at once.

      👉 Example:

      PulseQueryViewer.py -f dashboard1.json dashboard2.json dashboard3.json


    • CSV Export:
      👉 Using -c or --csv parameter
      Example : PulseQueryViewer.py -f dashboard1.json -c myexportedfile.csv
      [Screenshot: PulseQueryViewer CSV export command]

      In this example, each widget is exported into a clear tabular structure that opens easily in Numbers, Excel, LibreOffice or any other spreadsheet tool.

      Here is the result (example) : cat PulseFirewallDB.csv

      [Screenshot: PulseQueryViewer exported CSV file output]

      Here is the result in Excel (example) :

      [Screenshot: PulseQueryViewer CSV output in Excel]


      The same multi-file behavior applies to CSV export: several JSON files given in one command line are parsed sequentially and consolidated into a single CSV file, which is convenient for consolidated documentation or side-by-side comparison of dashboards.

      👉 Example:

      PulseQueryViewer.py -f dashboard1.json dashboard2.json -c PulseConsolidedDocumentation.csv

      [Screenshot: PulseQueryViewer consolidating multiple dashboards into one CSV for documentation]


      Sample output of two Pulse dashboards consolidated in Excel :

      [Screenshot: multiple dashboards consolidated in Excel]


    • Markdown Export:
      👉 Using -m or --markdown parameter

      Example : PulseQueryViewer.py -f dashboard1.json -m myexportedmarkdownfile.md

      [Screenshot: PulseQueryViewer Markdown export command]

      Output of the .md file (example) :

      [Screenshot: PulseQueryViewer Markdown export as text]


      The Markdown output is structured for easy integration into documentation systems (Confluence, GitLab, wikis); here is an example rendered on GitLab :

      [Screenshot: PulseQueryViewer Markdown output rendered on GitLab]


  • Error Management:

    No tool is complete without robust error handling ⚠️.

    PulseQueryViewer validates inputs and reports issues clearly:

    • 🧾 Invalid JSON → flagged and logged

    • ❌ Missing widget/query → highlighted

    • 🔐 Export issues (permissions, disk errors) → written into PulseQueryViewer.log

    This ensures analysts always get trustworthy outputs, even in complex environments.


    • The generated PulseQueryViewer.log file :

      [Screenshot: contents of the PulseQueryViewer.log file]



  • Version Information:
    👉 Using --version parameter

    [Screenshot: PulseQueryViewer --version output]

    Displays script version info.

👉 With these options, PulseQueryViewer transforms Pulse dashboards into readable, exportable, and auditable documentation, ready to integrate with CI/CD pipelines or compliance workflows.
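To make the parse-and-export flow described above concrete, here is an added Python example written for this post; it is not the PulseQueryViewer project's own code. Because the Pulse export schema is not reproduced in the post, the example assumes that a widget is any JSON object carrying a "query" or "aql" key together with a "name"/"title"/"label" key, and it walks the document recursively so the nesting level does not matter. It produces the CSV and Markdown outputs and, mirroring the Error Management section, logs invalid JSON and missing or non-AQL queries to PulseQueryViewer.log instead of crashing. The sample export embedded in the block is constructed, not a real Pulse file.

```python
import csv
import io
import json
import logging
import re

# Assumptions (the Pulse export schema is not spelled out in the post): a widget
# is any JSON object carrying a "query" or "aql" key, its display name is the
# "name"/"title"/"label" key in the same object, and a valid query is a string
# starting with SELECT. The walker does not depend on where widgets nest.
QUERY_KEYS = ("query", "aql")
NAME_KEYS = ("name", "title", "label")
AQL_RE = re.compile(r"^\s*SELECT\b", re.IGNORECASE)

log = logging.getLogger("pulsequeryviewer")
if not log.handlers:
    try:   # log to PulseQueryViewer.log like the tool; fall back to stderr if not writable
        _handler = logging.FileHandler("PulseQueryViewer.log")
    except OSError:
        _handler = logging.StreamHandler()
    _handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    log.addHandler(_handler)
    log.setLevel(logging.INFO)

# Constructed sample export (not a real Pulse file): two widgets, the second with
# an empty query so the "missing query" path is exercised.
SAMPLE_EXPORT = """{
  "name": "Event and flow metrics",
  "widgets": [
    {"title": "Top 10 log sources",
     "query": "SELECT logsourcename(logsourceid) AS 'Log Sources', SUM(eventcount) AS total FROM events GROUP BY logsourceid ORDER BY total DESC LIMIT 10 LAST 2 HOURS"},
    {"title": "Broken widget", "query": ""}
  ]
}"""

def walk(node):
    """Depth-first pass over every JSON object in the document."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk(value)

def extract_widgets(data, dashboard):
    """One record per widget; a missing or non-AQL query is flagged and logged."""
    widgets = []
    for obj in walk(data):
        qkey = next((k for k in QUERY_KEYS if k in obj), None)
        if qkey is None:
            continue
        number = len(widgets) + 1                     # position in document order
        name = next((str(obj[k]) for k in NAME_KEYS if obj.get(k)), "<unnamed widget>")
        query = obj[qkey]
        valid = isinstance(query, str) and AQL_RE.match(query) is not None
        if not valid:
            log.warning("%s: widget %d (%s) has a missing or non-AQL query", dashboard, number, name)
        widgets.append({"dashboard": dashboard, "number": number, "name": name,
                        "query": query if valid else "", "valid": valid})
    return widgets

def parse_export_text(text, source="<inline>"):
    """Parse one export; invalid JSON is logged and yields no widgets instead of a crash."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        log.error("%s: invalid JSON (line %d, column %d): %s", source, exc.lineno, exc.colno, exc.msg)
        return []
    dashboard = str(data.get("name", source)) if isinstance(data, dict) else source
    return extract_widgets(data, dashboard)

def to_csv(widgets):
    """Tabular export, one row per widget, ready for Excel or LibreOffice."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["dashboard", "number", "name", "query"],
                            extrasaction="ignore")
    writer.writeheader()
    writer.writerows(widgets)
    return buf.getvalue()

def to_markdown(widgets):
    """Markdown export grouped by dashboard; each query is an indented code block."""
    lines, current = [], None
    for w in widgets:
        if w["dashboard"] != current:
            current = w["dashboard"]
            lines += [f"# Dashboard: {current}", ""]
        lines += [f"## Widget {w['number']}: {w['name']}", ""]
        lines += ["    " + w["query"] if w["valid"] else "**Missing or invalid AQL query**", ""]
    return "\n".join(lines)

if __name__ == "__main__":
    found = parse_export_text(SAMPLE_EXPORT, "sample.json")
    found += parse_export_text("{not json", "broken.json")   # logged, contributes nothing
    print(to_csv(found))
    print(to_markdown(found))
```

Passing several exports simply means concatenating the lists returned by parse_export_text, which is how the consolidated CSV described above is obtained. Keeping the "valid" flag on each record rather than dropping broken widgets is deliberate: a widget with no query still appears in the audit documentation, clearly marked, and the log file records why, so a reviewer can tell a broken dashboard apart from a tool that silently skipped something.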

GitHub Link 

Here is the link to the full project (contributions are welcome):

👉 Github Link : https://github.com/zoldax/PulseQueryViewer

Environment and prerequisites

  • 🌐 Input: JSON export of a QRadar Pulse dashboard
  • 🐍 Python: 3.6+
  • 📦 Dependencies: json, argparse and csv (Python standard library) plus colorama (third-party, installed with pip)

    Runs on a standard Linux machine or directly from your workstation — no changes needed on QRadar.

How do I start?

Clone the project from GitHub on your Linux instance with the git clone command : git clone https://github.com/zoldax/PulseQueryViewer.git

Wrapping Up

🔍 With PulseQueryViewer, Pulse Dashboards become readable outputs, structured files, and shareable documentation.

It’s part of a larger vision: embedding CI/CD principles into SIEM operations, ensuring dashboards and documentation evolve together, securely and consistently in a universal readable format.

For QRadar users with audit/compliance requirements on documentation, this means improved robustness, auditability, and operational efficiency.

For analysts, it simply means less time wrestling with JSON and more time doing what matters: defending the enterprise.

👉 GitHub link (contributions welcome!) : https://github.com/zoldax/PulseQueryViewer

Because the beat of a SOC isn’t only in flashy widgets… it’s in sharing queries and docs the whole team can dance to.🥁.

Cheers 🍻,
zoldax
