IBM QRadar


Analyst Workflow for QRadar SIEM - New features released!

By Shivam Sharma posted 17 days ago


Analyst Workflow App for QRadar SIEM – Feature Enhancements


We are pleased to announce the latest updates to the Analyst Workflow (AWF) App for QRadar SIEM. These enhancements focus on improving the search experience, boosting analyst productivity, and providing more administrative control over search configurations. Below is a summary of the new features and their benefits.


Custom Preset Integration on Search Page


Custom presets enhance search capabilities for all users in large organizations. Administrators can create standardized column presets and share them across users, ensuring that the most relevant search criteria are applied to analysts' queries. Important data and custom properties are set as default columns, making analysis easier. These standardized presets are automatically inherited by all users within the organization, streamlining their work and ensuring consistency.

Prior to this update, users in large organizations faced the challenge of manually configuring search columns, leading to:

  1. Inconsistent search outputs across users and teams
  2. Time-consuming and repetitive tasks
  3. Lack of centralized control for search behavior
  4. Increased potential for error due to inconsistent settings

The Custom Preset feature solves these problems by enabling organizations to define, manage, and standardize search configurations.

  1. Personalized Search Results – Users can select columns relevant to their workflows.
  2. Enhanced Productivity – Quick access to frequently used presets saves time.
  3. Seamless Admin Control – Admins can centrally manage and share presets across teams.
  4. Data Consistency – Persistent configuration ensures uniformity in search results.

Feature Details:

  1. Users can create custom column presets, which will be shared across all other users.
  2. Shared presets are reflected in the recipient's view and are updated globally.
  3. Admins can designate presets as defaults, making all of their columns part of the default search query.
  4. Admins have the ability to create, update, share, and remove presets.
  5. Users can create and manage up to 25 custom presets.

Fig 1. Custom Preset screen inside Search Tab 

Fig 2. Assign a name to the preset, select the users to share it with, and choose whether to set it as the default

Fig 3. Your preset gets created and you have the ability to edit or delete the preset

Fig 4. Preset deletion screen

Increased Log Source Selection in Visual Builder


Users can now search across all log sources by name in the Visual Builder on the Search page, eliminating the previous 1,000 log source limitation. Earlier, the search scope was restricted to the most recent 1,000 log sources. Incomplete and outdated log source data hindered investigations, and the need for manual updates and the lack of full visibility slowed down response times.

This update brings in:

  1. Expanded Search Scope – Full access to all log sources improves flexibility.
  2. Up-to-Date Data – The AWF app keeps the log source list up to date for smooth searching.
  3. Efficient Search – A full list of log sources improves the ability to search logs by log source name.

Try it out:

  1. The Search page > Visual Builder tab allows selection of a log source by name.
  2. Users can browse and select from log sources in the identified group.
  3. A maximum of 4,000 log sources is displayed in the selection list.
  4. Users can search for any log source by entering the log source name.


Theme Integration & UI Enhancements


We have introduced the following UI improvements to enhance usability and align with QRadar’s theme preferences:

  1. Theme Integration (Light, Dark, QRadar Default) – The AWF app now automatically syncs with the theme selected in QRadar.
  2. User Preference Options – Users can now manually select their preferred theme including a new Light Mode option.

Fig 5. Theme selection within the hamburger menu in Analyst Workflow

OOTB Availability


The Analyst Workflow (AWF) App is now included as an Out-of-the-Box (OOTB) application for QRadar SIEM, simplifying deployment and accessibility for all users.

Conclusion


These enhancements reflect our continued commitment to improving the day-to-day experience of analysts and administrators using QRadar SIEM. We look forward to your feedback and hope these updates streamline your operations, reduce manual effort, and increase the consistency and efficiency of threat investigations.
