IBM QRadar


Grafana-AQL integration for QRadar SIEM

By Prince Prakash posted Fri December 22, 2023 01:44 PM


Our SOC analysts use centralised Grafana dashboards to monitor a wide variety of data sets: for example, a dashboard that monitors a company's internal user behaviour, a dashboard that monitors system health, or even a dashboard that monitors an entire organization's energy footprint. Over here on the QRadar SIEM team, we live and breathe the cybersecurity space most of our days, specifically threat detection, investigation and response (TDIR), so our focus has traditionally been on TDIR dashboards. However, wouldn't it be nice to consolidate data from different vendor devices, across different business functions, and monitor it all in one place?

Introducing the Grafana-AQL integration for QRadar SIEM! 

Today, I'm excited to provide a sneak peek at a very exciting addition to QRadar SIEM's functionality that is estimated for release in Q1 2024. Our QRadar SIEM customers will soon be able to connect QRadar SIEM to their existing Grafana platform, taking advantage of Grafana's powerful visualisation tooling for a wide variety of data and use cases, including (but not limited to) the 3,000+ security use cases QRadar SIEM covers.

This not only opens the door for our customers' creativity to go beyond visualizations for traditional security use cases, it also lets them use the high-fidelity alert information from QRadar SIEM as a powerful data source within the broader governance, risk, and compliance (GRC) picture. Not to mention that our users can now take advantage of the many Grafana dashboards the Grafana community has already built specifically for threat detection and analysis.

What is Grafana?

Grafana is an open-source visualization platform from Grafana Labs that turns any type of data, including application telemetry for observability, into insightful and easy-to-use dashboards … and did I mention they’re also just beautiful?

How will this work?

Once this capability is generally available, QRadar SIEM customers will be able to download the QRadar SIEM plugin from the Grafana Plugin Marketplace. Customers can then securely connect to their QRadar SIEM environment using its IP address, port, SSL certificate and an authorized service token. Two practical notes on that connection: the plugin should validate the console's SSL certificate (configure the certificate or CA in the data source rather than disabling verification), and the authorized service token should be created for the plugin alone and bound to a user role and security profile that grant only the read access the dashboards need, since the token's permissions, not the Grafana user's, decide what data the queries can see.

Once the plugin is securely connected to a user's QRadar SIEM environment, they can build their own dashboards by writing AQL (Ariel Query Language) queries that pull data into the visualisation platform. Out of the box, our team will ship a few built-in dashboards with the plugin so customers can get started right away.

The plugin will support all event- and flow-based metrics in QRadar SIEM, which means you can visualize your log data, network data, and other key data from tools such as a vulnerability scanner. Users will be able to create their own visualizations ranging from pie charts to time series graphs to heat maps to geo-mapping charts, and the list goes on.

Here is a screen grab from an early iteration of a planned out-of-the-box dashboard included in our plugin. While it's not the final software, you can see it's a dashboard illustrating basic QRadar SIEM datasets such as Top Blocked Source IPs, Top Blocked Destination Ports, Top Permitted Destination Ports, Top Users in Environment by Log Activity, Top Event Categories and Bottom Event Categories.

How can I get this plugin? 

The plugin will be free to download from Grafana Plugin Marketplace and will be available to all QRadar SIEM customers who would like to take advantage of it. 

Will it work with Grafana community edition?

Yes, this plugin will work with the Grafana community (open-source) edition, which is free to self-host. Separately, Grafana Cloud offers what Grafana Labs calls an "(actually useful) free forever plan". For details on what each free option includes, check Grafana's pricing page.

When will this be available?

The plugin will be generally available in Q1 2024.


Comments

Thu October 31, 2024 11:12 AM

Hi Luciano, 

Thanks for the question. Below are things you can try:

  • Most likely the Grafana data source is using UTC START / STOP values in the AQL query, but the QRadar instance is in a different time zone. I would suggest using plugin v1.1 and configuring the plugin's timezone data source setting to match the QRadar instance.
  • Check the plugin user docs, as there is a specific format for AQL query START / STOP values. The user docs also indicate the specific AQL patterns / syntax supported by the plugin, so please cross-check the custom AQL against those points as well. If it still doesn't work, I would recommend reaching out to IBM support for help.

Thanks,

Prince

Thu October 31, 2024 10:23 AM

Hello. 

I have been trying to make some custom AQL queries in Grafana to my IBM QRadar SIEM, but the query results are blank.
Also, I have tested the integration, and I can see the default IBM QRadar SIEM dashboards in my Grafana working properly.

Do you know if there is any misconfiguration that I must check?

Thanks!

Regards,