IBM Security QRadar

​Hi All,

Here is my situation, Currently we are using Qradar on cloud (QROC)  and we have three data gateways which are managed by Third party.
Everyday as  part of health check, I run a log search in log activity tab and check and verify if we are receiving logs from all the three data gateways.

My query is how do I create a  dashboard where I would be able to see logs from all the 3 data gateways as soon as I login to the Qradar console.
Note: I have created a search in log activity tab for one data gateway and used that search in dashboard. but that's only displaying logs from one data gateway , I need to use all 3 data gateway IP addresses .host names in one search.

Regards
Asif Siddiqui

------------------------------
Asif Siddiqui
------------------------------

Hi Asif,
What are the details of the search? Knowing this will help provide a better solution.
The search should be something like this
In Log Activity create a search with the filter as shown below with the IP of your DGs

Then Add the time range for the search (only searches with a Time specified can be added to the dashboard)
And Save the criteria. Make sure you check add to dashboardIN The Dashboard Tab
Add this search to the dashboard under add item > Log Activity > Event searches > Name of Search
You can also create three search ( one for each data gateway) and add them to the dashboard.

Alternatively have you considered installing the QRadar Deployment Intelligence APP  from the X-force Exchange for monitoring?
Regards.
Sree



------------------------------
SREE ANANTHASAYANAM
------------------------------

Original Message:
Sent: Tue June 25, 2019 06:54 AM
From: Asif Siddiqui
Subject: Need help with Dashboardin qradar

​Hi All,

Here is my situation, Currently we are using Qradar on cloud (QROC)  and we have three data gateways which are managed by Third party.
Everyday as  part of health check, I run a log search in log activity tab and check and verify if we are receiving logs from all the three data gateways.

My query is how do I create a  dashboard where I would be able to see logs from all the 3 data gateways as soon as I login to the Qradar console.
Note: I have created a search in log activity tab for one data gateway and used that search in dashboard. but that's only displaying logs from one data gateway , I need to use all 3 data gateway IP addresses .host names in one search.

Regards
Asif Siddiqui

------------------------------
Asif Siddiqui
------------------------------

​Hi Sree,

Thanks you so much for your assistance. Here are findings,
I created a single search for all the three data gateways and also ran the search where I can see events from all the 3 data gateways. However while saving the search, everything looks fine but the  check box which says "Include in my dashboard" is gray out.
When hover the mouse the message says ""Non group by searches can not be added to the dashboard"

What does this message mean and I have added this search to one of the available groups and have named the  search still the checkbox is not enabled for me.


------------------------------
Asif Siddiqui
------------------------------

Original Message:
Sent: Tue June 25, 2019 06:54 AM
From: Asif Siddiqui
Subject: Need help with Dashboardin qradar

​Hi All,

Here is my situation, Currently we are using Qradar on cloud (QROC)  and we have three data gateways which are managed by Third party.
Everyday as  part of health check, I run a log search in log activity tab and check and verify if we are receiving logs from all the three data gateways.

My query is how do I create a  dashboard where I would be able to see logs from all the 3 data gateways as soon as I login to the Qradar console.
Note: I have created a search in log activity tab for one data gateway and used that search in dashboard. but that's only displaying logs from one data gateway , I need to use all 3 data gateway IP addresses .host names in one search.

Regards
Asif Siddiqui

------------------------------
Asif Siddiqui
------------------------------

AFAIK, in order to "export a search to the dashboard", it must be aggregated (using Group By).
That is, I believe, why the checkbox is disabled. I really think you should install Pulse as well as take the full advantage of the AQL searches.
My2Cs.

------------------------------
Jean-Luc Labbe
Cognitive Security Intelligence, GSIs Europe
IBM Security
------------------------------

Original Message:
Sent: Mon July 01, 2019 06:31 AM
From: Asif Siddiqui
Subject: Need help with Dashboardin qradar

​Hi Sree,

Thanks you so much for your assistance. Here are findings,
I created a single search for all the three data gateways and also ran the search where I can see events from all the 3 data gateways. However while saving the search, everything looks fine but the  check box which says "Include in my dashboard" is gray out.
When hover the mouse the message says ""Non group by searches can not be added to the dashboard"

What does this message mean and I have added this search to one of the available groups and have named the  search still the checkbox is not enabled for me.


------------------------------
Asif Siddiqui

Original Message:
Sent: Tue June 25, 2019 06:54 AM
From: Asif Siddiqui
Subject: Need help with Dashboardin qradar

​Hi All,

Here is my situation, Currently we are using Qradar on cloud (QROC)  and we have three data gateways which are managed by Third party.
Everyday as  part of health check, I run a log search in log activity tab and check and verify if we are receiving logs from all the three data gateways.

My query is how do I create a  dashboard where I would be able to see logs from all the 3 data gateways as soon as I login to the Qradar console.
Note: I have created a search in log activity tab for one data gateway and used that search in dashboard. but that's only displaying logs from one data gateway , I need to use all 3 data gateway IP addresses .host names in one search.

Regards
Asif Siddiqui

------------------------------
Asif Siddiqui
------------------------------

Hi
As mentioned by Jean-Luc Labbe, the search needs to be aggregated.  In your specific example, use the drop down Display > Source IP to add the Group By value to the above search.
As mentioned, take some time exploring apps. They may provide additional features.
Regards.
Sree

------------------------------
SREE ANANTHASAYANAM
------------------------------

Original Message:
Sent: Mon July 01, 2019 06:31 AM
From: Asif Siddiqui
Subject: Need help with Dashboardin qradar

​Hi Sree,

Thanks you so much for your assistance. Here are findings,
I created a single search for all the three data gateways and also ran the search where I can see events from all the 3 data gateways. However while saving the search, everything looks fine but the  check box which says "Include in my dashboard" is gray out.
When hover the mouse the message says ""Non group by searches can not be added to the dashboard"

What does this message mean and I have added this search to one of the available groups and have named the  search still the checkbox is not enabled for me.


------------------------------
Asif Siddiqui

Original Message:
Sent: Tue June 25, 2019 06:54 AM
From: Asif Siddiqui
Subject: Need help with Dashboardin qradar

​Hi All,

Here is my situation, Currently we are using Qradar on cloud (QROC)  and we have three data gateways which are managed by Third party.
Everyday as  part of health check, I run a log search in log activity tab and check and verify if we are receiving logs from all the three data gateways.

My query is how do I create a  dashboard where I would be able to see logs from all the 3 data gateways as soon as I login to the Qradar console.
Note: I have created a search in log activity tab for one data gateway and used that search in dashboard. but that's only displaying logs from one data gateway , I need to use all 3 data gateway IP addresses .host names in one search.

Regards
Asif Siddiqui

------------------------------
Asif Siddiqui
------------------------------

​Hi Sree and Jean,

Yes I grouped the events by source IP and the checkbox got enabled and I was able to add that search item in my dashboard. However the dashboard was still not getting loaded so I googled a little bit and found below,

"By default, QRadar only "accumulates" the last one minute of data in dashboards.

To make it capture more than one minute, you'll have to make use of the "Capture Time Series Data" checkbox in the dashboard panel settings. This option tells QRadar to "capture more than one minute for dashboards". So, check that box, choose the time range you want, and click save. You'll then notice that the selection in "Value to Graph" will have an asterisk (*) next to it (for example, Event Count will be come * Event Count); this indicates that this value has "Capture Time Series Data" enabled.

You won't see anything right away though, because it just starts "accumulating" (or "capturing time series data") from now. So (I think) you'll have to wait for the next refresh (one minute). Either that, or you'll have to wait for the next cycle of the time range (for example, if you chose Last 5 minutes, then you might have to wait for 5 minutes to pass in order to see the dashboard)."

Now I can see the dashboard data.

Thanks

Regards
Asif Siddiqui

------------------------------
Asif Siddiqui
------------------------------

Original Message:
Sent: Mon July 01, 2019 09:13 AM
From: SREE ANANTHASAYANAM
Subject: Need help with Dashboardin qradar

Hi
As mentioned by Jean-Luc Labbe, the search needs to be aggregated.  In your specific example, use the drop down Display > Source IP to add the Group By value to the above search.
As mentioned, take some time exploring apps. They may provide additional features.
Regards.
Sree

------------------------------
SREE ANANTHASAYANAM

Original Message:
Sent: Mon July 01, 2019 06:31 AM
From: Asif Siddiqui
Subject: Need help with Dashboardin qradar

​Hi Sree,

Thanks you so much for your assistance. Here are findings,
I created a single search for all the three data gateways and also ran the search where I can see events from all the 3 data gateways. However while saving the search, everything looks fine but the  check box which says "Include in my dashboard" is gray out.
When hover the mouse the message says ""Non group by searches can not be added to the dashboard"

What does this message mean and I have added this search to one of the available groups and have named the  search still the checkbox is not enabled for me.


------------------------------
Asif Siddiqui

Original Message:
Sent: Tue June 25, 2019 06:54 AM
From: Asif Siddiqui
Subject: Need help with Dashboardin qradar

​Hi All,

Here is my situation, Currently we are using Qradar on cloud (QROC)  and we have three data gateways which are managed by Third party.
Everyday as  part of health check, I run a log search in log activity tab and check and verify if we are receiving logs from all the three data gateways.

My query is how do I create a  dashboard where I would be able to see logs from all the 3 data gateways as soon as I login to the Qradar console.
Note: I have created a search in log activity tab for one data gateway and used that search in dashboard. but that's only displaying logs from one data gateway , I need to use all 3 data gateway IP addresses .host names in one search.

Regards
Asif Siddiqui

------------------------------
Asif Siddiqui
------------------------------