IBM Security QRadar

  • 1.  QRadar Pulse Dashboard with API problem

    Posted Fri February 16, 2024 09:31 AM

    Hi all,
    I am trying to create a dashboard for a customer and I noticed that when I use the API to get data, it does not filter per domain. So the customer can see information for all log source types and not only the ones that apply to his environment. I will share with you 2 screenshots: one is the customer profile and the second is what he sees in the dashboard. Also, the API for log source types states that:

    Retrieves a list of log source types. If called by a user/authorized service with System Administrator, Security Admin, or Manage Log Source Types permissions, then all fields will be returned in each log source type. If called by a less privileged client, only name and ID are returned in each log source type.

    Any thoughts? 

    #IBMQRadar#API



    ------------------------------
    Christos Katsamakas
    ------------------------------


  • 2.  RE: QRadar Pulse Dashboard with API problem

    Posted Fri February 16, 2024 12:08 PM
    Edited by Jonathan Pechta Fri February 16, 2024 12:26 PM

    Pulse fetches data by running AQL through an API, so the question would be really related to AQL. Are you trying to filter by Security Profile filtering, or specifying the domain in the AQL?

    When you attempt to run the search from the Log Activity tab, does it return the expected results? I would think that the search would include the domainID that includes the results you are trying to return. For example, AND "domainId"='3' GROUP BY "Device_Name".

    If you are using the QRadar API directly, what features the user has access to is defined by the User Role assigned. Filtering for what users can see (data segregation), such as domains, networks, and log sources they are allowed to see, is defined by their Security Profile. The Log Sources API can see all log sources, but it is probably easier to use AQL and just define a specific domain ID.

    We even just released a new Grafana plug-in that allows you to use AQL to query for data and display it in a GrafanaLabs or Grafana Cloud dashboard too.


    ------------------------------
    Jonathan Pechta
    IBM Security - Community of Practice Lead
    jonathan.pechta1@ibm.com
    ------------------------------
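
The approach suggested in the reply above, as an added example that is not part of the thread and not IBM's code: build an AQL query that carries the `"domainId"` clause from the reply and wrap it in a request for the Ariel search endpoint. The SELECT list, the console hostname and the token value are assumptions; domain IDs are restricted to digits so a dashboard parameter cannot add its own AQL to the WHERE clause.

```python
import re
import urllib.parse
import urllib.request

ARIEL_SEARCHES = "/api/ariel/searches"   # Ariel search endpoint of the QRadar REST API
DOMAIN_CLAUSE = '"domainId"=\'{}\''      # clause form quoted in the reply above


def domain_scoped_aql(domain_ids, last="24 HOURS"):
    """Event count per log source type, limited to the given domain IDs."""
    ids = [str(d) for d in domain_ids]
    if not ids:
        raise ValueError("at least one domain id is required")
    for d in ids:
        # Digits only: anything else could change the meaning of the query.
        if not re.fullmatch(r"[0-9]+", d):
            raise ValueError(f"invalid domain id: {d!r}")
    if not re.fullmatch(r"[0-9]+ (MINUTES|HOURS|DAYS)", last):
        raise ValueError(f"invalid time window: {last!r}")
    where = " OR ".join(DOMAIN_CLAUSE.format(d) for d in ids)
    # SELECT list is an assumption chosen to match GROUP BY "Device_Name".
    return (
        'SELECT LOGSOURCETYPENAME(devicetype) AS "Device_Name", '
        'COUNT(*) AS "Events" FROM events '
        f'WHERE ({where}) GROUP BY "Device_Name" LAST {last}'
    )


def build_search_request(console, token, domain_ids):
    """Prepare (but do not send) the POST that starts the Ariel search."""
    query = urllib.parse.urlencode({"query_expression": domain_scoped_aql(domain_ids)})
    return urllib.request.Request(
        f"https://{console}{ARIEL_SEARCHES}?{query}",
        method="POST",
        headers={"SEC": token, "Accept": "application/json"},
    )


if __name__ == "__main__":
    # Constructed values: hostname and token are placeholders.
    req = build_search_request("qradar.example.com", "PLACEHOLDER-TOKEN", [3])
    print(req.get_method(), req.full_url)
```
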



  • 3.  RE: QRadar Pulse Dashboard with API problem

    Posted Mon February 26, 2024 06:41 AM

    Hi Jonathan,

    I used only the API for retrieving the results, and in the Security Profile the assigned domain is only the customer's domain. Is there any other way to use a filter so the customer can see his log sources?

    Regards, 



    ------------------------------
    Christos Katsamakas
    ------------------------------