Open a dashboard in a separate window, for example, on a SOC wall. Select a specific dashboard to be the default dashboard every time you log in. Pin dashboards or dashboard items to individual windows.
- Rearrange the layout of the dashboard item cards as you like, including the Parameters card. Resize the items to focus on certain ones.
- View the dashboard item. Depending on the chart view you use, several options for viewing the chart are available from the More options menu or as individual icons:
Refresh the chart content immediately to see changes, instead of waiting for the next scheduled refresh time.
Toggle the chart settings to see all the available views of the data.
Open the dashboard data in the corresponding Log Activity or Network Activity tabs to see more details.
If a dashboard item contains parameters with no values, the menu options for Log Activity and Network Activity aren't displayed.
Zoom or pan the chart to focus your view on specific areas.
Adjust the chart displays by toggling the legend markers on or off to focus on key metrics.
Reset the chart axes after you zoom or pan the chart.
Enable or hide branding for pinned dashboards and dashboard items.
Scale the size of the chart display in an expanded window, and easily restore the default. Toggle the scale on and off. The scale floats over the bottom of the window while you adjust the scale, and disappears when you move away from the scale.
- Open a dashboard item or dashboard to display in a new window on a SOC monitor.
- Pin or unpin a dashboard item or dashboard after you open it in a separate window. Restore all of your pinned windows after they are closed.
If a pinned dashboard item or a dashboard contains parameters, the pinned window saves the parameter values at the point in time that the window was pinned.
If you change the parameter values in the original dashboard or item, and then close and reopen the pinned window, the parameters in the pinned window aren't affected.
If you edit the original dashboard or item to add or delete parameters, and then close and reopen or refresh the pinned window, the parameters in the window are affected. Refresh your window to display the changes.
If you move the Parameters card of a dashboard item to a different position in an expanded window, and then close and reopen the window, the card returns to the original position.
You can edit the parameters of the pinned window by using the Parameters card in the window. This is useful in SOCs where pinned windows stay open on separate monitors for a long time.
- Remove items from a dashboard when the items no longer apply, or delete dashboards when they no longer apply.
Removing an item from a dashboard does not delete it from the app. Deleting a dashboard doesn't delete the dashboard items from the app.
Changing the View of Dashboard Item Data
You can change or add different views of dashboard items in your dashboards so that you can see data from other perspectives.
In this scenario, you want to add a pie chart view of the Events per user chart to the Miscellaneous metrics dashboard. By default, the dashboard displays the bar chart view.
- To change the view of a dashboard chart, click More options > Settings to flip the card, and select the view to display.
The setting is lost under the following circumstances:
You edit another dashboard item within the same dashboard and then return to view the chart again.
You move to another dashboard and then return to the previous one.
You log out of QRadar.
The default view displays. To avoid this behavior, follow step 2.
- To add another view of the dashboard chart, complete the following steps:
From the Miscellaneous metrics dashboard, click Manage Dashboard Items, and scroll down the list to find the item names of the chart view you want to add to the dashboard.
Click Add for each view you want to add to the dashboard, and click Done.
Both chart views are available on the dashboard.
Visualizing Security Incidents on the Threat Globe Dashboard
The 3D threat globe dashboard displays where incidents are occurring. Threat researchers can use the visualization to see whether the same attacks are happening everywhere across the globe or just at specific customer sites.
The threat globe gathers initial data to populate the 3D globe, so it might take a few minutes to complete the visualization.
QRadar Pulse 2.1.6 on QRadar 7.3.1 or later uses the QRadar MaxMind database. QRadar Pulse uses the following order of precedence to find the geographical location of an address:
- Looks at the network hierarchy (in QRadar 7.3.1 or later; if you're using 7.3.0, QRadar Pulse starts its process at step 2).
- Checks the MaxMind database in QRadar Pulse.
- Checks the MaxMind database in QRadar 7.3.1 or later.
- Checks the QRadar Pulse configuration screen to verify that the latitude and longitude are properly set.
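The lookup order above, as an added illustration that is not QRadar Pulse's own code: the network hierarchy, both MaxMind databases and the configuration location are constructed dictionaries, and the `qradar_731_or_later` flag stands in for the version check, so on 7.3.0 an internal address falls through to the configured coordinates.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Coord = Tuple[float, float]  # (latitude, longitude)

# Constructed sample data standing in for the four sources named above.
NETWORK_HIERARCHY: Dict[str, Coord] = {   # step 1 (QRadar 7.3.1 or later)
    "10.20.0.0/16": (48.8566, 2.3522),    # constructed: Paris campus
    "10.20.5.0/24": (51.5074, -0.1278),   # constructed: London lab, more specific
}
PULSE_MAXMIND: Dict[str, Coord] = {       # step 2 (database bundled with Pulse)
    "203.0.113.7": (35.6762, 139.6503),
}
QRADAR_MAXMIND: Dict[str, Coord] = {      # step 3 (QRadar 7.3.1 or later)
    "198.51.100.9": (-33.8688, 151.2093),
    "203.0.113.7": (1.3521, 103.8198),    # deliberately disagrees with step 2
}
CONFIG_LOCATION: Coord = (40.7128, -74.0060)  # step 4 (Pulse configuration screen)


def hierarchy_lookup(ip: str) -> Optional[Coord]:
    """Return the coordinates of the most specific hierarchy object containing ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, coord in NETWORK_HIERARCHY.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, coord)
    return best[1] if best else None


def locate(ip: str, qradar_731_or_later: bool = True) -> Tuple[Coord, str]:
    """Resolve ip to (lat, lon) plus the name of the step that supplied it."""
    if qradar_731_or_later:                      # step 1 is skipped on 7.3.0
        coord = hierarchy_lookup(ip)
        if coord:
            return coord, "network hierarchy"
    if ip in PULSE_MAXMIND:                      # step 2 wins over step 3
        return PULSE_MAXMIND[ip], "Pulse MaxMind"
    if qradar_731_or_later and ip in QRADAR_MAXMIND:
        return QRADAR_MAXMIND[ip], "QRadar MaxMind"
    return CONFIG_LOCATION, "configuration"      # step 4: last resort
```

Private addresses never appear in a MaxMind database, so without the hierarchy every internal source is drawn at the configured location.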
- Select the event categories that you want to see on the globe. Click Filter Categories to display the list of offense categories. By default, all categories are selected.
To add or remove a category from the top list, select it.
To set the new categories, click Done.
- Rotate the globe to focus on a country or continent. Events are plotted on the 3D globe according to their location in a country.
Turn off the auto-rotate function and then zoom in to focus on a country.
Click and drag the globe to change the angle. Use the following legend to understand what you see on the globe:
Magnitude: Specifies how bad the offense is. The height of the visual spike on the globe indicates the severity of the offense.
The magnitude rating of an offense is calculated based on relevance, severity, and credibility.
Relevance determines the impact of the offense on your network. For example, if a port is open, the relevance is high.
Credibility indicates the integrity of the offense as determined by the credibility rating that is configured in the log source. Credibility increases as multiple sources report the same event.
Severity indicates the level of threat that a source poses in relation to how prepared the destination is for the attack.
Frequency: The size of the circles on the globe indicates the frequency of new events that are coming in to the threat globe.
Frequency trending: If the concentric circles continue to expand outwards, the frequency of offenses is increasing.
Source to destination: The path arcs from the source IP to the destination IP.
- Hover over a security event category. Unrelated low-level categories are filtered from the top five low-level categories and the event rate chart.
- Hover over the top five low-level categories to see which high-level security event category they belong to.
- The Offenses section initially displays the top 10 offenses with recent activity that are currently open, sorted by severity, credibility, and relevance. As the app runs, the list is supplemented with new offenses from recent events. Click an offense to investigate it.
- The timeline graph at the bottom of the page shows the last 15 minutes (default) of real-time activity. Pause the timeline and then rewind it to replay the events as they came into the threat globe. Hover over the timeline to see the date and time. The event rate is a running list of the events as they come in. When you pause the timeline, the event rate also pauses.
You can customize the length of time of the real-time activity on the Configuration page.
By default, there is a 10-minute (600 seconds) delay from when QRadar collects an offense to when it is displayed in the threat globe.
The threat globe's filtering is not based on whether an offense is active or inactive. Instead, it shows open offenses with events that fall within an approximate 15-minute time frame after a real-time delay of around 10 minutes.
- The Event rate chart displays the rate at which security events are collected by QRadar before they're visualized in the threat globe. In the screen capture, the number on the right reflects the total events that came in during 1 minute. The number on the left reflects the number for the event categories that are selected in the Security events section. Hover over the lines to display the high-level category. Events that are filtered from the Security Event categories appear as gray lines.
Event Categories That Are Visualized in the Threat Globe Dashboard
Event categories are used to group incoming events for visualization by the Threat Globe. Events that occur on your network are aggregated into high-level and low-level categories. Each high-level category contains low-level categories and an associated severity level and ID number.
Table 1: Event Categories (security event category descriptions)
- Authentication and access controls that are used for monitoring network events.
- Events that are related to application activity, such as email or FTP activity.
- Events that are related to asset profiles. Asset profiles provide information about each known asset in your network, including what services are running on each asset.
- Events that are related to audit activity, such as email or FTP activity.
- Events that are related to authentication, sessions, and access controls that monitor users on the network.
- Events that are generated from a custom offense, flow, or event rule.
- Events that are related to your hardware system.
- Events that are related to denial-of-service (DoS) attacks against services or hosts.
- Events where communication or access exploits occurred.
- A single transmission of data that passes over a link during a conversation.
- Events that are related to administration of network policy and the monitoring of network resources for policy violations.
- Events that are related to potential application exploits and buffer overflow attempts.
- Events that are related to scanning and other techniques that are used to identify network resources.
- Events that are related to QRadar Risk Manager.
- Risk Manager Audit: Events that are related to QRadar Risk Manager audit events.
- Events that are related to user interaction with the QRadar Console and administrative features.
- Events that are related to Sense user behavior analytics.
- Events that are related to viruses, Trojan horse programs, back door attacks, and other forms of hostile software.
- Events that are related to system changes, software installation, or status messages.
- A graphical representation of network connections over time.
- Events that are not parsed and therefore cannot be categorized.
- Events that are related to user-defined objects.
- VIS Host Discovery: When the VIS component discovers and stores new hosts, ports, or vulnerabilities that are detected on the network, the VIS component generates events. These events are sent to the Event Collector to be correlated with other security events.
Investigating the Details of an Offense from the Threat Globe Dashboard
Conduct a more comprehensive investigation by studying the details of a particular offense.
- From the main global view, click an offense to open the Offense Details page. The visualization display expands to show you the selected offense and where it is occurring on the 3D globe.
- Click View full details to get detailed information in a separate browser tab.
- Click the Pulse tab (or click the left arrow) to return to the original screen with refreshed content.
Visualizing the Average Magnitude of an Event on a Geographic Chart
In this example, you set the source and destination IP addresses, edit the colors that display on the scatter geo chart, and set the chart to auto rotate in the dashboard.
To ensure that the map renders properly in QRadar Pulse, your browser must be connected to the Internet.
- Click Configure dashboard.
The Configure dashboard screen displays a library of available widgets, with details about each widget.
- Click Create new widget.
- On the New Dashboard Item page, enter Magnitude of events as the name and provide a description.
- Select AQL as the data source, set the Refresh Time to every 5 minutes, and enter the following AQL query in the AQL Statement field:
SELECT sourceip as 'Source IP', destinationip as 'Destination IP', AVG(magnitude) as 'Average Magnitude', count(*) as 'Number of Events', GEO::LOOKUP(destinationip, 'geo_json') as destinationGeo, GEO::LOOKUP(sourceip, 'geo_json') as 'sourceGeo' from events group by 'Source IP'
- Set the Results Limit to 1000, and click Run Query.
- Configure the chart display. In the Views section of the page, enter Magnitude of events as the View Name and select Geographic Chart as the chart type.
- On the General tab, select sourceGeo in the Geographic Data field, and click the More options icon.
Leave the Axis Label as sourceGeo.
Select sourceGeo as the Hover Text.
Select a green color and size 5 for the data point.
Click the More options icon to minimize the selected row.
- Click Add Series, select destinationGeo, and repeat step 7. In step 7 (c), change the values to a pink color and size 8 for the data point.
- Select Globe (Orthographic) for the Projection.
- Set Show Legend to Yes, and pick the Vertical legend orientation.
- On the Thresholds tab, click Add Threshold Indicator. You can apply thresholds only if the AQL query contains numeric columns, such as Average Magnitude, Number of Events and count(*).
Select a threshold indicator, and click the More options icon.
Select a column, add a threshold value, and then click Add Threshold.
Change the option or use the default options. Add as many threshold values as you need.
Optional: For the Point Color threshold, select a color scale mode to display on the dashboard item.
- Optional: Pick a scale mode to display for the Point Color threshold. The color scale mode displays under the legend on the dashboard item.
- On the Map tab, enable all of the options except for Display Grid.
- Pick colors for the lines, land, water, and borders of the map. Choose whether to display the map grid or not.
- On the Viewport tab, configure the latitude, longitude, and scale for how the map displays in the dashboard item. When you're happy with the preview display, click Set latitude, longitude, and scale as seen in the preview.
- Click Save.
- Optional: Click the Settings icon on the dashboard item, and toggle the Autorotate Globe switch.