QRadar is used to create dashboards and visualizations of QRadar data.
Data Collection Sources
When QRadar Pulse renders visualizations, it might collect and cache QRadar data from the Ariel database and QRadar offense API endpoints. During normal usage of the app, QRadar Pulse might also collect and cache QRadar user capability information. During normal operation, the app might log error and debug messages.
Data queries that return data larger than 1000 rows are cached within the app container. This cache occurs that so the visualization can be manipulated without requerying the data source.
When a dashboard item is created, some metadata might be attached to the item, such as the date of creation and the author. This data is only used for information purposes, and only when the item is displayed to the user.
The cached user capability information is used to assess which parts of the application a user has access to, without continually querying QRadar.
Logs, which might include the current user's details, are typically used by developers and system administrators to identify and debug software issues.
By default, cached data queries are retained for 15 minutes by default. A background process automatically removes potentially cached items after one day.
User-created dashboards and dashboard items are retained until the user decides to delete them. If a user cannot delete their own items (for example, they can no longer authenticate to QRadar), an administrative API is available to delete all artifacts that are created by a user. This API can also be used to remove any cached information, including permissions, that relates to this user.
Logs are rotated (deleted) based on a configuration setting. By default, this setting is configured to 30 days. Logs, data, and caches are removed if the app is uninstalled.