Step 7 (optional). Displaying events in a dashboard

A QRadar dashboard presents detection results in a visual format. For example, a chart can display the ratio of events of different types.

QRadar 7.2.6 Patch 3 or later is required. Using an earlier version can lead to incorrect results.

Adding a chart that displays the detection results of Feed Service in visual format involves three procedures:

  1. Create an event search.
  2. Add a chart to a dashboard.
  3. Adjust the added chart.

Creating an event search

The following procedure describes how to create an event search.

To create an event search:

  1. In QRadar Console, select the Log Activity tab.
  2. Select Search > New Search.
  3. In the Column Definition form, delete Event Name from the Available Columns list and add Event Name to the Group By list.

    Defining columns

  4. Scroll down the page and in the Search Parameters form, set KL_Threat_Feed_Service_v2 as the log source:
    1. In the Parameter drop-down list, select Log Source [Indexed].
    2. In the Operator drop-down list, select Equals.
    3. In the Log Source list, select KL_Threat_Feed_Service_v2.

      KL_Threat_Feed_Service_v2 is the log source name that is set in the OutputSettings > EventFormat element and the OutputSettings > AlertFormat element of the Feed Service configuration file (you can also set them by using Kaspersky CyberTrace Web).

    4. Click the Add Filter button.

      The string "Log Source is KL_Threat_Feed_Service_v2" will be added to the Current Filters list.

    Setting the log source

  5. Click either the Filter button or the Save button to display the search result.
  6. Click the Save Criteria button.

    Save Criteria button

  7. In the Save Criteria form, select the Include in my Dashboard check box, type the name of the search in the Search Name text box, and then click OK.

    Saving criteria
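
The saved search can be cross-checked from the Log Activity tab by running an equivalent AQL query in Advanced Search. The query below is an added example, not part of the original procedure; the 24-hour window and the column aliases are assumptions, and it assumes your QRadar version accepts `--` comments in AQL.

```sql
-- Added example (AQL): per-event-name counts for the Feed Service log source.
-- The log source filter matches the "Log Source [Indexed] Equals" filter above.
SELECT
    QIDNAME(qid) AS event_name,   -- corresponds to grouping by Event Name
    COUNT(*)     AS event_count   -- number of events per event name
FROM events
WHERE LOGSOURCENAME(logsourceid) = 'KL_Threat_Feed_Service_v2'
GROUP BY qid
ORDER BY event_count DESC
LAST 24 HOURS                     -- assumed window; match the chart's Time Range
```

If the query returns no rows, check that the log source name matches the value configured in the Feed Service output settings before troubleshooting the chart.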

Adding a chart to a dashboard

The following procedure describes how to add a chart to a dashboard.

To add a chart to a dashboard:

  1. In QRadar Console, select the Dashboard tab.
  2. Select Add Item > Log Activity > Event Searches > KL_Events.

    Here, KL_Events is the name of the search that you set.

    Adding an item to the dashboard

    A chart will appear on the dashboard.

    New chart

Adjusting the added chart

The following procedure describes how to adjust the chart that has been added to the dashboard.

To adjust the added chart:

  1. Click the Settings button in the upper-right corner of the chart box.
  2. Specify the settings of the chart.

    Chart settings

    If you select the Capture Time Series Data check box, the chart will display all incoming data received after this check box is selected; the item selected in the Time Range drop-down list will be ignored. If you clear the Capture Time Series Data check box, only the information received during the time range selected in the Time Range drop-down list will be displayed.

After events arrive, the chart displays them.

Bar chart

In the Chart Type drop-down list, you can select the type of chart in which the data will be displayed.

Pie chart

For more information about charts that are based on search results, see QRadar Help (section "Dashboard management" > "Adding search-based dashboard items to the Add Items list").
