Tutorial

Enhance your security data visualization and analysis capabilities

Integrate IBM QRadar Suite with Grafana to improve the monitoring of security events

By Rahul K P

In today's world, you need products that help your security teams outsmart threats with speed, accuracy and efficiency. That's where the IBM QRadar Suite comes into play. Along with Grafana, a visualization tool that unifies your existing data, wherever it lives, into a single dashboard, you can improve the monitoring of security events as well as aid in quicker response times by highlighting critical issues through effective data visualization.

The IBM Security QRadar Suite KQL plug-in helps you build visualizations directly from QRadar Suite data while also using Grafana for other data sources. The plug-in allows Grafana to connect to your QRadar Suite instance and retrieve data to present through visualizations.

In this tutorial, learn how to run Kusto Query Language (KQL) queries against your QRadar Suite KQL instance. A Grafana dashboard panel displays your query results. The Grafana plug-in distribution also includes sample dashboard JSON.

This tutorial covers:

  1. Installing the QRadar Suite plug-in in Grafana.
  2. Configuring the QRadar data source in Grafana.
  3. Creating a new dashboard in Grafana.
  4. Importing a dashboard in Grafana.
  5. Managing existing widgets in a dashboard.

Prerequisites

To follow this tutorial, you need the following:

  • IBM QRadar Suite: Ensure that you have administrative access to your QRadar instance.
  • Grafana: You need version 7.0 or newer installed.
  • QRadar Suite API credentials: These are user credentials with permission to access the QRadar APIs.
  • Grafana plug-in for QRadar: Depending on the Grafana version, ensure that you have the appropriate plug-in installed that can connect to QRadar Suite.

Steps

Step 1. Install the QRadar Suite plug-in in Grafana instance

To install the QRadar Suite plug-in in the Grafana instance:

  1. Navigate to your Grafana instance.

    plugins.png

  2. Click the Hamburger menu at the upper left, and navigate to Administration > Plugins and Data.

  3. Click Plugins, and search for QRadar Suite.

    plugin1.png

  4. Click Install at the upper right.

    qradaqr-window.png

Step 2. Configure QRadar data source in Grafana

To configure the QRadar data source in Grafana:

  1. Navigate to Connection > Data Sources.
  2. Click Add new data source.

    new-data-source.png

  3. Search for QRadar Suite, and select QRadar Suite Plugin from the list.

    qradar-data.png

  4. Enter connection details.

    • Host: Enter the URL of your QRadar Suite endpoint.
    • API Key: Provide the API key or secret that you generate from the API Keys section of the QRadar Suite platform.

      api-keys.png

    • Account ID: Capture the Account ID from the Account Management section of the QRadar Suite platform.

      account-id.png

    • Verify SSL: If your QRadar API uses SSL, keep this option checked so that the server certificate is validated; uncheck it only if the API is not using SSL.

      verify-ssl.png

  5. After providing all of the previous details, click Save & Test. If your connection is successful, you receive the following status.

    working-data-source.png

Note: Avoid a trailing slash ("/") at the end of the Host URL, because it can cause the connection to fail.
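As an added example that is not part of this tutorial or the plug-in's own documentation, the same data source can be provisioned from a file so the settings are reviewable and version-controlled rather than typed into the form. The type id ibm-kql-datasource is the name shown in Step 3; the jsonData/secureJsonData key names (accountId, verifySsl, apiKey) and the hostname are assumptions that must be checked against the plug-in's documentation.

```yaml
# Added example: Grafana data source provisioning for the QRadar Suite KQL plug-in.
# Place under Grafana's provisioning/datasources/ directory (e.g. qradar-kql.yaml).
# "ibm-kql-datasource" is the data source name shown in Step 3 of the tutorial;
# the jsonData/secureJsonData keys below are assumptions to confirm against the plug-in.
apiVersion: 1

datasources:
  - name: QRadar Suite KQL
    type: ibm-kql-datasource
    access: proxy            # queries go through the Grafana backend, not the browser
    # Host: no trailing slash (see the note above on failed connections); hostname is a placeholder
    url: https://qradar-suite.example.com
    jsonData:
      accountId: "ACCOUNT-ID-PLACEHOLDER"   # assumed key; value from Account Management
      verifySsl: true                       # assumed key; keep certificate verification on
    # secureJsonData is encrypted at rest and is not returned by the Grafana API,
    # unlike jsonData, so the API key belongs here rather than in jsonData or the URL.
    secureJsonData:
      apiKey: "${QRADAR_API_KEY}"           # assumed key; Grafana expands the env var at startup
    editable: false          # keep the file as the single source of truth for this data source
```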

Step 3. Create a new dashboard in Grafana

To create a new dashboard:

  1. Navigate to the Hamburger menu at the upper left. Click Dashboards > New > New Dashboard.

    new-dashboard.png

  2. Click Add Visualization.

    add-visualization1.png

  3. From the list, select the Data Source as ibm-kql-datasource.

    data-source.png

  4. Provide your KQL Query in the following section, and click Run Query.

    kql-query.png

  5. Click Save, and you get the following screen to provide the dashboard details. Click Save again.

    save-dashboard.png

Step 4. Import a sample dashboard in Grafana

JSON files of preconstructed dashboards are available on the QRadar Suite KQL data source configuration page. You can use the sample dashboards as a reference for creating your own dashboards.

  1. Navigate to the Hamburger menu at the upper left. Click Administration > Data Sources.

    grafana-dashboard.png

  2. Select the QRadar Suite KQL plug-in data source from the table on the Data sources page.

    data-source2.png

  3. Click the Dashboards tab on the QRadar Suite KQL plug-in page.

  4. Find the row of the sample dashboard that you would like to import, and click Import.

    import.png

  5. Click the Dashboards icon (dashboard-icon.png) from the navigation menu.

  6. Navigate to the Dashboard section to view the imported dashboard. You might need to refresh the tab to see the imported dashboard.

    imported-dashboard.png

  7. Click QRadar Suite KQL – Sample Dashboard that you imported.

    qradar-kql.png

The Sample Dashboard is displayed.

Step 5. Manage the existing widgets in a dashboard

To manage the existing widgets:

  1. Click on the three dots in the upper right of the widget to access a range of options for managing the widget.

    circle-widget.png

  2. Click View to enlarge the widget, and press Escape on the keyboard to return it to its original position.

  3. Click Edit to modify the complete widget settings, and click Apply after making any setting modifications.

    widget-edit.png

  4. Click Share to distribute the dashboard using various methods.

    share.png

  5. Click Explore to view the underlying KQL query for this widget.

  6. Click Inspect to download the content of the widget in a CSV format, get the JSON model of the widget, and also get the associated KQL query.

    inspect.png

    inspect2.png

  7. Click More for additional options like Duplicate, Copy, and Create an Alert Rule with the widget data.

    more.png

Summary

In this tutorial, you learned how to successfully integrate IBM QRadar Suite with Grafana, enhancing your security data visualization and analysis capabilities. This integration not only improves the monitoring of security events but also aids in quicker response times by highlighting critical issues through effective data visualization.