Grafana-AQL integration for QRadar SIEM

guillermomartinez · November 7, 2024, 4:45pm

Hello.

I have been trying to make some custom AQL queries in Grafana to my IBM QRADAR Siem. But the query results are blank.
Also, I have tested the integrations, and I can see the default IBM QRADAR SIEM dashboards in my Grafana working Properly.

Do you know if there is any missconfiguration that i must check?

Thanks!

Regards,

yosiasz · November 7, 2024, 5:10pm

welcome @guillermomartinez

Are you including some filter on that query?

guillermomartinez · November 7, 2024, 6:07pm

Hello @yosiasz !

Yes, I’m using some filters in the AQL Filter. Also, I’m using some custon fields, but in the query inspector it saids that it found 0 results. I Test the same query in QRADAR, and it shows me the results, so, the query is working.

Thanks!

yosiasz · November 7, 2024, 6:32pm

so check the Query Inspector, copy the generated query and run it outside of grafana in some AQL query tool

also check browser console and network tab

guillermomartinez · November 7, 2024, 6:35pm

I done it using postman, for example, uing postman, doing exactly what is the api AQL Qeury proceess, and it work properly to.

yosiasz · November 7, 2024, 6:35pm

also check browser console and network tab. is it a rest api endpoint? can you post the json generated from postman?

are you using infinity?

guillermomartinez · November 7, 2024, 6:37pm

I’m not using infinity. I’m using the IBM QRADAR Plugin from Grafana

wiserunner615 · November 8, 2024, 8:03pm

I had the same problem and with the help of IBM support reviewing the dashboards that come with the plugin, we noticed that you have to specify the datatype of the custom property.

SELECT 
  LONG(starttime/(1000*60)) AS minute,
  starttime AS stime,
  "Events per Second Raw - Average 1 Min" AS double,
  STR(parent) AS str
FROM events
WHERE logsourceid=65 AND str IN (
  SELECT str 
  FROM (
    SELECT Parent as str,
    "Events per Second Raw - Average 1 Min" AS double
    FROM events
    WHERE parent <> NULL AND logsourceid=65
    GROUP BY str
    ORDER BY double DESC
    LIMIT 5
    $__timeFilter(starttime)
  )
)
GROUP BY minute, str
ORDER BY minute DESC
$__timeFilter(starttime)

So to grab a custom property with a space in the name. I have had to do the following STR(“Machine Identifier”).

wiserunner615 · November 21, 2024, 4:13pm

So the key factor is defining the data type for the custom property.

They plan on making it easier in future versions of the data source.

STR(parent) AS parent
OR
(“parent”) AS str

“Events per Second Raw - Average 1 Min” AS double
LONG(starttime/(1000*60)) AS minute

Topic		Replies	Views
Grafana + IBM QRadar Grafana	1	3470	January 14, 2022
Query metrics tab doesn't work! HELP Grafana	3	1871	June 2, 2022
Query REST API with JSON Plugin Configuration	14	6953	January 27, 2021
Annotations query results for custom plugin Grafana Plugin Development alerting , annotation	1	131	March 21, 2024
Need information about BUG #27374 Configuration	3	651	September 29, 2020

Grafana-AQL integration for QRadar SIEM

Related topics