QRadar content extensions
Use content extensions to update IBM® QRadar® security template information or add new content such as rules, reports, searches, logos, reference sets, and custom properties.
Types of QRadar content extensions
All apps and content extensions are hosted on the IBM X-Force Exchange portal (https://exchange.xforce.ibmcloud.com/), where you can filter by content type, such as custom AQL function or custom property. Content extensions can be used in conjunction with apps.
The following table describes the types of content extension that you can deploy in QRadar.
Content extension type | Enhancement type | Description |
---|---|---|
Dashboard | Data | An associated set of dashboard items, which you view on the Dashboard tab in QRadar. Dashboard items are widgets that are visual representations of saved search results. |
Reports | Data/Functionality | Templates for reports that are built upon saved event or flow searches. Generate on-demand reports or schedule them to run at repeating intervals. |
Saved searches | Data | A set of search criteria (filters, time window, columns to display or group data by). By saving the criteria of commonly run searches, you don't need to define them repeatedly. Saved searches are required for reports and dashboards. |
FGroup | Data | A group of similar items by type, such as a group of log sources, a group of rules, a group of searches, or a group of report templates. FGroups are used as organizational units. |
Custom rules | Data | A set of tests that are run against events or flows that enter the system. The rule is triggered when the tests match the input. Rules can have responses, which are actions that are triggered when the rule is triggered. Responses can include actions such as generating an offense, generating a new event, sending an email, annotating the event, or adding data to a reference data collection. |
Custom properties | Data | Defines a property that is extracted or derived from an inbound event or flow. A custom property can be based on a regular expression that extracts a subset of a particular event or flow payload as a textual property, or on a calculation that performs an arithmetic operation on existing numeric properties of the event or flow. |
Log source | Data | A representation of a source of events such as a server, mainframe, workstation, firewall, router, application, or database. Any events that enter QRadar and originate from that source are attributed to the log source. Log sources contain the configuration information that is needed to receive inbound events, or to pull event data from the event source. Log sources contain information that is specific to your environment such as IP address or host name and other possible configuration parameters. |
Log source extensions | Data | A parsing logic definition that is used to synthesize a custom DSM for an event source for which there is no existing DSM. Use log source extensions to enhance or override the parsing behavior of an existing DSM. |
Custom QID map entries | Data | A combination of Event name, Event description, Severity, and Low-level category values that are used to represent a particular type of event that a log source might receive. Custom QID map entries are created to supplement the default QID map that QRadar provides for events that are not officially supported by QRadar. |
Reference Data Collection | Data | A container definition that is represented as either a set, a map, a map of sets, a map of maps, or a table for holding reference data. Searches and rules can reference Reference data collections. |
Historical Correlation Profile | Data | A combination of a saved search and a set of one or more rules. Use historical correlation profiles to test rules by rerunning a set of historical events through an offline version of the custom rule engine that has a subset of rules enabled. |
Custom Functions | Functionality | A SQL-like function (defined in JavaScript) that you can use in an Advanced search to enhance or manipulate data. |
Custom Actions | Functionality | A custom response for a rule to run when the rule is triggered. Custom actions are defined by a Python, Perl, or Bash script that can accept arguments from the event or flow data that triggered the rule. |
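The Custom Actions row above says the action script receives arguments taken from the event or flow that triggered the rule. Those values come from log data, so the script should validate them before using them. The following is an added example, not IBM code: a hypothetical Python custom action that assumes the action is configured to pass three parameters in the order sourceip, username, rule name (the parameter order and the name `build_record` are assumptions for this example).

```python
#!/usr/bin/env python3
"""Hypothetical QRadar custom action script (added example, not IBM code).

Assumes the action passes three positional parameters in this order:
sourceip, username, rule name. Event-derived values are untrusted input.
"""
import ipaddress
import json
import re
import sys
from datetime import datetime, timezone

# Restrict usernames to a conservative character set before they reach any
# downstream tool; anything else is rejected rather than passed along.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@\-]{1,64}$")

# Constructed sample arguments, used only when the script is run by hand.
SAMPLE_ARGS = ["10.0.0.5", "alice", "Excessive Failed Logins"]


def validate_ip(value):
    """Return the normalised IP address string; raises ValueError if invalid."""
    return str(ipaddress.ip_address(value.strip()))


def validate_username(value):
    """Return the username if it matches the allowed pattern; raise otherwise."""
    value = value.strip()
    if not USERNAME_RE.match(value):
        raise ValueError("username contains unexpected characters")
    return value


def build_record(args):
    """Validate positional arguments and return a structured record.

    Returns {"ok": True, ...fields} on success or {"ok": False, "error": ...}
    on rejection, so a malformed event never crashes the action and never
    reaches a downstream command unvalidated.
    """
    if len(args) != 3:
        return {"ok": False, "error": f"expected 3 arguments, got {len(args)}"}
    source_ip, username, rule_name = args
    try:
        return {
            "ok": True,
            "sourceip": validate_ip(source_ip),
            "username": validate_username(username),
            "rule": rule_name.strip()[:128],  # cap length, keep as plain text
            "seen_at": datetime.now(timezone.utc).isoformat(),
        }
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    result = build_record(sys.argv[1:] or SAMPLE_ARGS)
    print(json.dumps(result))  # one JSON line for whatever consumes the output
    sys.exit(0 if result["ok"] else 1)
```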
For more information about content management, see the IBM QRadar Administration Guide.