Satisnet Ltd, Basepoint Innovation Centre, 110 Butterfield Great Marlings, Luton, Bedfordshire, LU2 8DL enquiry@satisnet.co.uk
+44 (0) 1582 434320

QRadar - Managing Reference Data

Background

Prior to QRadar release 7.2.8, configuring and maintaining Reference Data was actioned in one of two ways.

Reference Sets had their own icon in the Admin -> System Configuration section. This icon, when clicked, opens a list of all Reference Sets that are included in this system. These will be both user-generated and system-generated sets. Many of the new QRadar Apps will create and use Reference Sets as stores for transient data.
Reference Sets can be thought of as a single-column spreadsheet. Each element in the set must be of the same data type, for example, all names or all IP addresses.

The process of maintaining Reference Sets is well known, as they have been available for several years. The more complex types of Reference Data are less well known, and in release 7.2.8 maintaining them became much, much easier.

Reference Data Types

There are four additional types of Reference Data: Maps; Map of Sets; Map of Maps and Tables.

The first Reference Data model, Maps, may be thought of as a two-column spreadsheet or a Key-Value pair. In this case the key may differ in type from the value, but as with the Reference Set, all keys must be of the same data type, as must all the values.

UKey1 Key1 Value1
UKey2 Key2 Value2
UKey3 Key3 Value3
-
-
UKeyN KeyN ValueN

Layout of Map

The Map of Sets may be thought of as a multi-line spreadsheet with each line having a variable number of columns. The first column of each line contains a unique Key, followed by a variable number of columns containing values. The same restriction applies to a Map of Sets as to a Reference Set: all values must be of the same data type.

UKey1 Value1 Value2 Value3
UKey2 Value4 Value5 Value6 Value7 Value8
UKey3 Value9
-
-
UKeyN Value10 Value11 - - ValueN

Layout of map sets

The Map of Maps is similar to the Map of Sets in that it is a multi-line, multi-column data store. In this case the first column is used for the unique key, followed by a variable number of two-column pairs, each pair consisting of a Key and a Value.

UKey1 Key1 Value1 Key2 Value2
UKey2 Key3 Value3 Key4 Value4 Key5 Value5
UKey3 Key6 Value6
-
-
UKeyN Key7 Value7 - - KeyN ValueN

Layout of a Map of Maps

A Reference Data Table is the most complex and perhaps the most difficult to fully understand. Simplistically it performs as a rudimentary database where each record revolves around a single key. For example, the key could be the username and the data could be all the work elements surrounding that user, PC hostname, PC Model, location, department, etc. The process would be to create a primary key (-key1Label) then define the key types (-keyType) and then the value for each key type for each user.

The following schematic view shows the layout of this Table.

Username1 KeyType1 Hostname1 KeyType2 Model1 KeyType3 Location1 KeyType4 Department1
Username2 KeyType1 Hostname2 KeyType2 Model2 KeyType3 Location2 KeyType4 Department2
Username3 KeyType1 Hostname3 KeyType2 Model3 KeyType3 Location3 KeyType4 Department3
-
-
UsernameN KeyType1 HostnameN KeyType2 ModelN KeyType3 LocationN KeyType4 DepartmentN

Layout of a simple table
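To make the Table model concrete, the following is an added example (not code from Satisnet or IBM): a small in-memory model of a Reference Data Table keyed by Username with the four keyTypes from the schematic above, plus an assumed fifth keyType (LoginIP) so that columns of different element types can be shown. The element-type names ALN and IP follow QRadar's reference-data element types, but the validation rules and the sample rows are this example's own constructions.

```python
import ipaddress
from typing import Any, Callable, Dict, Optional

# Element-type names follow QRadar's reference-data element types; the
# validation rules behind them are this example's own assumptions.
def _is_ip(value: Any) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

VALIDATORS: Dict[str, Callable[[Any], bool]] = {
    "ALN": lambda v: isinstance(v, str) and v.strip() != "",
    "IP": lambda v: isinstance(v, str) and _is_ip(v),
}

class ReferenceTable:
    """One record per primary key (key1Label); each keyType column has one element type."""
    def __init__(self, key1_label: str, key_types: Dict[str, str]) -> None:
        self.key1_label = key1_label                 # name of the primary-key column
        self.key_types = key_types                   # keyType name -> element type
        self.rows: Dict[str, Dict[str, Any]] = {}    # primary key -> {keyType: value}

    def add(self, primary_key: str, key_type: str, value: Any) -> None:
        if key_type not in self.key_types:
            raise KeyError(f"unknown keyType {key_type!r} in table {self.key1_label!r}")
        elem_type = self.key_types[key_type]
        if not VALIDATORS[elem_type](value):   # enforce the same-type rule per column
            raise TypeError(f"{key_type}={value!r} is not a valid {elem_type}")
        self.rows.setdefault(primary_key, {})[key_type] = value

    def get(self, primary_key: str, key_type: str) -> Optional[Any]:
        return self.rows.get(primary_key, {}).get(key_type)

def build_user_table() -> ReferenceTable:
    """Builds the Username-keyed table from the schematic with constructed sample rows."""
    columns = ("Hostname", "Model", "Location", "Department", "LoginIP")
    table = ReferenceTable("Username", {c: ("IP" if c == "LoginIP" else "ALN") for c in columns})
    sample = {  # constructed sample data, not a real inventory
        "alice": ("LT-ALICE-01", "ThinkPad T14", "Luton", "Finance", "10.1.2.3"),
        "bob": ("WS-BOB-07", "OptiPlex 7090", "Luton", "SOC", "10.1.2.4"),
    }
    for user, values in sample.items():
        for key_type, value in zip(columns, values):
            table.add(user, key_type, value)
    return table

def rejects_wrong_type(table: ReferenceTable) -> bool:
    """True when a non-IP string is refused by the IP column, leaving the row unchanged."""
    try:
        table.add("alice", "LoginIP", "not-an-address")
    except TypeError:
        return True
    return False
```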

Maintenance

There is now an App that provides a list of all the Reference Data entities in the QRadar system and the capability to maintain them without resorting to the Command Line Interface. The App is called Reference Data Management and is available on IBM’s X-Force Exchange. After installing the App, an icon is displayed under the Plug-ins heading in the left-hand-side menu. Clicking this icon brings up the list of all Reference Data; within this list, double-clicking on an entry brings up a schematic of the file, and from this panel entries may be added, uploaded, downloaded or deleted.

IBM Reference Data Manager Lite