Satisnet Ltd, Basepoint Innovation Centre, 110 Butterfield Great Marlings, Luton, Bedfordshire, LU2 8DL enquiry@satisnet.co.uk
+44 (0) 1582 434320

QRadar SIEM: Customising The Right-Click Menu

By default, the right-click plug-in menu in QRadar includes only X-Force Exchange Lookup. You can add further IP address lookups to the menu by customising the ip_context_menu.xml file.

X-Force Exchange Lookup

http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.7/com.ibm.qradar.d...

About this task

The ip_context_menu.xml file accepts menuEntry XML nodes to customize the right-click menu.

<menuEntry name="{Name}" description="{Description}" exec="{Command}"
url="{URL}" requiredCapabilities="{Required Capabilities}"/>

The following list describes the attributes in the menuEntry element:

Name

The text that is displayed in the right-click menu.

Description

The description of the entry. The description text is displayed in the tooltip for your menu option. The description is optional.

URL

Specifies the web address that opens in a new window.

You can use the placeholder %IP% to represent the IP address. The ampersand character (&), the left angle bracket (<), and the right angle bracket (>) must be escaped using the strings &amp;, &lt;, and &gt; respectively.

For example, to pass a URL with multiple parameters that includes a placeholder for the IP address, you can use this syntax: url="/lookup?&amp;ip=%IP%;force=true"

Command

A command that you want to run on the IBM® Security QRadar® Console. The output of the command is displayed in a new window. Use the placeholder, %IP%, to represent the IP address that is selected.

Required Capabilities

A comma-delimited list of capabilities, for example "ADMIN", that the user must have before they can select this option. If the user does not have all of the capabilities that are listed, the entry is not displayed. Required capabilities is an optional field.

The edited file must look similar to the following example:

<?xml version="1.0" encoding="UTF-8"?>
<!-- This is a configuration file to add custom actions into
the IP address right-click menu. Entries must be of one of the
following formats: -->
<contextMenu>
<menuEntry name="Traceroute" exec="/usr/sbin/traceroute %IP%" />
<menuEntry name="External ARIN Lookup" url="http://ws.arin.net/whois/?queryinput=%IP%" />
<menuEntry name="Domain Crawler" url="http://www.domaincrawler.com/ip/view/%IP%" />
<menuEntry name="Domain Hosting info" url="http://onsamehost.com/%IP%" />
<menuEntry name="HoneyNet Project lookup" url="http://www.projecthoneypot.org/ip_%IP%" />
<menuEntry name="McAfee trusted source" url="http://www.trustedsource.org/query/%IP%" />
<menuEntry name="ORBL Blacklist search" url="http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a%IP%" />
<menuEntry name="RobTexLookup" url="http://www.robtex.com/ip/%IP%.html" />
<menuEntry name="SANS IP Lookup" url="http://isc.sans.org/ipinfo.html?ip=%IP%" />
<menuEntry name="senderbase" url="http://www.senderbase.org/senderbase_queries/detailip?search_string=%IP%" />
<menuEntry name="Spamhaus" url="http://www.spamhaus.org/query/bl?ip=%IP%" />
<menuEntry name="Google Search" url="http://www.google.com/search?q=%IP%" />
</contextMenu>

Procedure

  1. Using SSH, log in to IBM Security QRadar as the root user
  2. On the QRadar server, copy the ip_context_menu.xml file from the /opt/qradar/conf/templates directory to the /opt/qradar/conf directory
  3. Open the /opt/qradar/conf/ip_context_menu.xml file for editing
  4. Edit the attributes in the menuEntry element
  5. Save and close the file
  6. To restart services, type the following command: service tomcat restart
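The attribute rules above (escaping of &, < and > in url values, the %IP% placeholder, requiredCapabilities for exec entries) and the edit-then-restart procedure are easy to get wrong by hand: an unescaped ampersand makes the file malformed, and an exec entry without requiredCapabilities lets any console user run that command on the QRadar Console. The following Python script is an added example, not IBM's or Satisnet's code: it builds the XML from plain Python values so that ElementTree does the escaping, and it lints an existing file for those problems before you restart Tomcat. The entry names, URLs and the sample configuration are constructed for the example; it assumes the menuEntry attributes are exactly the five described on this page and that %IP% is the only placeholder.

```python
"""Added example (not IBM's or Satisnet's code): build a QRadar
ip_context_menu.xml with correctly escaped attributes, then lint it.

Assumptions: the menuEntry attributes are exactly those described on the
page (name, description, url, exec, requiredCapabilities) and %IP% is the
only placeholder. All sample entries and URLs below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample entries; the ampersand in the URL is the case the
# page says must be written as &amp; in the XML file.
SAMPLE_ENTRIES = [
    {"name": "Traceroute", "exec": "/usr/sbin/traceroute %IP%",
     "requiredCapabilities": "ADMIN"},
    {"name": "Multi-parameter lookup",
     "description": "URL with two query parameters",
     "url": "http://lookup.example.invalid/q?src=qradar&ip=%IP%"},
]

# Constructed file with the mistakes the linter is meant to catch.
BAD_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<contextMenu>
  <menuEntry name="External ARIN Lookup" url="http://ws.arin.net/whois/?queryinput=%IP%" />
  <menuEntry name="External ARIN Lookup" url="http://ws.arin.net/whois/?queryinput=%IP%" />
  <menuEntry name="Static page" url="http://status.example.invalid/" />
  <menuEntry name="Ping" exec="ping -c 1 %IP%" />
</contextMenu>
"""

ATTRIBUTES = ("name", "description", "exec", "url", "requiredCapabilities")


def build_context_menu(entries):
    """Return the XML text for a list of menuEntry dicts.

    ElementTree escapes &, < and > in attribute values, so callers pass
    plain URLs and commands and never hand-write entities.
    """
    root = ET.Element("contextMenu")
    for entry in entries:
        attrs = {key: entry[key] for key in ATTRIBUTES if key in entry}
        ET.SubElement(root, "menuEntry", attrs)
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + ET.tostring(root, encoding="unicode") + "\n")


def lint_context_menu(xml_text):
    """Return (severity, entry name, message) findings for a config file.

    Checks: well-formedness (the usual symptom of an unescaped &),
    name/url/exec presence, duplicate names, the %IP% placeholder, and
    exec entries that are not restricted to ADMIN users.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("error", "", f"not well-formed XML (unescaped &, < or >?): {exc}")]
    findings = []
    if root.tag != "contextMenu":
        findings.append(("error", "", f"root element is <{root.tag}>, expected <contextMenu>"))
    seen = set()
    for entry in root.iter("menuEntry"):
        name = entry.get("name", "")
        url, command = entry.get("url"), entry.get("exec")
        if not name:
            findings.append(("error", name, "menuEntry has no name attribute"))
        elif name in seen:
            findings.append(("warning", name, "duplicate menu entry name"))
        seen.add(name)
        if not url and not command:
            findings.append(("error", name, "entry has neither url nor exec"))
        if url and command:
            findings.append(("warning", name, "entry has both url and exec"))
        if "%IP%" not in (url or "") + (command or ""):
            findings.append(("warning", name, "no %IP% placeholder; the selected IP is never used"))
        if command:
            # exec runs on the Console itself, so restrict who can see it.
            caps = {c.strip() for c in entry.get("requiredCapabilities", "").split(",")}
            if "ADMIN" not in caps:
                findings.append(("warning", name,
                                 'exec runs on the QRadar Console; add requiredCapabilities="ADMIN"'))
            if not command.startswith("/"):
                findings.append(("warning", name, "exec command should use an absolute path"))
    return findings


if __name__ == "__main__":
    print(build_context_menu(SAMPLE_ENTRIES))
    for severity, name, message in lint_context_menu(BAD_CONFIG):
        print(f"{severity}: {name}: {message}")
```

Run the linter against /opt/qradar/conf/ip_context_menu.xml before step 6; if it reports any error, Tomcat would load a broken menu file, and each warning names the entry to fix.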

Where can I find more information?

http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.8/com.ibm.qradar.d...
Related: http://www-01.ibm.com/support/docview.wss?uid=swg21718515