QRadar - Managing Reference Data
Prior to QRadar release 7.2.8, configuring and maintaining Reference Data was actioned in one of two ways.
Reference Sets had their own icon in the Admin -> System Configuration section. Clicking this icon opens a list of all Reference Sets defined on this system, both user-generated and system-generated. Many of the new QRadar Apps create and use Reference Sets as stores for transient data.
Reference Sets can be thought of as a single-column spreadsheet. Each element in the set must be of the same data type, for example, all names or all IP addresses.
The process of maintaining Reference Sets is very well known, as they have been available for several years. The more complex types of Reference Data are less well known, and in release 7.2.8 maintaining them became much, much easier.
Reference Data Types
There are four additional types of Reference Data: Maps; Map of Sets; Map of Maps and Tables.
The first Reference Data model, Maps, may be thought of as a two-column spreadsheet or a Key-Value pair. In this case the key may differ in type from the value, but, as with a Reference Set, all keys must be of the same data type, as must all the values.
Layout of a Map
The Map of Sets may be thought of as a multi-line spreadsheet with each line having a variable number of columns. The first column of each line contains a unique Key, followed by a variable number of columns containing values. The same restriction applies to a Map of Sets as to a Reference Set: all values must be of the same data type.
Layout of a Map of Sets
The Map of Maps is similar to the Map of Sets in that it is a multi-line, multi-column data store. In this case the first column is used for the unique key, followed by a variable number of two-column pairs, each pair being a Key and a Value.
Layout of a Map of Maps
A Reference Data Table is the most complex and perhaps the most difficult to fully understand. Simplistically, it performs as a rudimentary database where each record revolves around a single key. For example, the key could be the username and the data could be all the work elements surrounding that user: PC hostname, PC model, location, department, etc. The process is to create a primary key (-key1Label), then define the key types (-keyType), and then supply the value for each key type for each user.
The following schematic view shows the layout of this Table.
Layout of a simple table
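As an added illustration (not the page's own code, nor IBM's), the following Python models the four layouts above as in-memory stores and enforces the rule that all keys share one element type and all values share another. The element-type names ALN, NUM, IP and PORT follow QRadar's naming; the validators, the class names and the assumption that inner keys of a Map of Maps share the outer key's type are mine.

```python
from ipaddress import ip_address

def _port(s):
    n = int(s)
    if not 0 <= n <= 65535:
        raise ValueError(f"not a port: {s}")
    return n

# Element-type names follow QRadar's; the validators here are an assumption.
ELEMENT_TYPES = {"ALN": str, "NUM": float, "IP": ip_address, "PORT": _port}

def check(element_type, value):
    """Return value unchanged if it parses as element_type, else raise ValueError."""
    ELEMENT_TYPES[element_type](value)
    return value

def accepts(element_type, value):
    """True if value is a valid element of element_type."""
    try:
        check(element_type, value)
        return True
    except ValueError:
        return False

class ReferenceMap:
    """Map: two-column Key -> Value store; key and value types may differ."""
    def __init__(self, key_type, value_type):
        self.key_type, self.value_type, self.data = key_type, value_type, {}
    def put(self, key, value):
        self.data[check(self.key_type, key)] = check(self.value_type, value)

class ReferenceMapOfSets(ReferenceMap):
    """Map of Sets: Key -> set of values, all values of one type."""
    def put(self, key, value):
        self.data.setdefault(check(self.key_type, key), set()).add(
            check(self.value_type, value))

class ReferenceMapOfMaps(ReferenceMap):
    """Map of Maps: Key -> {inner key: value}; inner keys share key_type (assumed)."""
    def put(self, key, inner_key, value):
        self.data.setdefault(check(self.key_type, key), {})[
            check(self.key_type, inner_key)] = check(self.value_type, value)

class ReferenceTable:
    """Table: rows keyed by -key1Label; each -keyType has its own element type."""
    def __init__(self, key1_label, key_types):
        self.key1_label, self.key_types, self.rows = key1_label, key_types, {}
    def put(self, key1, inner_key, value):
        self.rows.setdefault(key1, {})[inner_key] = check(
            self.key_types[inner_key], value)
```

A put() with a value of the wrong type raises ValueError, which is the same constraint the ReferenceDataUtil.sh tooling enforces when loading data.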
There is now an App that provides a list of all the Reference Data entities in the QRadar system and the capability to maintain them without resorting to the Command Line Interface. The App is called Reference Data Management and is available on IBM’s X-Force Exchange. After installing the App, an icon is displayed under the Plug-ins heading in the left-hand-side menu. Clicking this icon brings up the list of all Reference Data; within this list, double-clicking on an entry brings up a schematic of the file, and from this panel entries may be added, uploaded, downloaded or deleted.