IBM Xforce Exchange Qradar Incident App Overview

What is Xforce Exchange app ?

Here are some links explaining exactly it , 

We will be focusing on Qradar  Incident Overview App ,

Incident Overview App allows an easy way to visualize offense which are live on Qradar SIEM .

Each offense is show as a bubble , offense with mutual Indicators will be connected with a blue line to show us we have same Indicators like Source IP .

To understand more i have written a simple 6 steps guide for this APP.

 Step 1: Downloading the  Incident Overview app

Enter XForce Exchange site – exchange.xforce.ibmcloud.com

Just click on the menu icon on the left side of the bar and choose App Exchange tab .

Than click on All Application and choose  Incident Overview.

Download  Incident Overview using your IBM ID .



Step 2 : Downloading MaxMind “City” database 


Please download GeoLite2 City DB format and not CSV.

Step 3 : Upload Incident Overview Extension to Qradar 

Entering qradar machine and choosing admin tab , 
Enter Extension Management and upload the Incident Overview App which we download on step 1.


 Make Sure you installed the extension with success status , it should like below.


Step 4: Authoriztion Token 

Entering qradar machine and choosing admin tab ,
Enter Authorized Services and create a new token for API access.

Add Authorized Service , Name it and use no Expiry .
After creating \ saving the service , copy the authentication token . (Save it for later)

Step 5 : Incident Overview tab 

Enter Offense tab , and press on the Incident Overview button. 

Once opened on the new windows click on right corner (Configuration )

Choose Polling tab , enter the API Token we created on step 4 and click on save.

Next , enter GeoIP Lookup Tab , click on browse and upload the GeoIP city database we download before on step 2,

After successfully uploading Geo City database.

Update needed fildes like time zone , country and etc . 
Time zone value can be GMT for example , finish editing and click save.

Now we are done and can wait for the the APP to pull offenses data.


Step 6 : Using Incident Overview App

IBM knowledge center link 
You must have QRadar administrator privileges to access and use the Incident Overview app

Each bubble in the Recent Incidents bubble graph represents an offense , the blue line shows a connection between two offenses like username ,ip and etc.
Once an offense is clicked a new tab is opened and extra data shows.
As the screen below shows we can see extra data on the involved IP dst and src.
clicking on the blue dot , enables entering the ips directly to Xforce Exchange.

I urge you to play with the offense App.

As always feel free to ask any question here or by mail gregorin[@]qmasters.co.

About qmasters

QMasters was founded in 2015 to help Israeli governmental, military, niche security, and municipality offices protect themselves from cyber-attacks. As the cyber security threats grow year after year, so does our list of customers. We are a team of 30+ security experts committed to solving security challenges with the right combination of strategies and technologies.

you might also like:

ClearPass Vulnerability Alert

Aruba has informed us about a new security advisory for...

VIDEO: Carbon Black Webinar - Investigating an Incident

This video link has expired. Please contact Michelle at michelled@qmasters.co...

1 2 3 6

Join our newsletter!


linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram