IBM X-Force Exchange QRadar Incident App Overview

What is the X-Force Exchange app?

Here are some links that explain exactly that:

We will be focusing on the QRadar Incident Overview app.

The Incident Overview app provides an easy way to visualize the offenses that are live on the QRadar SIEM.

Each offense is shown as a bubble. Offenses with mutual indicators are connected by a blue line, which shows that they share the same indicator, such as a source IP.

To help you understand it better, I have written a simple 6-step guide for this app.

Step 1: Downloading the Incident Overview app

Go to the X-Force Exchange site –

Click on the menu icon on the left side of the bar and choose the App Exchange tab.

Then click on All Application and choose Incident Overview.

Download Incident Overview using your IBM ID.



Step 2: Downloading the MaxMind “City” database

Please download GeoLite2 City in the DB format, not CSV.

Step 3: Upload the Incident Overview extension to QRadar

Log in to the QRadar machine and choose the Admin tab.
Open Extension Management and upload the Incident Overview app that we downloaded in step 1.


Make sure the extension was installed with a success status; it should look like below.


Step 4: Authorization Token

Log in to the QRadar machine and choose the Admin tab.
Open Authorized Services and create a new token for API access.

Add an Authorized Service, name it and use no Expiry.
After creating and saving the service, copy the authentication token (save it for later).

Step 5: Incident Overview tab

Open the Offense tab and press the Incident Overview button.

Once it opens in a new window, click on the right corner (Configuration).

Choose the Polling tab, enter the API token we created in step 4 and click Save.

Next, open the GeoIP Lookup tab, click Browse and upload the GeoIP City database we downloaded in step 2.

After the Geo City database has uploaded successfully, update the required fields such as time zone, country, etc.
The time zone value can be GMT, for example. Finish editing and click Save.

Now we are done and can wait for the app to pull the offense data.


Step 6: Using the Incident Overview app

IBM Knowledge Center link
You must have QRadar administrator privileges to access and use the Incident Overview app.

Each bubble in the Recent Incidents bubble graph represents an offense. A blue line shows a connection between two offenses, such as a shared username, IP, etc.
Once an offense is clicked, a new tab opens and shows extra data.
As the screen below shows, we can see extra data on the destination and source IPs involved.
Clicking on the blue dot lets you look up the IPs directly in X-Force Exchange.
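To make the blue-line idea concrete, here is an added example (not code from the app or from IBM) that links offenses which share an indicator, the same relationship the bubble graph draws. The offense records are constructed samples and their field names are hypothetical, not the QRadar API schema.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample offenses. Field names are hypothetical (an assumption
# made for this example), not the schema returned by QRadar.
SAMPLE_OFFENSES = [
    {"id": 101, "source_ips": ["10.0.0.5"], "dest_ips": ["192.0.2.10"], "usernames": ["alice"]},
    {"id": 102, "source_ips": ["10.0.0.5", "10.0.0.9"], "dest_ips": ["192.0.2.44"], "usernames": []},
    {"id": 103, "source_ips": ["10.0.0.77"], "dest_ips": ["192.0.2.10"], "usernames": ["Alice"]},
    {"id": 104, "source_ips": ["10.0.0.200"], "dest_ips": ["198.51.100.7"], "usernames": ["bob"]},
]

INDICATOR_FIELDS = ("source_ips", "dest_ips", "usernames")


def link_offenses(offenses):
    """Return {(id_a, id_b): sorted [(field, value), ...]} for offenses sharing indicators."""
    seen = defaultdict(set)  # (field, normalized value) -> ids of offenses that contain it
    for off in offenses:
        for field in INDICATOR_FIELDS:
            for value in off.get(field, []):
                norm = value.strip().lower()  # "Alice" and "alice" are the same user
                if norm:
                    seen[(field, norm)].add(off["id"])
    links = defaultdict(set)
    for indicator, ids in seen.items():
        # Every pair of offenses holding this indicator gets one "blue line".
        for a, b in combinations(sorted(ids), 2):
            links[(a, b)].add(indicator)
    return {pair: sorted(inds) for pair, inds in links.items()}


def isolated(offenses, links):
    """Offense ids that share no indicator with any other offense."""
    linked = {oid for pair in links for oid in pair}
    return sorted(o["id"] for o in offenses if o["id"] not in linked)


if __name__ == "__main__":
    links = link_offenses(SAMPLE_OFFENSES)
    for (a, b), inds in sorted(links.items()):
        print(f"offense {a} <-> offense {b}: {inds}")
    print("no shared indicators:", isolated(SAMPLE_OFFENSES, links))
```

Offenses that end up linked by several indicators at once (here 101 and 103) are usually the first ones worth triaging together.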

I urge you to play with the offense App.

As always, feel free to ask any questions here or by mail gregorin[@]

