Defining new applications

IBM® QRadar® shows the name of the flow application on the Network Activity and Offenses tabs. You can define new applications or change the name that is shown for existing applications.

About this task

When you specify an application, the <appid> number must be unique. For custom applications, assign numbers that are in the 15,000 - 20,000 range. Within each application, you can define up to five levels of categorization, but QRadar displays only the first three categories.

New in 7.4.3 You can use the new flow applications API to manage the mapping of application IDs to application names.

Always configure the applications in the staged configuration area, which can be accessed by using the following API endpoint:
  • staged_config/flow/applications/active_applications
After you update the application configuration in the staged configuration area, you must deploy the changes to propagate the updates to the system. After the changes are deployed, you can use the following endpoints to access the flow applications in the deployed configuration:
  • config/flow/applications/active_applications

    The active configuration shows the list of applications that are currently in use.

  • config/flow/applications/default_applications

    The default application list is read-only. Default applications are provided as a system backup in case the configuration for an active flow application is deleted or changed.

7.4.2 and earlier To manage the flow application mappings in earlier versions of QRadar, you must manually edit the apps.conf file. When you define new applications in the apps.conf file, use the following syntax:
<appname><appid>

For each application, you can define up to five levels of categorization, and each subcategory is separated by a number sign (#). If an application contains fewer than five categories, include a number sign in place of each missing subcategory.

For example, to add Authentication#Radius-1646####51343 as an application ID, insert the application ID as follows:
Authentication#Radius-1645####51342
Authentication#Radius-1646####51343 <- inserted application
Authentication#Radius-1812####51344
Authentication#Radius-1813####51345

Procedure

  1. To change the application mappings in QRadar 7.4.3, use the RESTful API.
    1. Access the interactive API documentation interface by entering the following URL in your web browser:
      https://ConsoleIPaddress/api_doc/
    2. Select API version 16, and go to the staged configuration endpoint:
      /api/staged_config/flow/applications/active_applications
    3. Complete the request parameters.
      For example, you might POST the following parameters:
      {
        "id": 15001,
        "level_one": "String",
        "level_two": "String",
        "level_three": "String",
        "level_four": "String",
        "level_five": "String"
      }
    4. Click Try it out to send the API request to your console and receive a properly formatted HTTPS response.
      Note: When you click Try it out, the action runs in the staging area on the QRadar system. Active applications that are in the staged configuration area are not yet deployed.
  2. To change application mappings in QRadar 7.4.2 and earlier, edit the apps.conf file.
    1. Using SSH, log in to QRadar as the root user.
    2. Edit the following file:

      /store/configservices/staging/globalconfig/apps.conf

    3. Insert the new applications, in alphabetical order.
    4. Save and exit the file.
  3. Log in to QRadar as an administrator.
  4. Click the Admin tab.
  5. On the toolbar, click Deploy Changes.
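The following helper, added here as an example and not part of IBM's QRadar code, builds and parses apps.conf lines in the five-level number-sign format described above, inserts a new custom application in alphabetical order while rejecting IDs outside the 15,000 - 20,000 range or already in use, and produces the equivalent request body for the 7.4.3 staged configuration endpoint. It assumes that missing category levels are sent to the API as empty strings; the sample apps.conf content is constructed.

```python
"""Helpers for QRadar flow application mappings (added example, not IBM's code)."""
from typing import Dict, List

# The page reserves 15,000 - 20,000 for custom application ids.
CUSTOM_ID_RANGE = range(15000, 20001)
LEVEL_KEYS = ["level_one", "level_two", "level_three", "level_four", "level_five"]


def format_app_line(levels: List[str], app_id: int) -> str:
    """Build an apps.conf line: five '#'-separated levels, blanks padded, then the id."""
    if not 1 <= len(levels) <= 5:
        raise ValueError("an application needs between 1 and 5 category levels")
    if any(not lvl or "#" in lvl for lvl in levels):
        raise ValueError("levels must be non-empty and must not contain '#'")
    padded = list(levels) + [""] * (5 - len(levels))
    return "#".join(padded) + "#" + str(app_id)


def parse_app_line(line: str) -> Dict[str, object]:
    """Split an apps.conf line back into its non-empty levels and integer id."""
    name, _, raw_id = line.strip().rpartition("#")
    levels = name.split("#")
    if len(levels) != 5 or not raw_id.isdigit():
        raise ValueError(f"malformed apps.conf line: {line!r}")
    return {"levels": [lvl for lvl in levels if lvl], "id": int(raw_id)}


def insert_application(lines: List[str], levels: List[str], app_id: int) -> List[str]:
    """Insert a custom application alphabetically, rejecting out-of-range or duplicate ids."""
    if app_id not in CUSTOM_ID_RANGE:
        raise ValueError(f"custom application ids must be 15000-20000, got {app_id}")
    if any(parse_app_line(l)["id"] == app_id for l in lines if l.strip()):
        raise ValueError(f"application id {app_id} is already defined")
    new_line = format_app_line(levels, app_id)
    result = list(lines)
    # Insert before the first existing line that sorts after the new one; existing order is kept.
    pos = next((i for i, l in enumerate(result) if l.strip().lower() > new_line.lower()), len(result))
    result.insert(pos, new_line)
    return result


def staged_api_body(levels: List[str], app_id: int) -> Dict[str, object]:
    """Request body for the 7.4.3 staged_config endpoint (assumes blank levels are sent as "")."""
    format_app_line(levels, app_id)  # reuse the same validation
    padded = list(levels) + [""] * (5 - len(levels))
    return {"id": app_id, **dict(zip(LEVEL_KEYS, padded))}


# Constructed sample in the page's layout, with ids chosen inside the custom range.
SAMPLE_CONF = ["Authentication#Radius-1645####15001", "Authentication#Radius-1812####15002"]

if __name__ == "__main__":
    print("\n".join(insert_application(SAMPLE_CONF, ["Authentication", "Radius-1646"], 15003)))
```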

What to do next

Update the application mapping and application signature files.