Customizing the right-click menu

To provide quick access to functions related to IP addresses, customize the Plugin options in the IP address right-click menu. For example, you can add more menu items, such as an option to lookup the IP address in a threat intelligence database.

About this task

The ip_context_menu.xml file controls the available options in the right-click menu and accepts menuEntry XML elements. To add more options, add a menuEntry element for each right-click option that you want to add. The syntax for the menuEntry element is: 
<menuEntry name="{Name}" description="{Description}" url="{URL}"
requiredCapabilities="{Required Capabilities}"/>
<menuEntry name="{Name}" description="{Description}" 
exec="{Command}" requiredCapabilities="{Required Capabilities}"/>
The following list describes the attributes in the menuEntry element:
Name
The text that is displayed in the right-click menu.
Description
The description of the entry. The description text is displayed in the tooltip for your menu option. The description is optional.
URL
Specifies the web address that opens in a new window.

You can use the placeholder %IP% to represent the IP address. The ampersand character (&), the left angle bracket (<), and the right angle bracket (>) must be escaped using the strings &amp;, &lt;, and &gt; respectively.

For example, to pass a URL with multiple parameters that includes a placeholder for the IP address, you can use this syntax: url="/lookup?&amp;ip=%IP%;force=true"

Command
A command that you want to run on the IBM®QRadar® Console. The output of the command is displayed in a new window. Use the placeholder, %IP%, to represent the IP address that is selected.
Required Capabilities
Any capabilities, for example, "ADMIN", that the user must have before they select this option, comma-delimited. If the user does not have all capabilities that are listed, the entries are not displayed. Required capabilities is an optional field. For more information about required capabilities, see the IBM QRadar Application Framework Developer Quick Start Guide.
The edited file must look similar to the following example: 
<?xml version="1.0" encoding="UTF-8"?>
<!- This is a configuration file to add custom actions into
the IP address right-click menu. Entries must be of one of the
following formats: -->
<contextMenu>
<menuEntry name="Traceroute" exec="/usr/sbin/traceroute %IP%" />
<menuEntry name="External ARIN Lookup"
url="http://ws.arin.net/whois/?queryinput=%IP%" />
</contextMenu>
Important: Calling shell scripts or programs from the right-click menu or any other web interface can introduce security vulnerabilities such as OS command injection or path traversal attacks. Consider more secure methods, such as implementing a QRadar app extension.

Procedure

  1. Using SSH, log in to the QRadar Console as the root user.
  2. On the QRadar Console, if the ip_context_menu.xml file does not exist under the /opt/qradar/conf directory, copy the ip_context_menu.xml file from the /opt/qradar/conf/templates directory to the /opt/qradar/conf directory.
  3. Open the /opt/qradar/conf/ip_context_menu.xml file for editing.
  4. Edit the file to add, modify, or remove menuEntry XML elements.
  5. Save and close the file.
  6. To apply these changes, restart the QRadar GUI by typing the following command:

    systemctl restart tomcat