IBM Support

Manually uninstalling the analytics scoring workflow in QRadar

How To


Summary

If you used the Extensions Management tool to uninstall the IBM QRadar Network Threat Analytics app, follow these steps to manually clean up the remnant data and workflows.

Objective

IBM QRadar 7.4.2+ includes analytic scoring capabilities for flows based on the data models that are created and maintained by the QRadar Network Threat Analytics app.  Correct analytics scoring in the app depends on having up-to-date data models.
Always uninstall the QRadar Network Threat Analytics app from the Configuration window inside the app. Using this method, the data models and analytics scoring workflow are removed.
If you use the Extensions Management tool to uninstall the app, the uninstall process does not remove the data model or the analytic scoring workflow from QRadar.

QRadar continues to apply the analytics scoring workflow to each flow even when the app is not installed. Future installations of the app do not work correctly because stale data models prevent QRadar from calculating the analytics scores correctly. 

Steps

Follow these steps to remove the stale data models from the system and remove the analytics scoring workflow from QRadar.
  1. Download and extract the attached uninstallNBA1-v1.0.1.py script.
  2. Transfer the script to a system that has network access to the QRadar Console. The system must be capable of running Python.

    Alternatively, you can copy the script directly to the QRadar Console by using a utility such as scp.

  3. To run the script, type the following command, and use the IP address of the QRadar Console.

    python uninstallNBA1-v1.0.1.py <qradar.console.ip.address>

  4. When prompted, enter the administrative credentials for the QRadar Console.

After the script completes, the data models are removed and QRadar stops applying the analytics scoring workflow to incoming flows.
To re-enable the analytics scoring workflow in QRadar, reinstall the app. The app training process uses current flow records to re-create the data model that is used by QRadar.
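
Because the script prompts for administrative credentials, it is worth checking the downloaded archive against the SHA-1 checksum published on this page before extracting and running it. The following is an added example, not part of the IBM script or its attachment; the helper names and the destination directory are assumptions.

```python
import hashlib
import sys
import zipfile
from pathlib import Path

# SHA-1 published on this page for uninstallNBA1-v1.0.1.zip.
PUBLISHED_SHA1 = "0c17e27575d13fdbbb87def108ae160dd90344cc"
EXPECTED_SCRIPT = "uninstallNBA1-v1.0.1.py"


def sha1_of(path, chunk_size=1 << 20):
    """Return the hex SHA-1 of a file, read in chunks."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_and_extract(zip_path, dest_dir, expected_sha1=PUBLISHED_SHA1):
    """Extract the archive only if its SHA-1 matches; return the script path."""
    actual = sha1_of(zip_path)
    if actual != expected_sha1.strip().lower():
        raise ValueError(f"SHA-1 mismatch: got {actual}, expected {expected_sha1}")
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(zip_path) as archive:
        for name in archive.namelist():
            # Refuse entries that would be written outside dest_dir.
            target = (dest / name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe archive entry: {name!r}")
        archive.extractall(dest)
    matches = [p for p in dest.rglob(EXPECTED_SCRIPT) if p.is_file()]
    if not matches:
        raise FileNotFoundError(f"{EXPECTED_SCRIPT} not found in archive")
    return matches[0]


if __name__ == "__main__":
    # Assumed usage: python verify_download.py uninstallNBA1-v1.0.1.zip ./nta-cleanup
    script = verify_and_extract(sys.argv[1], sys.argv[2])
    print(f"Checksum OK, extracted {script}")
```

A mismatch stops before anything is extracted, so a corrupted or substituted download never reaches the step where credentials are entered.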

Document Location

Worldwide

uninstallNBA1-v1.0.1.zip - checksum: 0c17e27575d13fdbbb87def108ae160dd90344cc (sha1)


Document Information

Modified date:
28 June 2021

UID

ibm16437275