QRadar comes with several hundred reports built-in by default. Many of the built-in reports will work as expected the first time they are run. Others may produce an output that needs to be adjusted slightly to filter out unnecessary data. Administrators may need to tune these reports to fit their specific environment. For example, you may run a report on user logins to a server with compliance requirements and find the report includes the valid data that is of interest as well as several service accounts that are known and should be excluded from the report output. The report will need to be adjusted to remove the service accounts so only valid data is output.
QRadar uses saved search output as the basis for creating report charts and tables. When configuring new reports the administrator will use the report configuration menu to select previously saved searches to include as a chart or graph in the report. When updating an existing report, the previously used search should be used as a template. By opening the previously created template, the update will take less time and ensure predictable results. Read more