I hope I understood your question properly and that this will provide some hints...
Your default search / view is configurable - you can remove or add columns based on your preference (columns being your custom properties).
Also, if it is standard "normalized" search (not grouped), one of the columns can be the Payload.
The customized search/view can be saved (like any other search) to be used as the default one (double click on "Log activity" would always bring you back to that). Also, you can save the search for your quick re-use under Quick searches (which could be appropriate to have a different one for different situations and still have them there "handy").
Of course, you do not have to save it - go to Search > Edit search and add/remove the columns (fields=custom properties) as you need it.
BTW, the last part in your question suggests that you might not have the needed custom properties but the content in the log payload exists - so, you would need to extract it yourself (Open event > Extract property > use regex to extract the part you want) - and it could be available for your rules and for searches/reports as "a column" as well.
------------------------------
Dusan VIDOVIC
------------------------------
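The regex extraction suggested in the reply above can be tried offline before it is entered in the extraction dialog. This is an added example, not part of the original post and not IBM or Check Point code; the payloads, field names and property names are constructed assumptions and must be checked against a real payload from your log source.

```python
import re

# Constructed sample payloads in a key:"value"; style (an assumption, not a
# captured Check Point log). The second one has no user field.
SAMPLE_PAYLOADS = [
    '<134>May 12 07:10:02 gw01 CheckPoint: malware_action:"Malicious file download"; '
    'action:"Prevent"; src:"10.20.30.40"; src_user_name:"jdoe"; product:"Anti-Virus"',
    '<134>May 12 07:11:47 gw01 CheckPoint: action:"Detect"; src:"10.20.30.41"; '
    'product:"Anti-Virus"',
]

# Hypothetical property name -> (regex, capture group). QRadar evaluates Java
# regex; these patterns use only syntax that Java and Python share.
# \b keeps action: from matching inside malware_action:, and src: is anchored
# the same way so it cannot match a longer key that merely ends in "src".
PROPERTIES = {
    "AV Action": (r'\baction:"([^"]+)"', 1),
    "AV Source IP": (r'\bsrc:"(\d{1,3}(?:\.\d{1,3}){3})"', 1),
    "AV Username": (r'\bsrc_user_name:"([^"]+)"', 1),
}


def extract(payload, properties=PROPERTIES):
    """Return {property name: extracted value or None} for one payload."""
    row = {}
    for name, (pattern, group) in properties.items():
        match = re.search(pattern, payload)
        row[name] = match.group(group) if match else None
    return row


def coverage(payloads, properties=PROPERTIES):
    """Count, per property, how many payloads yielded a value."""
    rows = [extract(p, properties) for p in payloads]
    return {name: sum(r[name] is not None for r in rows) for name in properties}


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(extract(payload))
    # A property that matches fewer events than expected will leave the
    # search column empty and never satisfy a rule test that relies on it.
    print(coverage(SAMPLE_PAYLOADS))
```
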
Original Message:
Sent: Mon May 15, 2023 04:24 AM
From: Slavcho Andreevski
Subject: Checkpoint integration show "Unknown log event"
Anyone on this? I really need to solve this so I can get good notifications from the rules.
------------------------------
Slavcho Andreevski
Original Message:
Sent: Fri May 12, 2023 07:17 AM
From: Slavcho Andreevski
Subject: Checkpoint integration show "Unknown log event"
Hello friends,
I have to ask how I can improve SIEM QRadar to show good logs when I perform a search. I mean it shows the logs, but to see information I must open the log and see the payload. I would like to know how SIEM can be improved to show detailed information when a search is performed. Is there any way to show the logs like it shows from an Active Directory server? Or is there any way to show custom fields from the payload when a search is performed? Because I want some info like IP, username, and action that was performed by the AV to be shown in the QRadar logs so I can make rules to get notified.
Thank you
------------------------------
Slavcho Andreevski
------------------------------