Hope you have already found a way to do this.
To answer your query: for mapping, Event ID and category are required to create a QID. So in this case, you can choose fields which are unique; let's say event category = the field which shows logtype, and event ID would be some other unique field.
Once you parse, these fields will be used to create the QID.
Hope this helps!
------------------------------
Ashish Khandewale
Security Consultant
SIOC
IBM Canada
------------------------------
Original Message:
Sent: Wed June 15, 2022 09:51 AM
From: Gina Wesley
Subject: Conditional Mapping Unknown Event ID in DSM
Is there a way to do conditional mapping in a DSM? If I have event IDs coming in as Unknown because the payload does not have it in the header, am I able to create a condition from another field to map them? For instance, there is another field which shows logtype. So can I enter something that says if event id = unknown and logtype = URL, map to URL QID event?
------------------------------
Gina Wesley
------------------------------