IBM QRadar

  • 1.  Conditional Mapping Unknown Event ID in DSM

    Posted Wed June 15, 2022 10:04 AM
    Is there a way to do conditional mapping in a DSM? If I have event IDs coming in as Unknown because the payload does not have them in the header, am I able to create a condition from another field to map them? For instance, there is another field which shows logtype. So can I enter something that says if event id = unknown and logtype = URL, map to URL QID event?

    ------------------------------
    Gina Wesley
    ------------------------------


  • 2.  RE: Conditional Mapping Unknown Event ID in DSM

    Posted Mon July 25, 2022 11:24 AM

    Hope you have already found a way to do this.

    To answer your query, for mapping, Event ID and category are required to create a QID. So in this case, you can choose fields which are unique: let's say event category = the field which shows logtype, and event ID would be some other unique field.

    Once you parse, these fields will be used to create the QID.

    Hope this helps!



    ------------------------------
    Ashish Khandewale, Security Consultant
    SIOC
    IBM Canada
    ------------------------------
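To make the answer above concrete, here is an added example (not code from the thread, and not QRadar's own DSM Editor logic) that simulates what the suggested mapping does: extract the event id from the header when it is present, and otherwise fall back to the category from `logtype` plus another unique field as the event id, then look the (event id, category) pair up in a QID table. The payloads, field names (`eventid`, `logtype`, `action`) and QID numbers are all constructed placeholders; in QRadar you would express the same choice with the Event ID and Event Category properties in the DSM Editor.

```python
import re

# Constructed sample payloads (not from the original thread). The first carries
# an event id in its header; the other two do not, so a header-only mapping
# would leave them as "Unknown".
SAMPLE_PAYLOADS = [
    "<14>Jun 15 10:04:01 fw01 vendorlog: eventid=3001 logtype=URL action=blocked url=http://example.test/",
    "<14>Jun 15 10:04:02 fw01 vendorlog: logtype=URL action=blocked url=http://example.test/x",
    "<14>Jun 15 10:04:03 fw01 vendorlog: logtype=THREAT action=alert signature=test-sig",
]

# Hypothetical field layout: these regexes stand in for the DSM Editor's
# Event ID / Event Category capture expressions.
HEADER_EVENT_ID = re.compile(r"\beventid=(\d+)")
LOGTYPE = re.compile(r"\blogtype=(\w+)")
ACTION = re.compile(r"\baction=(\w+)")

# Placeholder QID map keyed on (event id, event category), mirroring the point
# in the answer that both values together select the QID.
QID_MAP = {
    ("3001", "URL"): 9000001,
    ("blocked", "URL"): 9000001,
    ("alert", "THREAT"): 9000002,
}


def extract_fields(payload):
    """Parse the header event id (may be absent), logtype and action."""
    def grab(rx):
        m = rx.search(payload)
        return m.group(1) if m else None

    return {
        "header_event_id": grab(HEADER_EVENT_ID),
        "logtype": grab(LOGTYPE),
        "action": grab(ACTION),
    }


def select_key(fields):
    """Choose the (event id, category) pair used for the QID lookup.

    If the header carried an event id, use it. Otherwise apply the
    conditional mapping from the answer: category = logtype, and event id =
    another unique field (here the constructed 'action' field).
    """
    category = fields["logtype"] or "Unknown"
    event_id = fields["header_event_id"] or fields["action"] or "Unknown"
    return (event_id, category)


def map_payload(payload):
    """Return the lookup key, the resolved QID (None if unmapped) and an Unknown flag."""
    key = select_key(extract_fields(payload))
    return {"key": key, "qid": QID_MAP.get(key), "unknown": key[0] == "Unknown"}


def map_all(payloads=SAMPLE_PAYLOADS):
    return [map_payload(p) for p in payloads]


if __name__ == "__main__":
    for result in map_all():
        print(result)
```

The second payload has no event id in its header, yet it still resolves to the URL QID because the category comes from `logtype` and the event id from the fallback field, which is exactly the conditional behaviour the original question asked for. Anything that matches neither expression still lands on `Unknown`, so it is worth keeping a search for unmapped keys after changing the DSM so regressions show up quickly.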