IBM QRadar


DSM - CEF issue with escaped backslashes

  • 1.  DSM - CEF issue with escaped backslashes

    Posted Thu July 28, 2022 03:29 PM

    Hi,

    We recently discovered that some event properties of a log source were N/A although the payload contained the relevant data and the DSM editor showed that it would extract them. The DSM was built for a CEF-sending log source, using the CEF expression type.

    We found the following:

    * The issue only popped up with payload values containing escaped backslashes.

    * The DSM editor showed the extracted CEF value, but unescaped the backslashes when presenting it.

    * The fix for us was to use the Regex expression type instead.

    Anyone else seeing this or did we miss a DSM update? Currently running QRadar 7.50 UpdatePackage 2 + IF01.



    #QRadar
    #Support
    #SupportMigration
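The escaping rules that make the two expression types disagree, shown as an added example that is not part of either post and is not QRadar's DSM Editor code. A CEF-aware extractor applies the CEF unescaping rules (`\\` to `\`, `\=` to `=`, `\|` to `|` in the header), while a regex over the raw payload returns the value exactly as it was sent, backslashes doubled. The payload, vendor, product and key names below are constructed for the example.

```python
# Added example: minimal CEF parser that applies the CEF escaping rules and
# shows raw (as on the wire) versus unescaped extension values.
# Not QRadar's DSM Editor implementation; sample payload is constructed.
import re
from typing import Dict, List, Tuple

# Constructed sample event.  On the wire every literal backslash in a CEF
# value is sent as "\\" and every "=" as "\="; a "|" inside a header field
# is sent as "\|".  (Python source doubles each backslash once more.)
SAMPLE = (
    "CEF:0|Acme|Gate\\|way|1.0|100|File blocked|5|"
    "filePath=C:\\\\Users\\\\bob\\\\evil.exe msg=hash\\=abc act=blocked"
)

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def unescape(value: str) -> str:
    # CEF unescaping: "\\" -> "\", "\=" -> "=", "\|" -> "|", "\n"/"\r" -> newline/CR.
    out: List[str] = []
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):
            n = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(n, n))
            i += 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


def escape(value: str) -> str:
    # Inverse of unescape() for extension values: backslash first, then "=".
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def split_header(payload: str) -> Tuple[Dict[str, str], str]:
    """Split the seven header fields on unescaped '|'; return (header, extension)."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(payload) and len(fields) < 7:
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):   # keep the escape pair for unescape()
            buf.append(payload[i:i + 2])
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF payload")
    header = dict(zip(HEADER_FIELDS, (unescape(f) for f in fields)))
    header["version"] = header["version"][len("CEF:"):]
    return header, payload[i:]


def parse_extension(ext: str) -> Dict[str, Tuple[str, str]]:
    """Return key -> (raw value as sent, unescaped value).

    A pair boundary is an unescaped '=' preceded by a run of non-space
    characters (the key); '\\=' inside a value is not a boundary."""
    eq_positions: List[int] = []
    i = 0
    while i < len(ext):
        if ext[i] == "\\":          # skip escape pair, so "\=" is not a boundary
            i += 2
            continue
        if ext[i] == "=":
            eq_positions.append(i)
        i += 1
    bounds: List[Tuple[int, int]] = []
    for pos in eq_positions:
        k = pos
        while k > 0 and not ext[k - 1].isspace():
            k -= 1
        bounds.append((k, pos))
    result: Dict[str, Tuple[str, str]] = {}
    for idx, (kstart, eqpos) in enumerate(bounds):
        vend = bounds[idx + 1][0] if idx + 1 < len(bounds) else len(ext)
        raw = ext[eqpos + 1:vend].rstrip(" ")   # drop the single separator space
        result[ext[kstart:eqpos]] = (raw, unescape(raw))
    return result


def naive_regex_value(payload: str, key: str) -> str:
    # What a plain "key=(\S+)" capture over the raw payload yields: no unescaping.
    m = re.search(re.escape(key) + r"=(\S+)", payload)
    return m.group(1) if m else ""


if __name__ == "__main__":
    header, ext = split_header(SAMPLE)
    for key, (raw, clean) in parse_extension(ext).items():
        print(f"{key}: raw={raw!r} unescaped={clean!r}")
```

Run it and compare the `filePath` lines: the raw capture keeps the doubled backslashes the sender emitted, the unescaped value is the real path. Whichever form a property is expected to carry, the extraction has to be consistent with what the rules and searches downstream match against.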


  • 2.  RE: DSM - CEF issue with escaped backslashes

    Posted Fri July 29, 2022 06:29 PM

    I think you should get a case opened for this issue. We've seen this specific problem on custom properties created in the DSM Editor in the past for JSON events. This was addressed in 7.5.0 in APAR IJ16423.

    However, I cannot find anything logged that is specific to backslashes in CEF payloads. This change is likely required in the DSM Editor itself. When users reported that backslash characters in JSON were not parsing as expected, the change was added in the DSM Editor code, not the DSM itself.

    I would open a case with support so we can review this issue and confirm if it needs to be logged for development.


