IBM QRadar

Hello

I have event logs coming in from VersaAnalytics that are in the form of the following:

2020-07-14T21:38:42+0000 flowIdLog, applianceName=USWOOD001-1-v120-2, tenantName=bio-rad, flowId=1107943560, flowCookie=1594774332, sourceIPv4Address=10.17.37.232, destinationIPv4Address=216.58.194.202, sourcePort=49312, destinationPort=443, tenantId=2, vsnId=0, applianceId=1, ingressInterfaceName=vni-0/3.101, egressInterfaceName=tvi-0/10.0, fromCountry=, toCountry=United States, protocolIdentifier=17, fromZone=ZEN-INET2-xConnect-Zone, fromUser=Unknown, toZone=ZEN1-INET2-ZONE, icmpTypeIPv4=0

Using the DSM editor I can create a new log source for these events and begin to create system overrides for SourceIP, SrcPort, DestinationIP, and DstPort. This part is straight forward and within the DSM editor the data is properly parsed.

I save the edits and close the DSM editor screen. The new log source has been created and the log source extensions for overrides have been applied as well.

Starting a new search and selecting the newly created log source however show no changes. The events still contain the upstream address in the both the source and destination IP fields of the sending server as if the overrides have not been applied or are being ignored.

This is for a 7.3.3 (Build 20191031163225) build all in one siem.

Regards

Tim W

I have a similar issue, I make DSM changes, Event Mappings, and rule changes and they do not apply unless I preform a "Deploy Full Configuration".

I have reported this to support and they have escalated to Dev.

Same issue here for Linux OS. Username is correct in the DSM but events still show the wrong data for Username. Deploy Full Configuration did not correct this for me