Hi All,
We have a 7.5.0UP4 deployment with Cisco Firepower Threat Detection log sources that are using the latest DSM (7.5.0-QRADAR-DSM-CiscoFirepowerThreatDefense-7.5-20230613074225.noarch.rpm).
Unfortunately, these are not mapping some snort events such as 129:15, 119:32, 119:201, 119:206.
To fix, we have added new QIDs using the DSM editor and event payloads are now showing as "parsed and mapped", with expected event name, category and QID.
The new QIDs were also mapped to events via Log Activity > Map Event, as described in Part 2 of the following guide: https://www.ibm.com/support/pages/qradar-events-mapped-dsm-editor-displays-status-unknown-log-activity.
However, new events continue to feed in as 'unknown snort event' and are categorised as unknown.
Does anyone in the community have any suggestions on how best to troubleshoot or fix this?
Kind regards,
K.
------------------------------
Karl K
------------------------------
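When events keep arriving as "unknown snort event" after a QID has been created, a useful first check is whether the event-ID key that the DSM extracts from the payload is exactly the key the QID was mapped to, because a QID lookup is an exact string match on that key. The script below is an added example, not code from the original post or from IBM or Cisco: it parses a few constructed Firepower-style intrusion lines (the message format and rule names are invented for illustration and the regexes must be adapted to the real payloads seen in Log Activity), extracts the Snort `gid:sid` pair, and reports which IDs fall through a hypothetical mapping table (`QID_MAP`, keyed by `gid:sid`, standing in for the QIDs built in the DSM editor).

```python
import re
from collections import Counter

# Constructed sample lines (not real Firepower captures) in two shapes:
# a bracketed gid:sid:rev triple and a key=value form. The last line is a
# connection event with no Snort ID at all.
SAMPLE_LINES = [
    'Jun 13 08:00:01 ftd01 IntrusionEvent [129:15:1] msg="rule A" src=10.0.0.5',
    'Jun 13 08:00:02 ftd01 IntrusionEvent [119:32:2] msg="rule B" src=10.0.0.6',
    'Jun 13 08:00:03 ftd01 IntrusionEvent gid=119 sid=201 rev=1 msg="rule C" src=10.0.0.7',
    'Jun 13 08:00:04 ftd01 IntrusionEvent [1:2100498:7] msg="rule D" src=10.0.0.8',
    'Jun 13 08:00:05 ftd01 ConnectionEvent src=10.0.0.9 dst=192.0.2.1',
]

# Hypothetical mapping table keyed by "gid:sid"; it contains only the four
# IDs named in the post, with placeholder event names.
QID_MAP = {
    "129:15": "Custom QID for 129:15",
    "119:32": "Custom QID for 119:32",
    "119:201": "Custom QID for 119:201",
    "119:206": "Custom QID for 119:206",
}

# Patterns for the two constructed payload shapes; capture groups are
# (gid, sid). The revision number is deliberately dropped from the key.
ID_PATTERNS = [
    re.compile(r"\[(\d+):(\d+):\d+\]"),      # [gid:sid:rev]
    re.compile(r"\bgid=(\d+)\s+sid=(\d+)"),  # gid=N sid=N
]


def extract_snort_id(line):
    """Return the 'gid:sid' key for an intrusion line, or None if absent."""
    for pattern in ID_PATTERNS:
        match = pattern.search(line)
        if match:
            return f"{match.group(1)}:{match.group(2)}"
    return None


def classify(lines, qid_map):
    """Tally lines as mapped, unmapped (ID found but no QID) or carrying no ID."""
    result = {"mapped": Counter(), "unmapped": Counter(), "no_id": 0}
    for line in lines:
        key = extract_snort_id(line)
        if key is None:
            result["no_id"] += 1
        elif key in qid_map:
            result["mapped"][key] += 1
        else:
            result["unmapped"][key] += 1
    return result


def unmapped_ids(lines, qid_map):
    """Sorted list of gid:sid keys seen in the sample that have no QID."""
    return sorted(classify(lines, qid_map)["unmapped"])


if __name__ == "__main__":
    report = classify(SAMPLE_LINES, QID_MAP)
    for key, count in sorted(report["mapped"].items()):
        print(f"mapped   {key:>12}  x{count}  -> {QID_MAP[key]}")
    for key, count in sorted(report["unmapped"].items()):
        print(f"UNMAPPED {key:>12}  x{count}  (needs a QID / Map Event entry)")
    print(f"lines without a Snort ID: {report['no_id']}")
```

Run against an export of the raw payloads from Log Activity, the `unmapped` list is the set of keys that still need a QID; if an ID you have already mapped shows up there, the key form the script extracts (and, by analogy, the one the DSM extracts) differs from the one the QID was created for, which is the mismatch to look for in the DSM editor's event-ID property.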