IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  How to Extract Fields from Payload for Internal Logsources (SIM Audit)

    Posted 10 hours ago

    Hello All,

    I am trying to extract a few properties from events reported under SIM Audit. However, when opening the DSM Editor, there is no option to select SIM Audit as a log source type.

    Is there an alternative way to extract properties from internal log sources such as SIM Audit?

    Thanks.



    -------------------------------------------


  • 2.  RE: How to Extract Fields from Payload for Internal Logsources (SIM Audit)

    Posted 4 hours ago

    I was also trying to do this because some things are improperly parsed by the default property extraction. Unfortunately, none of my attempts were successful. There's probably some hacky way to do it, but such a method of course would be unsupported and likely breaches some legal agreement.

    The way I "got around" the problem was to perform Ariel searches using the API via python script for each QID I cared about, parse them manually (again in python), and output results in a custom internal dashboard. You could probably request that IBM improve the property extraction for SIM Audit, but I wouldn't put much stock in them actually doing anything about it (think about how the DSM editor still does not have a resizable window).



    ------------------------------
    Olivia Mativi
    ------------------------------
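The workflow Olivia describes (an Ariel search per QID over the REST API, manual parsing in Python, results fed to a dashboard) as an added example; this is not code from the original post, from IBM, or from the poster. The endpoints and headers used (`POST /api/ariel/searches` with `query_expression`, `GET /api/ariel/searches/{id}` for status, `GET /api/ariel/searches/{id}/results`, the `SEC` and `Version` headers) are the documented QRadar Ariel API. The console hostname, token, API version, the placeholder QID, and the `key=value` payload layout that the regex parses are assumptions for illustration; a real SIM Audit payload will need its own regex, which is exactly the field-by-field choice a CEP would make.

```python
"""Poll an Ariel (AQL) search for one QID and extract fields from the raw payload.

Added example (not IBM's or the poster's code). The HTTP layer is injectable so
the search/poll/parse logic can be exercised offline with a fake client.
"""
import json
import re
import time
import urllib.parse
import urllib.request

CONSOLE = "https://qradar-console.example.invalid"  # assumed placeholder host
TOKEN = "REPLACE_WITH_AUTHORIZED_SERVICE_TOKEN"      # placeholder; use a least-privilege token
API_VERSION = "20.0"                                 # assumed; match your console's API version
QID_PLACEHOLDER = 28250000                           # assumed; read the real QID from the event details

# Constructed payload layout for this example: space-separated key=value pairs,
# values optionally double-quoted. Real SIM Audit payloads need their own pattern.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def build_query(qid, minutes=60, limit=1000):
    """Return the AQL for one QID. int() casts keep untrusted input out of the query text."""
    return (
        "SELECT starttime, UTF8(payload) AS payload FROM events "
        f"WHERE qid = {int(qid)} LIMIT {int(limit)} LAST {int(minutes)} MINUTES"
    )


def _urllib_request(method, path, params=None):
    """Minimal JSON client for the Ariel API (stdlib only)."""
    url = CONSOLE + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(
        url, method=method,
        headers={"SEC": TOKEN, "Version": API_VERSION, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_search(qid, http=_urllib_request, minutes=60, poll_seconds=2.0, max_polls=150):
    """Create the search, poll until COMPLETED, return the list of event rows."""
    created = http("POST", "/api/ariel/searches",
                   {"query_expression": build_query(qid, minutes)})
    search_id = created["search_id"]
    for _ in range(max_polls):
        status = http("GET", f"/api/ariel/searches/{search_id}")["status"]
        if status == "COMPLETED":
            break
        if status in ("CANCELED", "ERROR"):
            raise RuntimeError(f"search {search_id} ended with status {status}")
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"search {search_id} did not complete in time")
    return http("GET", f"/api/ariel/searches/{search_id}/results")["events"]


def parse_payload(payload):
    """Extract key=value fields from one payload into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(payload)}


def summarize(events, field):
    """Count occurrences of one extracted field across the result set (dashboard input)."""
    counts = {}
    for event in events:
        value = parse_payload(event.get("payload", "")).get(field)
        if value is not None:
            counts[value] = counts.get(value, 0) + 1
    return counts


if __name__ == "__main__":
    rows = run_search(QID_PLACEHOLDER, minutes=60)
    print(json.dumps(summarize(rows, "user"), indent=2))
```

Running it as a script hits the console named in `CONSOLE`; for anything beyond a one-off, store the token outside the source file and scope it to a read-only Ariel role.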



  • 3.  RE: How to Extract Fields from Payload for Internal Logsources (SIM Audit)

    Posted 2 hours ago

    It is possible to create Custom Properties for any log source, including internal ones like SIM Audit.
    https://www.ibm.com/docs/en/qradar-on-cloud?topic=editor-creating-custom-property

    Yes, modifying the parsing behavior of system internal log sources is not supported via the DSM Editor. However, extracting properties is certainly supported, i.e., just open a SIM Audit event in the event viewer and click Extract Property, which will open the CEP definition screen.



    ------------------------------
    Perf1
    ------------------------------