IBM QRadar

  • 1.  Parsing multiple values with the same key name

    Posted Sun May 04, 2025 03:36 AM

    Hi,

    Is there a way to parse multiple values if the key always has the same name?

    For example, from the Check Point Content Awareness log, where there are multiple fname= keys.

    I am able to create a custom property with a regex which parses all of these in one go, but I would like to have them separated so QRadar can work with each of them separately.

    LOG:

    LEEF:2.0|Check Point|Content Awareness|1.0|Accept|devTime=2589654136  proto=HTTP      usrName=John Doe (jdoe)   cat=Content Awareness   fname=concrt140_app.dll      fname=msvcp140_1_app.dll     fname=msvcp140_2_app.dll     fname=msvcp140_app.dll      fname=msvcp140_atomic_wait_app.dll fname=msvcp140_codecvt_ids_app.dll      fname=vcamp140_app.dll  fname=vccorlib140_app.dll    fname=vcomp140_app.dll      fname=vcruntime140_app.dll   file_type=Executable 

    Regards

    T



    ------------------------------
    tysa
    ------------------------------
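The following is an added example, not code from the post or from IBM/QRadar, showing one way to deal with a repeated key like fname= when each occurrence is wanted as its own value. It parses the LEEF 2.0 line from the question (embedded here as a constructed sample) into a key-to-list map so no repeated value is lost, and it derives one regex per occurrence of the kind a regex-based custom property can use: each pattern skips n earlier fname= pairs and captures the next in group 1, so the first match of pattern n yields the n-th file name. The property names fname_1, fname_2, ... are a hypothetical labelling, and the patterns assume the repeated values contain no whitespace (true for these file names, not for every LEEF key).

```python
"""Parse a LEEF event whose extension repeats a key (fname=) and derive
one regex per occurrence so each value can become a separate property."""
import re
from typing import Optional

# Constructed sample, copied from the question: a Check Point Content
# Awareness event with ten fname= keys. Fields are separated by runs of
# spaces, and some values (usrName, cat) themselves contain spaces.
SAMPLE_EVENT = (
    "LEEF:2.0|Check Point|Content Awareness|1.0|Accept|"
    "devTime=2589654136  proto=HTTP      usrName=John Doe (jdoe)   "
    "cat=Content Awareness   fname=concrt140_app.dll      "
    "fname=msvcp140_1_app.dll     fname=msvcp140_2_app.dll     "
    "fname=msvcp140_app.dll      fname=msvcp140_atomic_wait_app.dll "
    "fname=msvcp140_codecvt_ids_app.dll      fname=vcamp140_app.dll  "
    "fname=vccorlib140_app.dll    fname=vcomp140_app.dll      "
    "fname=vcruntime140_app.dll   file_type=Executable "
)

# key=value pairs in the extension: the value runs (lazily) until the next
# "<whitespace><key>=" or the end of the line, so a value with embedded
# spaces such as "John Doe (jdoe)" survives intact.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_leef(event: str) -> tuple[dict, dict]:
    """Split a LEEF:2.0 line into its header and a key -> [values] map.

    Every key maps to a list, so a repeated key keeps all of its values in
    order of appearance instead of the last one silently overwriting the rest.
    """
    parts = event.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF event with a 5-field header")
    header = dict(zip(
        ("version", "vendor", "product", "product_version", "event_id"),
        parts[:5],
    ))
    header["version"] = header["version"].split(":", 1)[1]
    # This event carries no optional delimiter field, so everything after
    # the last header pipe is the whitespace-separated extension.
    fields: dict[str, list[str]] = {}
    for m in _KV_RE.finditer(parts[5]):
        fields.setdefault(m.group(1), []).append(m.group(2).strip())
    return header, fields


def nth_occurrence_pattern(key: str, n: int) -> str:
    """Regex that captures the n-th (0-based) value of a repeated key.

    Skips n earlier "key=value" pairs, then captures the next value in
    group 1. Uses only syntax shared by Python and Java regexes. Assumes
    the repeated values contain no whitespace (true for file names here).
    """
    k = re.escape(key)
    return rf"(?:\b{k}=\S+\s+){{{n}}}\b{k}=(\S+)"


def extract_nth(event: str, key: str, n: int) -> Optional[str]:
    """First match, group 1: the way a regex property picks one value.

    Returns None when the event has fewer than n+1 values for the key,
    which is what an unmatched custom property would show (empty)."""
    m = re.search(nth_occurrence_pattern(key, n), event)
    return m.group(1) if m else None


def property_patterns(event: str, key: str) -> dict[str, str]:
    """One (hypothetical property name, regex) pair per occurrence found
    in the event, named key_1 .. key_N so each can be defined separately."""
    _, fields = parse_leef(event)
    count = len(fields.get(key, []))
    return {f"{key}_{i + 1}": nth_occurrence_pattern(key, i)
            for i in range(count)}


if __name__ == "__main__":
    header, fields = parse_leef(SAMPLE_EVENT)
    print(header["vendor"], header["product"], header["event_id"])
    for name, pattern in property_patterns(SAMPLE_EVENT, "fname").items():
        # Cross-check: the per-index regex must pick the same value the
        # full parse found at that index.
        idx = int(name.rsplit("_", 1)[1]) - 1
        assert extract_nth(SAMPLE_EVENT, "fname", idx) == fields["fname"][idx]
        print(f"{name}: {pattern}  ->  {fields['fname'][idx]}")
    print("fname_11 ->", extract_nth(SAMPLE_EVENT, "fname", 10))  # None
```

Each generated pattern can be tried against the event first (as the self-check in the block does) before it is pasted into a separate regex-based property with capture group 1; a pattern for an index the event never reaches simply fails to match, so over-provisioning properties for the maximum expected count is harmless.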


  • 2.  RE: Parsing multiple values with the same key name

    Posted Mon May 05, 2025 02:27 AM

    Hello,

    I have opened Enhancement Request / Idea https://ideas.ibm.com/ideas/SIEMCORE-I-3927 for this functionality. You can vote for its implementation on the Ideas Portal.

    Peter Wenzl, IBM TEL-S



    ------------------------------
    Peter Wenzl
    ------------------------------