IBM QRadar

Hi team,

I have discovered that at some events, event mapping is not applied at Universal DSM. We have compared mapped and unmapped events, there was no difference. 

Also, map event button is not clickable on those events. We are not allowed to change the DSM of the log source.

Do you have any solution of these problems? Did you encountered this kind of trouble?

Thank you in advance for your opinion.

Regards.

Halil,

this is normal QRadar behaviour. Events are always the same and stay unmodified. However they are processed depending on their logsource definition. This depends on if the logsource was autodetected or not. Mapping of events-ids to QIDs is based on there categorization (Event-ID/LLC/HLC) by the DSM assigned. If an event gets grabbed by Universal DSM (aka "stored") categorization is "unknown". 1st thing to do is adding a logsource for the datasource if its not created automatically by QRadar. Stored events processed by Universal DSM cannot be mapped via QIDmap dialogue by design. However if you assign a DSM of your own. If doing so, you are able to run the QIDmap function and it will be enabled on those events being not yet categorized. An alternative is to use DSMedit to program a DSM that for your own events. Why are you not allowed to change the Universal DSM to anything meaningful? Are you using Universal DSM togehter with LSX? I so you can extend it on order to map your event IDs. If not please explain if your admin rights are limited.

BR, Karl

Hi team,

I have discovered that at some events, event mapping is not applied at Universal DSM. We have compared mapped and unmapped events, there was no difference. 

Also, map event button is not clickable on those events. We are not allowed to change the DSM of the log source.

Do you have any solution of these problems? Did you encountered this kind of trouble?

Thank you in advance for your opinion.

Regards.

Hi Karl, 

I think some parts of my message is missing. Let me clarify myself.

I have added 2 jdbc log source on my QRadar as Universal DSM log source type. They are both have the same type of event style. I have parsed the event id from dsm editor for both. While one Log Source's all events mapped, the other log source's events are not mapped at 1/10 rate. I mean, at the second log source we see almost 1800 events mapped, but 200 events are seen as Universal DSM Message.

By the way, I mapped all events to one custom event, for your information.

Regards. 

Halil,

this is normal QRadar behaviour. Events are always the same and stay unmodified. However they are processed depending on their logsource definition. This depends on if the logsource was autodetected or not. Mapping of events-ids to QIDs is based on there categorization (Event-ID/LLC/HLC) by the DSM assigned. If an event gets grabbed by Universal DSM (aka "stored") categorization is "unknown". 1st thing to do is adding a logsource for the datasource if its not created automatically by QRadar. Stored events processed by Universal DSM cannot be mapped via QIDmap dialogue by design. However if you assign a DSM of your own. If doing so, you are able to run the QIDmap function and it will be enabled on those events being not yet categorized. An alternative is to use DSMedit to program a DSM that for your own events. Why are you not allowed to change the Universal DSM to anything meaningful? Are you using Universal DSM togehter with LSX? I so you can extend it on order to map your event IDs. If not please explain if your admin rights are limited.

BR, Karl

Hi team,

I have discovered that at some events, event mapping is not applied at Universal DSM. We have compared mapped and unmapped events, there was no difference. 

Also, map event button is not clickable on those events. We are not allowed to change the DSM of the log source.

Do you have any solution of these problems? Did you encountered this kind of trouble?

Thank you in advance for your opinion.

Regards.