IBM QRadar


Property getting extracted in DSM Editor but not in the Log Activity

  • 1.  Property getting extracted in DSM Editor but not in the Log Activity

    Posted Mon June 07, 2021 02:22 PM

    We are receiving an event with the below payload. All the keys are getting extracted from the event except "value" (i.e. the IOC value).

    When we open the same event in the DSM Editor it is getting extracted properly. We also checked that the JSON is valid.

    json={"value": "http://url/l/5fc15ea15e66c082e33c48babd5a8ff601a799e6/[email\u00c3\u0083\u00c2\u0083\u00c3\u0082\u00c2\u0083\u00c3\u0083\u00c2\u0082\u00c3\u0082\u00c2\u0083\u00c3\u0083\u00c2\u0083\u00c3\u0082\u00c2\u0082\u00c3\u0083\u00c2\u0082\u00c3\u0082\u00c2\u0083\u00c3\u0083\u00c2\u0083\u00c3\u0082\u00c2\u0083\u00c3\u0083\u00c2\u0082\u00c3\u0082\u00c2\u0082\u00c3\u0083\u00c2\u0083\u00c3\u0082\u00c2\u0082\u00c3\u0083\u00c2\u0082\u00c3\u0082\u00c2\u00af\u00c3\u0083\u00c2\u0083\u00c3\u0082\u00c2\u0083\u00c3\u0083\u00c2\u0082\u00c3\u0082\u00c2\u0083\u00c3\u0083\u00c2\u0083\u00c3\u0082\u00c2\u0082\u00c3\u0083\u00c2\u0082\u00c3\u0082\u00c2\u0082\u00c3\u0083\u00c2\u0083\u00c3\u0082\u00c2\u0083\u00c3\u0083\u00c2\u0082\u00c3\u0082\u00c2\u0082\u00c3\u0083\u00c2\u0083\u00c3\u0082\u00c2\u0082\u00c3\u0083\u00c2\u0082\u00c3\u0082\u00c2\u00bf\u00c3\u0083\u00c2\u0083\u00c3\u0082\u00c2\u0083\u00c3\u0083\u00c2\u0082\u00c3\u0082\u00c2\u0083\u00c3\u0083\u00c2\u0083\u00c3\u0082\u00c2\u0082\u00c3\u0083\u00c2\u0082\u00c3\u0082\u00c2\u0082\u00c3\u0083\u00c2\u0083\u00c3\u0082\u00c2\u0083\u00c3\u0083\u00c2\u0082\u00c3\u0082\u00c2\u0082\u00c3\u0083\u00c2\u0083\u00c3\u0082\u00c2\u0082\u00c3\u0083\u00c2\u0082\u00c3\u0082\u00c2\u00bdprotected]url/-/url/cji-bim/", "type": "Urls", "severity": "Low", "score": 22.658227848101266, "lastUpdateDate": "2021-06-06T18:22:53.623Z", "lastSeen": "2021-06-06T11:47:35.000Z", "firstSeen": "2020-06-08T22:09:55.000Z", "relatedMalware": [], "relatedCampaigns": [], "relatedThreatActors": [], "reportedFeeds": [{"id": "587cc9", "name": "PhishTank", "confidenceLevel": 1}], "whitelisted": false, "tags": [], "systemTags": ["Phishing"]}

    A few more IOC values that are not getting extracted in Log Activity but are getting extracted in the DSM Editor:

    http://url/l/5fc15ea15e66c082e33c48babd5a8ff601a799e6/[email\u00c3\u00af\u00c2\u00bf\u00c2\u00bdprotected]url/-/url/cji-bim/jurabc.\u00fabcd.ab/C25_Panel/

    Can anyone help us with this?



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Property getting extracted in DSM Editor but not in the Log Activity

    Posted Tue July 20, 2021 03:39 PM

    I'm not sure what version you are on or if this issue still exists for you, but the first payload looks like it was missing a closing curly bracket, which was a known issue in the DSM Editor. Take a look at this issue and see if the payloads are possibly missing closing brackets. A software update was released to resolve this parsing issue for JSON payloads to be more resilient: https://www.ibm.com/community/qradar/home/apars/?IJ25729

    If you are still having issues, I would ensure you get an update to one of the resolved versions, if you haven't already done so. If you upgraded and are still experiencing an issue, I would probably get a case opened for support so a representative can review the payloads in detail.



    #QRadar
    #Support
    #SupportMigration
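A quick way to triage this kind of report before opening a case is to run the raw payload through a strict JSON parser, check whether its braces actually balance (the missing closing bracket the reply above describes), and inspect the "value" field on its own. The example below is added here and is not code from the thread or from IBM; the sample event is constructed from the shorter URL posted in the question, with a second copy truncated to reproduce the missing-brace failure. The helper names (split_payload, brace_balance, extract_property, undo_mojibake) are my own. It also shows that the odd \u00c3\u00af\u00c2\u00bf\u00c2\u00bd run in the IOC is a UTF-8 string that was decoded as Latin-1 and re-encoded, which collapses back to a single U+FFFD replacement character; that is a property of the feed data, not of the parser, and worth knowing when a regex-based custom property is expected to match the URL.

```python
import json

# Constructed sample event modelled on the thread: the "json=" prefix the source
# prepends, followed by a JSON object whose "value" carries the mis-encoded URL.
GOOD = ('json={"value": "http://url/l/abc/'
        '[email\\u00c3\\u00af\\u00c2\\u00bf\\u00c2\\u00bdprotected]url/", '
        '"type": "Urls", "severity": "Low", "systemTags": ["Phishing"]}')

# Same event with the final "}" dropped, i.e. the failure mode from the reply.
TRUNCATED = GOOD[:-1]


def split_payload(raw):
    # Remove the "json=" prefix so the remainder can be fed to a JSON parser.
    prefix = "json="
    if not raw.startswith(prefix):
        raise ValueError("payload does not start with json=")
    return raw[len(prefix):]


def brace_balance(text):
    # Count {[ versus }] while skipping JSON string literals, so brackets inside
    # a URL such as "[email...]" do not distort the result. 0 means balanced;
    # a positive number is how many closing brackets are missing.
    depth = 0
    in_str = False
    esc = False
    for ch in text:
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
            continue
        if ch == '"':
            in_str = True
        elif ch in "{[":
            depth += 1
        elif ch in "}]":
            depth -= 1
    return depth


def extract_property(raw, key):
    # Return (value, None) on success or (None, reason) when the payload is not
    # valid JSON; the reason includes the brace depth to point at truncation.
    body = split_payload(raw)
    try:
        obj = json.loads(body)
    except json.JSONDecodeError as exc:
        return None, "invalid JSON (brace depth %d): %s" % (brace_balance(body), exc.msg)
    return obj.get(key), None


def undo_mojibake(text, max_rounds=8):
    # Reverse repeated "UTF-8 bytes read as Latin-1" damage one layer at a time.
    # Stops when a round changes nothing or the text can no longer be
    # round-tripped (for example once it contains U+FFFD).
    for _ in range(max_rounds):
        try:
            fixed = text.encode("latin-1").decode("utf-8")
        except (UnicodeEncodeError, UnicodeDecodeError):
            break
        if fixed == text:
            break
        text = fixed
    return text


if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("truncated", TRUNCATED)):
        value, err = extract_property(raw, "value")
        print(label, "->", err if err else repr(undo_mojibake(value)))
```

Running the block prints the recovered URL for the intact event and an "invalid JSON (brace depth 1)" reason for the truncated one; the depth figure is what to look at first when a property parses in the DSM Editor test pane but not on live events.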