IBM QRadar


 Best way to extend existing parsing of built-in attribute

Reinhard Westerholt posted Wed May 20, 2026 02:38 AM

Hi everyone, 

I’m analyzing a Windows Security Event Log in QRadar that includes a username value in the payload.

The issue is that this value is not parsed into the built-in Username attribute, even though the field clearly exists in the event.

I know I could modify the DSM to extract it, but that would mean overriding the default system behavior. Since the DSM logic isn’t fully visible, I can’t assess the impact or potential side effects of such an override.

Creating a Custom Property works, but it doesn’t allow me to populate the built-in Username attribute, which is required for correlation and searches.

Is there a supported method to extend the existing parsing so that this username value is mapped into the built-in Username attribute without replacing the DSM logic?

Thanks in advance! 

Kind Regards,

Reinhard

Frank Eargle

You should export the raw event (XML, all fields) and take a screenshot of the issue. Send that in to support. They will give you some grief and ask a lot of questions. Then they will open a ticket with development and the content people. It's a lot of hassle, but it gets it fixed for all of us. We are having similar issues with the content folks on various Azure services, the worst of which is Defender. Many properties are defined, but many do not parse correctly. They had us drop back to the previous Defender content pack. Same issue with the Azure platform DSM, which also handles WAF events.. Very poorly.

It's hard for any of the SIEM vendors to keep up with all the changes all the vendors make to all the products. When Micro$loth duplicated Windows event IDs it gave me a FIT years ago.. IBM compensated, but what idiot decided to use the same Windows event ID for multiple different systems and event meanings..

Anushka Gulave

Hello
If the event is in a supported format ( https://www.ibm.com/docs/en/dsm?topic=mwsel-microsoft-windows-security-event-log-sample-event-messages ), then you can open a case with IBM support and will need to share the details below:

—> Log source configuration screenshots of all tabs (Overview, Protocol, Test)

—> get_logs from the QRadar Console and the affected managed host (EC/EP) that this specific log source connects to (follow 1a or 1b)

https://www.ibm.com/support/pages/getting-help-what-information-should-be-submitted-qradar-service-request
—> Share the full XML export of events going into unknown category.

https://www.ibm.com/docs/en/qradar-on-cloud?topic=investigation-exporting-events

In the links below you’ll find a chart with the Manufacturer, Device Name and version, protocol and recorded event types supported by QRadar, as well as the QRadar DSM configuration guide.

QRadar Supported DSMs: https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/r_supported_dsm_list.html

QRadar DSM configuration Guide: https://www.ibm.com/docs/en/SS42VS_DSM/pdf/b_dsm_guide.pdf

If the device Manufacturer and/or model is not listed in the above documents then it is not officially supported; however, you have the following options.

Take reference from the following tech note:

https://community.ibm.com/community/user/security/blogs/vishal-tangadkar/2024/01/30/integrating-unsupported-log-source-with-ibm-qradar

Configure and use a Custom DSM (UDSM):

Write a log source extension to parse events for your device. For more information, see Log source extensions and the DSM Editor.

You can use content extensions, provided by some third-party vendors, for sending events to QRadar.

They can be found on the IBM Security App Exchange (https://exchange.xforce.ibmcloud.com/hub/). These third-party DSM integrations are supported by the vendor, not by IBM.

  • NOTE: any integration or parsing issues that might be encountered are out of the IBM Support scope.

Thanks and Regards,
Anushka
IBM QRadar Support 

Vaishnavi Mangalarap

Hello, Reinhard.

I would not suggest modifying any IBM-supported DSM to parse the username. It would be better to raise a case with IBM support; we will help you check the event payload in our lab and verify the built-in attribute that should parse the username.

While you open the case with Support, please attach the get_logs from the console and collect the event payload in XML format with all columns. 
https://www.ibm.com/docs/en/qsip/7.5.0?topic=management-collecting-log-files
https://www.ibm.com/docs/en/qradar-on-cloud?topic=investigation-exporting-events
 
Regards,
Vaishnavi

Reinhard Westerholt

Thanks for the information! I'll try my luck by opening a support ticket.

Prashant Dodke

Hello Reinhard,

What you are describing is a common limitation in QRadar DSM handling.

Unfortunately, there is no supported way to extend the default DSM parsing logic to populate the built-in Username attribute without modifying or overriding the DSM itself.

Supported Options

  1. Create a Custom Property
    • Safest and fully supported
    • Recommended if correlation rules can be adapted to use the custom property
  2. DSM Override / Extension
    • The only method to map the value into the built-in Username field
    • Should be tested carefully
    • May require maintenance after DSM updates
  3. Use Custom Rules/Reference Sets
    • Sometimes, correlations can be redesigned to use the custom property instead of the normalised Username field

But I would recommend that you open a support case to investigate the issue.

Regards,

Prashant D.
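The "DSM Override / Extension" option from the post above, shown as an added example that is not part of this thread or of IBM's own content: a minimal QRadar log source extension (LSX) that maps the user from a Windows Security event into the built-in Username field while leaving every other field to the stock DSM. The "Account Name:" payload layout, the pattern ids and the match-group description are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Minimal LSX: patterns plus one match group. Any field without a
     matcher here is still parsed by the built-in Windows Security DSM. -->
<device-extension xmlns="event_parsing/device_extension">

  <!-- Logon events such as 4624 carry two "Account Name:" lines: the
       Subject (often a machine account or "-") and the New Logon block.
       Anchoring on "New Logon:" selects the second one.
       Assumed payload layout; adjust the regex to the real event text. -->
  <pattern id="WinNewLogonAccount" xmlns="">
    <![CDATA[New Logon:[\s\S]*?Account Name:\s+([^\s\\]+)]]>
  </pattern>

  <!-- Fallback for events with a single "Account Name:" line; the
       negative lookahead skips the placeholder value "-". -->
  <pattern id="WinAnyAccount" xmlns="">
    <![CDATA[Account Name:\s+(?!-\s)([^\s\\]+)]]>
  </pattern>

  <match-group order="1" description="Username from Windows Account Name" xmlns="">
    <!-- Matchers for the same field are tried by ascending order;
         the fallback only applies when the first pattern fails. -->
    <matcher field="UserName" order="1" pattern-id="WinNewLogonAccount"
             capture-group="1" enable-substitutions="false"/>
    <matcher field="UserName" order="2" pattern-id="WinAnyAccount"
             capture-group="1" enable-substitutions="false"/>
  </match-group>
</device-extension>
```

Attach the extension to the Windows log source with the use condition set to Parsing Override, because the DSM already produces a Username value (empty or otherwise) that must be replaced; Parsing Enhancement only fills fields the DSM failed to parse. Verify the result on a handful of exported events before relying on it in correlation rules, since the matchers must be revisited whenever the DSM or event format changes.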