IBM TechXchange Security Technology Alliance Program User Group
QRadar – Understanding different types of events

By Saket Nimdeokar posted Wed November 13, 2024 05:04 AM

INTRODUCTION

This post is part of a blog series in which we cover the most important issues you will face when creating custom QRadar DSMs. In this post we cover the different types of events that you will see in QRadar.

When a device sends logs to IBM QRadar, or QRadar pulls data from endpoints, QRadar parses the events using a Device Support Module (DSM) so that it can fully utilise the normalised/parsed data for further processing. Which DSM is used depends on the type of device.

Parsing in IBM QRadar means extracting the required information from the event payload with the help of regular expressions, JSON keypath expressions, and so on. A QID is a unique QRadar identifier: a numeric representation of a specific event. For example, QID 39750013 is a login failure event. Each QID includes a name, description, severity, low-level category, and high-level category.

TYPES OF EVENTS

There are 4 types of events you will find in IBM QRadar:

  1. Parsed and Mapped
  2. Unknown events
  3. Stored events
  4. SIM-Generic events

Let us look at each of these types in detail. If you check these types of events in the Log Activity tab, you will see them as below:

1. Parsed and Mapped Events

When events are received, if IBM QRadar is able to extract all the fields from the payload and also map the event to an existing QID, we call it a "parsed and mapped" event.
When this occurs, you should see the event category, event ID, IP, username, etc. extracted, and you will also see the event name, which is derived from the event category and the event ID. In this case, the DSM was able to extract both the event ID and the event category and associate them with the respective QID.
For example, if you open a "parsed and mapped" event in the DSM Editor, you will see it as below.

2. Unknown events

Events where IBM QRadar is able to extract all the fields but cannot locate a QID for that event in the database are labelled "unknown events". For unknown events, the DSM is able to extract both the event ID and the event category but is unable to associate them with a QID. For example, if you open an "unknown" event in the DSM Editor, you will see it as below.

3. Stored events

Events are referred to as "stored" events if they are associated with a log source but cannot be parsed by the appropriate DSM. To be exact, an event is designated a "stored" event if the DSM is unable to extract the event ID from the payload. For stored events, the DSM is able to extract the event category but not the event ID, and hence it is unable to associate the event with a QID.

4. SIM-Generic events

When IBM QRadar is unable to autodetect a particular log source, and no log source was created manually in IBM QRadar for it, those events are tagged to the SIMGeneric log source. In this case, because the events are not associated with any log source, none of the existing DSMs is able to extract the event ID and the event category, so the events cannot be associated with any QID.

NOTE: Unknown and stored events have their own internal QIDs. Whenever you see events in the unknown and stored low-level categories, you will see the QIDs associated with them.
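As an added illustration (example code written for this post, not QRadar's own parsing code), the following Python models a hypothetical "acme-fw" DSM: a log source pattern, regex and JSON keypath extraction of the event category and event ID, and a constructed QID map. It then sorts four constructed sample payloads into the four event types described above. The log source name, field names, QID map entries and sample events are all assumptions.

```python
import json
import re

# Constructed QID map for a hypothetical "acme-fw" DSM: (category, event ID) -> QID.
# 39750013 is the login-failure QID cited in the post; the other number is a placeholder.
QID_MAP = {
    ("auth", "LOGIN_FAILED"): 39750013,
    ("auth", "LOGIN_OK"): 10000001,
}

# Hypothetical log source pattern and field-extraction expressions, standing in
# for the regex / JSON keypath expressions a DSM would use.
LOG_SOURCE_RE = re.compile(r"^<\d+>.* acme-fw: ")
CATEGORY_RE = re.compile(r"\bcat=(\w+)")
EVENT_ID_RE = re.compile(r"\bevt=(\w+)")

# Constructed sample syslog payloads, one per event type.
SAMPLE_EVENTS = [
    "<13>Nov 13 05:04:00 fw01 acme-fw: cat=auth evt=LOGIN_FAILED user=alice src=10.0.0.5",
    '<13>Nov 13 05:04:01 fw01 acme-fw: {"cat": "auth", "evt": "PASSWORD_CHANGED"}',
    "<13>Nov 13 05:04:02 fw01 acme-fw: cat=fw msg=link state changed",
    "<13>Nov 13 05:04:03 host9 other-app: no DSM knows this format",
]

def extract(payload):
    """Return (category, event_id) from the payload; either is None if not found."""
    body = payload.split("acme-fw: ", 1)[-1]
    if body.startswith("{"):            # JSON payload: read the keypaths directly
        obj = json.loads(body)
        return obj.get("cat"), obj.get("evt")
    cat = CATEGORY_RE.search(body)      # key=value payload: use regex captures
    evt = EVENT_ID_RE.search(body)
    return (cat.group(1) if cat else None), (evt.group(1) if evt else None)

def classify(payload):
    """Sort one payload into the four QRadar event types described in the post."""
    if not LOG_SOURCE_RE.match(payload):
        return "SIM-Generic"            # no log source matched, so no DSM ran
    category, event_id = extract(payload)
    if event_id is None:
        return "Stored"                 # DSM could not extract the event ID
    if (category, event_id) not in QID_MAP:
        return "Unknown"                # fields extracted, but no QID for them
    return "Parsed and Mapped"          # fields extracted and QID found

def classify_all(events=SAMPLE_EVENTS):
    return [classify(e) for e in events]
```

Running `classify_all()` on the sample list returns one label per payload in the order parsed and mapped, unknown, stored, SIM-Generic.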

Watch this space: in upcoming blogs we will also explain how to parse and map events using the DSM Editor.

Meanwhile, you may check:

DSM Editor Documentation - https://www.ibm.com/docs/en/qradar-on-cloud?topic=qradar-dsm-editor-overview

DSM Editor in 10 minutes - https://www.youtube.com/watch?v=KF40bba_kp0&t=29s

- Saket Nimdeokar 
Thanks to Ashish Kothekar for reviewing this blog
