IBM Security QRadar


Ingest data how you need with Data Parser

By Tanesha Shelton posted Fri November 10, 2023 08:31 AM

  

New Data Parser Offers Efficient Ways for Data Ingestion in QRadar Suite 

 

Our team has been working diligently on this new functionality and we are proud to announce that the Data Parser is finally available in QRadar Log Insights. 

This new functionality allows analysts to customize what data is ingested and how it is parsed, normalized and categorized, so that it is more useful for reporting and analysis. 

 

Data Parser is a visual interface in which a user can customize the behavior of IBM-provided data parsers or create new parsers for unsupported sources. Customization currently covers configuring the parsing behavior of standard properties and defining and categorizing event types; it will later be extended to data source autodetection, property autodetection, event timeout and related settings.  

 

The Data Parser accepts sample events for a data source type and shows, in a "parsing preview", how that data will be normalized. The user can see the present behavior before making changes and then see how their configuration changes the result. The parsing preview runs the IBM-provided DSM code modules together with the user-provided configuration, so what it shows is what ingestion will actually produce. 


In brief, Data Parser allows you to: 

Create data source types 

Create custom data source types to extract data from devices for which IBM and its partners do not provide a parser. 

 

Customize system properties 

Update any of the extensive list of system properties so that data is parsed correctly when its format differs from the default. 

 

 

Why Data Parser is Valuable 

  

When it comes to data ingestion, a few things make the most difference. The release of Data Parser brings several key advantages: 

  • Fast time-to-delivery: focus on threat hunting rather than on data ingestion. An expanded list of system properties lessens the need to create custom properties. 

  • Simple set-up: no special training in coding is needed. 

  • Custom data source types: create custom data source types to support unique or unsupported devices. Expressions can be added to system properties to cover a data source's custom formatting of common fields. 

  • View event dictionary: clearly see the mappings and the data extracted from payloads. 
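To make the customization concrete, here is an added example (not QRadar code, and not the DSM engine the post describes) that models the parsing-preview idea in plain Python: a set of system-property expressions is applied to constructed sample events from a hypothetical "Acme Gateway" appliance, once with default expressions that miss the device's `src=host:port` format and once with customized expressions, and the result is categorized through a hypothetical event-type table. The property names mirror QRadar's normalized fields, but the payloads, expressions, event IDs and categories are all assumptions made for the illustration.

```python
import re

# Constructed sample payloads from a hypothetical "Acme Gateway" appliance (not a real DSM).
SAMPLE_EVENTS = [
    "<134>Nov 10 08:31:00 gw01 acmegw: evt=LOGIN_OK user=alice src=10.1.2.3:51522 dst=192.0.2.10:443",
    "<134>Nov 10 08:31:05 gw01 acmegw: evt=LOGIN_FAIL user=bob src=203.0.113.7:40001 dst=192.0.2.10:443 reason=bad_password",
    "<134>Nov 10 08:31:09 gw01 acmegw: evt=CONFIG_CHANGE user=admin src=10.1.2.9:55000 item=firewall_policy",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Hypothetical default expressions: they expect "srcip=" / "dstip=" fields,
# so they silently miss on this device's "src=host:port" layout.
DEFAULT_EXPRESSIONS = {
    "Source IP": rf"\bsrcip=({IPV4})",
    "Destination IP": rf"\bdstip=({IPV4})",
    "Username": r"\buser=(\S+)",
    "Event ID": r"\bevt=(\S+)",
}

# Customized expressions for the same system properties, adjusted to the device's format.
CUSTOM_EXPRESSIONS = {
    "Source IP": rf"\bsrc=({IPV4}):\d+",
    "Source Port": rf"\bsrc={IPV4}:(\d+)",
    "Destination IP": rf"\bdst=({IPV4}):\d+",
    "Destination Port": rf"\bdst={IPV4}:(\d+)",
    "Username": r"\buser=(\S+)",
    "Event ID": r"\bevt=(\S+)",
}

# Hypothetical event-type definitions: device event ID -> (event name, category).
EVENT_TYPES = {
    "LOGIN_OK": ("User Login Success", "Authentication.Success"),
    "LOGIN_FAIL": ("User Login Failure", "Authentication.Failure"),
    "CONFIG_CHANGE": ("Configuration Change", "Audit.Configuration"),
}


def extract_properties(payload, expressions):
    """Apply one expression per system property and return the captured values.
    A property whose expression does not match is left out rather than filled
    with a placeholder, so the preview makes the gap visible."""
    result = {}
    for prop, pattern in expressions.items():
        match = re.search(pattern, payload)
        if match:
            result[prop] = match.group(1)
    return result


def missing_properties(payload, expressions):
    """List the system properties that did not match, in definition order."""
    found = extract_properties(payload, expressions)
    return [prop for prop in expressions if prop not in found]


def categorize(properties):
    """Map the extracted Event ID to an event name and category; unknown IDs
    fall through to 'Unknown' instead of raising, as an unmapped event would."""
    event_id = properties.get("Event ID")
    name, category = EVENT_TYPES.get(event_id, ("Unknown", "Unknown"))
    return {"Event Name": name, "Category": category}


def parsing_preview(payload, expressions):
    """Normalized event dictionary: extracted properties plus categorization."""
    properties = extract_properties(payload, expressions)
    preview = dict(properties)
    preview.update(categorize(properties))
    return preview


if __name__ == "__main__":
    for payload in SAMPLE_EVENTS:
        print("default :", parsing_preview(payload, DEFAULT_EXPRESSIONS),
              "missing:", missing_properties(payload, DEFAULT_EXPRESSIONS))
        print("custom  :", parsing_preview(payload, CUSTOM_EXPRESSIONS),
              "missing:", missing_properties(payload, CUSTOM_EXPRESSIONS))
```

The point of `missing_properties` is the check a practitioner actually wants from a preview: with the default expressions the login events lose Source IP and Destination IP entirely, which would only surface later as blank columns in searches and reports; with the customized expressions only the properties the device genuinely does not send (no `dst=` on the configuration-change event) are absent. An unknown event ID is reported as an Unknown category rather than being dropped, which is the state you want to be able to see before turning a parser on for production data.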

 

 

How it works 

Navigate to Connections -> Data Parser to access the tool. See the documentation here for details on usage.  

 Let us know what you think about this functionality and share your comments below.

 


Comments

Mon November 27, 2023 05:15 PM

Awesome write-up on this work @Tanesha Shelton! Love seeing all this hard work come to fruition! Go team!