QRadar XDR

  • 1.  Migration to 7.4.3 and Custom Properties

    Posted Mon October 11, 2021 11:21 AM

    Hi Community,

    I've upgraded QRadar to 7.4.3 and noticed that many of my Windows Custom Properties display the value "null".

    I have around 100 rules using Windows Custom Properties like this one

    I searched for an event such as 4624 to see if LogonType was being correctly displayed, but it was not there. I went to Admin -> Custom Event Properties and noticed that this property was disabled.

    This means that my rules were not triggering during this time. I opened a support case and was told that they were closing the case because there is an APAR for this:

    What am I supposed to do then? Review each of my 100 rules to see if they were impacted and re-run my tests?

    I also read this article: https://community.ibm.com/community/user/security/blogs/wendy-willner/2021/05/25/qradar-743-custom-event-property-rebaselining

    and read that the IBM CEP were impacted but no warning regarding rules not triggering anymore.

    Thank you in advance




  • 2.  RE: Migration to 7.4.3 and Custom Properties

    Posted Tue October 12, 2021 07:40 AM
    Yes, I have been impacted by that APAR. Best thing to do is use the Use Case Manager and use the Rules by Custom Properties widget. You will still have to look at the disabled date to find out which ones to look at of course.

    I made a rule to alert me when custom properties become disabled.

    Frank Eargle

  • 3.  RE: Migration to 7.4.3 and Custom Properties

    IBM Select
    Posted Wed October 13, 2021 01:55 PM
    @Frank Eagle, what condition did you use to track the custom property disabled?


  • 4.  RE: Migration to 7.4.3 and Custom Properties

    Posted Wed October 13, 2021 01:59 PM

    You were lucky, just saw one! QID = 38750097