IBM Security QRadar

  • 1.  json keypath expression not working in qradar 7.4.0

    Posted Wed May 27, 2020 11:31 AM
    Hello all,

    I'm trying to use the example from:
    https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_adm_dsm_ed_json_keypath.html

    In the attached image one can see that the properties "first_name" and "last_name" are getting highlighted as described on IBM Knowledge Center.

    However, by pressing the OK button it says: "The value entered is not a valid expression."

    Any ideas? Suggestions?

    Thank you,
    Stefan


    ------------------------------
    Stefan Haunß
    ------------------------------


  • 2.  RE: json keypath expression not working in qradar 7.4.0

    Posted Wed May 27, 2020 11:32 AM
    forgot to upload the attachment

    ------------------------------
    Stefan Haunß
    ------------------------------



  • 3.  RE: json keypath expression not working in qradar 7.4.0

    Posted Sun June 14, 2020 04:26 AM
    Hello,

    Here in this case it seems like you are forwarding the log in syslog format, in which it has JSON embedded; however, the parser works only on the entire log. So it cannot understand it as JSON.

    In case you want to use JSON, try changing at the source to forward as JSON, and it should work thereby.

    Regards,
    Venky

    ------------------------------
    Venkatesh Siddi
    ------------------------------



  • 4.  RE: json keypath expression not working in qradar 7.4.0

    Posted Mon June 15, 2020 12:16 PM
    Hi Venkatesh,

    This is actually incorrect. The JSON parser will scan through the event payload to find the beginning of a JSON object (if one is present) and start working from there. It's fine to include a JSON object in a syslog message.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 5.  RE: json keypath expression not working in qradar 7.4.0

    Posted Mon June 15, 2020 12:14 PM
    Hi Stefan,

    This isn't working because you are attempting to combine multiple captured values for a custom property. We do allow multiple references to be combined together (along with literal characters, if desired) for standard properties, like Username, but it's not currently possible to do this with custom properties like AccountDomain. We are working on a product enhancement to allow for this in custom properties too, but it is not yet available.

    FYI, this is what the document is referring to when it says this: "Within log source extensions, you can supply and combine together multiple JSON keypaths to give a single result; this convention excludes custom properties."

    Note that it is possible to combine multiple extraction property values together with a custom AQL property, if this is something you need to do.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
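The two behaviours described in Colin's replies above, the parser skipping the syslog header to find the embedded JSON object (post 4) and several keypaths being combined with literal text into a single result (post 5), can be illustrated with a small stand-alone script. This is an added example, not QRadar's parser and not code from the thread: the `/"key"` component syntax is modelled on the keypath form shown in the linked IBM document, the array-index form `/N`, the `parts` list convention used by `combine_keypaths`, and the sample event are all assumptions made here for illustration.

```python
import json
import re

# Constructed sample event (not from the thread): a syslog header, some free text,
# then an embedded JSON object. The stray "{main}" in the header shows why the
# locator must try each candidate brace rather than the first one it sees.
SAMPLE_EVENT = (
    '<14>Jun 15 12:16:00 authsrv01 sso{main}[4711]: login ok '
    '{"user": {"first_name": "Stefan", "last_name": "Haunss", '
    '"roles": ["admin", "audit"]}, "src_ip": "192.0.2.10"}'
)

# One keypath component is either /"quoted key" (object member) or /N (array index).
# Assumed syntax for this example; escape sequences inside keys are not unescaped.
_COMPONENT = re.compile(r'/(?:"((?:[^"\\]|\\.)*)"|(\d+))')
_KEYPATH = re.compile(r'(?:/(?:"(?:[^"\\]|\\.)*"|\d+))+')


def locate_json_object(payload):
    """Return the first complete JSON object embedded in payload, or None.

    The text before the object (syslog header, free text) is skipped rather
    than treated as an error, which is the behaviour post 4 describes.
    """
    decoder = json.JSONDecoder()
    for match in re.finditer(r"\{", payload):
        try:
            obj, _end = decoder.raw_decode(payload, match.start())
        except json.JSONDecodeError:
            continue  # not a valid object at this brace; try the next one
        if isinstance(obj, dict):
            return obj
    return None


def evaluate_keypath(obj, keypath):
    """Resolve a keypath such as /"user"/"roles"/1 against a parsed object.

    Returns None when the path is malformed or any component is missing, so a
    caller can tell "no value" apart from a real value without catching errors.
    """
    if not _KEYPATH.fullmatch(keypath):
        return None
    current = obj
    for key, index in _COMPONENT.findall(keypath):
        if index:
            if not isinstance(current, list) or int(index) >= len(current):
                return None
            current = current[int(index)]
        else:
            if not isinstance(current, dict) or key not in current:
                return None
            current = current[key]
    return current


def combine_keypaths(obj, parts):
    """Join keypath results and literal text into one string.

    parts is a list whose entries starting with "/" are keypaths and whose other
    entries are literal text, e.g. ['/"user"/"first_name"', ' ', '/"user"/"last_name"'].
    Any keypath that does not resolve makes the whole combination None.
    """
    pieces = []
    for part in parts:
        if part.startswith("/"):
            value = evaluate_keypath(obj, part)
            if value is None:
                return None
            pieces.append(str(value))
        else:
            pieces.append(part)
    return "".join(pieces)


if __name__ == "__main__":
    event = locate_json_object(SAMPLE_EVENT)
    print(evaluate_keypath(event, '/"user"/"first_name"'))
    print(combine_keypaths(event, ['/"user"/"first_name"', " ", '/"user"/"last_name"']))
```

Running the script prints `Stefan` and then `Stefan Haunss`. The `combine_keypaths` step is exactly the kind of multi-keypath result that, according to post 5, a log source extension can produce for a standard property but an extraction-based custom property cannot accept, which is why the thread points to an AQL-based custom property for that case.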



  • 6.  RE: json keypath expression not working in qradar 7.4.0

    Posted Wed April 21, 2021 12:45 PM
    Hi @COLIN HAY, is it still not available to combine multiple captured values for a custom property?

    ------------------------------
    Erez Avram
    ------------------------------



  • 7.  RE: json keypath expression not working in qradar 7.4.0

    Posted Wed April 21, 2021 01:12 PM
    Hi Erez,

    This is still not available for extraction type custom properties; you would need to use an AQL property to combine multiple extraction properties.

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------