IBM Security QRadar


Office365 - Override username parsing for specific QID

  • 1.  Office365 - Override username parsing for specific QID

    Posted Thu October 08, 2020 07:39 PM
    Hello guys

    Recently, I started to check O365 ThreatIntel logs associated with the event ID TIMaiData. Analyzing these particular events, I have found that all of them relate to the ThreatIntel user from the O365 module. I want to override the username parsed for these particular events to get the source e-mail address, but the only way I have found is to first try overriding an identity field.

    What do you suggest to achieve this? I want to avoid creating a new custom property and recreating rules for it.


    Regards,



    ------------------------------
    Andres Arguelles
    ------------------------------


  • 2.  RE: Office365 - Override username parsing for specific QID

    Posted Fri October 09, 2020 01:12 PM
    Hi Andres,

    If your goal is to change how the Username property is set, you can do this in the DSM Editor, but override the "Username" property, not one of the Identity fields. To ensure the override only applies to that one Event ID, incorporate the "TIMaiData" string into your regex. If it occurs before the source email field, include:


    TIMaiData.*?

    before the regex you're using to capture the email address. If it occurs after the email address field, include this after the regex you're using:

    .*?TIMaiData

    This will ensure the override regex only applies when that Event ID is present; other events will use the original Username value parsed by the default DSM behaviour.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
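The override described in the reply above, worked through as an added example that is not part of the thread and not IBM's or QRadar's code. It simulates in Python what the DSM Editor does: the override regex is tried first, and only when it does not match does the default Username parse apply. The payload shape and field names (Operation, UserId, P1Sender) are constructed for the example; substitute whatever literal and field your real events carry. QRadar evaluates Java regex, but every construct used here (literal, lazy `.*?`, one capture group, negated character classes) behaves the same in both engines. The example goes one step beyond the post in two ways: it anchors on the field name plus value (`"Operation":"TIMaiData"`) rather than the bare event-ID string, so the override cannot fire when that string merely appears inside another field, and it tries both the "before" and "after" orderings so field order in the payload does not matter.

```python
import re
from typing import Optional

# Constructed sample events in a JSON-like shape (assumed field names, not
# real O365 or QRadar payloads); each is one raw payload line as the DSM
# would see it. Events 1 and 3 carry the TIMaiData operation, event 2 does not.
SAMPLE_EVENTS = [
    '{"Operation":"TIMaiData","UserId":"ThreatIntel","P1Sender":"attacker@example.net","Recipients":["alice@example.com"]}',
    '{"Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"203.0.113.7"}',
    '{"P1Sender":"spoof@example.org","UserId":"ThreatIntel","Operation":"TIMaiData"}',
]

# Stand-in for the DSM's default Username extraction (assumed field).
DEFAULT_USERNAME = re.compile(r'"UserId":"([^"]+)"')

# The email capture on its own, then the two override forms from the post:
# event-ID literal before the capture, or after it, joined by a lazy ".*?".
# The literal is anchored on the field name so that "TIMaiData" appearing
# inside some other value (e.g. a mailbox name) cannot trigger the override.
# Note: "." does not cross newlines without DOTALL; these payloads are single-line.
EMAIL = r'"P1Sender":"([^"@\s]+@[^"\s]+)"'
OVERRIDE_BEFORE = re.compile(r'"Operation":"TIMaiData".*?' + EMAIL)
OVERRIDE_AFTER = re.compile(EMAIL + r'.*?"Operation":"TIMaiData"')


def parse_username(event: str) -> Optional[str]:
    """Return the Username the override would set for this event.

    Mirrors the DSM Editor behaviour the reply describes: if the override
    regex matches, its capture group wins; otherwise the default parse is
    used, so events without the TIMaiData operation keep their original value.
    """
    for rx in (OVERRIDE_BEFORE, OVERRIDE_AFTER):
        m = rx.search(event)
        if m:
            return m.group(1)
    m = DEFAULT_USERNAME.search(event)
    return m.group(1) if m else None


def parse_all(events=SAMPLE_EVENTS):
    """Username per event, in input order."""
    return [parse_username(e) for e in events]


if __name__ == "__main__":
    for event, user in zip(SAMPLE_EVENTS, parse_all()):
        print(f"{user!s:24} <- {event[:60]}")
```

Before pasting the override into the DSM Editor, test it against a captured TIMaiData payload and against a non-TIMaiData payload from the same log source: the first must yield the sender address, the second must not match at all, so that QRadar falls back to the default Username for it.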