QRadar XDR

  • 1.  Universal DSM parsing error

    Posted Wed August 04, 2021 12:01 PM
    Hello all,
    I am integrating MS cloud app security with QRadar and used the universal DSM and the cloud REST API. I am getting the logs in QRadar but they are not parsed. I tried to parse them in the DSM editor and successfully parsed most of those logs. The problem is that when I open events in the DSM editor, I can see all my custom extracted properties there, but when I open an event in log activity, my custom extracted properties don't show up there. What should I do to see custom properties in log activity events?

    Thanks in Advance,

    ------------------------------
    Abdul Rahman
    ------------------------------


  • 2.  RE: Universal DSM parsing error

    Posted Thu August 05, 2021 05:44 AM
    Anyone who can guide, please?

    ------------------------------
    Abdul Rahman
    ------------------------------



  • 3.  RE: Universal DSM parsing error

    Posted Thu August 05, 2021 08:21 AM
    Edited by Andres Parada Thu August 05, 2021 04:32 PM
    Hi Abdulrahman, 
    In Log Source settings, try removing the log source extension. I mean, select to use none of the log source extensions.


    ------------------------------


  • 4.  RE: Universal DSM parsing error

    Posted Fri August 06, 2021 02:19 AM
    Also, it could be that your EventID is not parsed yet.

    ------------------------------
    Mohd Mukrim Che Mohamad Zulkifly
    ------------------------------