Global Security Forum

Hi Community,

It is possible to add any custom content(Text) to the payload from Qradar UI.

For example, I want to add "Hostname" or "IP" after time in the payload.

I faced an issue with log source identifier in the Qradar.

Kind Regards,

Michail  

------------------------------
Michail Christof
------------------------------

Michail, if you have a problem with a header, maybe using forwarding destinations and option "Prefix a syslog header if it is missing or invalid" option could help?

------------------------------
Dusan VIDOVIC
------------------------------

Original Message:
Sent: Tue November 16, 2021 09:59 AM
From: Michail Christof
Subject: Add custom content(Text) to the payload from Qradar UI

Hi Community,

It is possible to add any custom content(Text) to the payload from Qradar UI.

For example, I want to add "Hostname" or "IP" after time in the payload.

I faced an issue with log source identifier in the Qradar.

Kind Regards,

Michail  

------------------------------
Michail Christof
------------------------------

In the event payload it is almost always possible to add fields after the payload.  One example is X-Forwarded-For, it is almost always added after the other built in fields in a web servers log.  You will have to custom parse it or extract it via the DSM editor.  Watch the event size though.  UDP syslog is limited by a payload of 1500 bytes or so, TCP can be much larger, but you also have to set the maximum size expected in the QRadar Admin\Setup, do not go over 32K as Ariel doesn't do well with larger payloads.  If you have WAF like F5 you will need a huge payload as the headers and all can be large. 

For flows, I do not think it is possible to add anything.  I'm not sure it would be technically possible for the collection devices to add anything to payloads.  You have to think of it as a PCAP.  There is often metadata available such as QNI adds, but that is different than the flow payload.

------------------------------
Frank Eargle
------------------------------

Original Message:
Sent: Tue November 16, 2021 09:59 AM
From: Michail Christof
Subject: Add custom content(Text) to the payload from Qradar UI

Hi Community,

It is possible to add any custom content(Text) to the payload from Qradar UI.

For example, I want to add "Hostname" or "IP" after time in the payload.

I faced an issue with log source identifier in the Qradar.

Kind Regards,

Michail  

------------------------------
Michail Christof
------------------------------

Hi! Could you be more specific about what do you mean After time and Qradar UI?
When the Event is normalized, you can change things but if you mean you want to revise the payload once is processed and stored, that is not possible.

------------------------------
Marco Zanchi
------------------------------

Original Message:
Sent: Tue November 16, 2021 09:59 AM
From: Michail Christof
Subject: Add custom content(Text) to the payload from Qradar UI

Hi Community,

It is possible to add any custom content(Text) to the payload from Qradar UI.

For example, I want to add "Hostname" or "IP" after time in the payload.

I faced an issue with log source identifier in the Qradar.

Kind Regards,

Michail  

------------------------------
Michail Christof
------------------------------