Global Security Forum

  • 1.  AQL-Custom Properties (REFERENCEMAP)

    Posted Tue June 08, 2021 10:09 AM

    Dear Community,

    I have an issue with AQL-Custom Properties.
    For example, I created a Custom Property with REFERENCEMAP('Reference Map',"Custom Property") to map values from another Custom Property.


    The issue that I faced is that the AQL Custom Property appeared in every event (with "null" value) and I cannot configure it to appear in events from a specific log source type.

    Any ideas?

     

    Best Regards,
    Michail



    ------------------------------
    Michail Christof
    ------------------------------


  • 2.  RE: AQL-Custom Properties (REFERENCEMAP)

    Posted Wed June 09, 2021 01:38 PM
    Hi Michail,

    In QRadar version 7.4.3 we have changed AQL custom properties to work the same way as extraction properties, with the same set of filtering capabilities. It is not possible to limit them in this way in older versions of QRadar.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 3.  RE: AQL-Custom Properties (REFERENCEMAP)

    Posted Thu June 10, 2021 03:22 AM

    Thank you Colin for your answer.

    We will check it again after we have made the upgrade.

     

    Best Regards,

    Michail



    ------------------------------
    Michail Christof
    ------------------------------