Hi Michail,
In QRadar version 7.4.3 we have changed AQL custom properties to work the same way as extraction properties, with the same set of filtering capabilities. It is not possible to limit them in this way in older versions of QRadar.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
------------------------------
Original Message:
Sent: Tue June 08, 2021 10:08 AM
From: Michail Christof
Subject: AQL-Custom Properties (REFERENCEMAP)
Dear Community,
I have an issue with AQL-Custom Properties.
For example I created a Custom Property with REFERENCEMAP('Reference Map',"Custom Property") to map values from another Custom Property.
The issue that I faced is that the AQL Custom Property appeared in every event(with "null" value) and I cannot configured it to appear in events from a specific log source type.
Any Ideas?
Best Regards,
Michail
------------------------------
Michail Christof
------------------------------