IBM Security QRadar


new to qradar

  • 1.  new to qradar

    Posted Thu October 10, 2019 09:21 AM
    What are an event ID and a QID?
    I tried to understand by searching on the web,
    but didn't encounter a beginner's intuitive answer.

    ------------------------------
    daniel benisti
    ------------------------------


  • 2.  RE: new to qradar

    Posted Thu October 10, 2019 11:01 AM
    QID is the QRadar Identification Number that is applied uniquely to an
    event name for a device type. EventID usually refers specifically to the
    Windows Event Log Event ID number as a custom property.




  • 3.  RE: new to qradar

    Posted Thu October 10, 2019 11:51 AM
    Have you taken a look at the QRadar 101 pages? This might be able to help you.

    ------------------------------
    Wendy Batten
    Community Manager
    IBM Security
    Cambridge MA
    ------------------------------



  • 4.  RE: new to qradar

    Posted Sat October 12, 2019 11:14 AM
    Thank you so much for the resource!

    ------------------------------
    daniel benisti
    ------------------------------



  • 5.  RE: new to qradar

    Posted Fri October 11, 2019 03:18 AM
    Each system has its own structure for event IDs.

    For example, if you look in the Windows Event Viewer you can see a lot of messages.
    Because QRadar works with all the different systems, it needs a database of all known messages.

    QRadar Identifier Database

    In this database, each message from all the gathered systems is given a unique number known as a QID.

    More information about qid
    https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_QID_overview.html


    ------------------------------
    Jan-dirk Prins
    ------------------------------



  • 6.  RE: new to qradar

    Posted Fri October 11, 2019 05:54 AM
    As mentioned, each event in QRadar is mapped to a so-called high & low level category - thus an event mapping represents an association between an event ID and category combination and a QID record (referred to as event categorization). Event ID and category values are extracted by DSMs from events and are then used to look up the mapped event categorization or QID. Event categorizations store extra metadata for the event that might not exist in the raw event data (e.g. description), a severity value, or a low level category assignment. See: Event mapping

    ------------------------------
    Dusan VIDOVIC
    ------------------------------
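
To make the two explanations above concrete (Jan-dirk's "each message is given a unique number known as a QID" and Dusan's "event ID and category values are extracted by DSMs and then used to look up the QID"), here is an added toy model of that lookup. It is not QRadar's code and not from any post in this thread; the QID table, the QID numbers, the per-device extraction rules and the log lines are all constructed for the example. It shows the three steps a DSM performs: pull the device-specific event identifier out of the raw event, look up (log source type, identifier) in the QID database, and attach the record's metadata (description, severity, low level category) to the event, falling back to an "unknown" record when no mapping exists.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class QidRecord:
    """One record of the QID database: metadata an event carries after mapping."""
    qid: int
    name: str
    description: str
    severity: int            # 1 (low) .. 10 (high)
    low_level_category: str


# Log source types (device types) used as the first half of the lookup key.
WINDOWS = "Microsoft Windows Security Event Log"
LINUX = "Linux OS"

# Constructed stand-in for the QRadar Identifier Database. Keys are
# (log source type, event identifier); the QID numbers are placeholders,
# not real QRadar QIDs.
QID_TABLE: Dict[Tuple[str, str], QidRecord] = {
    (WINDOWS, "4624"): QidRecord(900001, "An account was successfully logged on",
                                 "Windows logon succeeded", 3, "User Login Success"),
    (WINDOWS, "4625"): QidRecord(900002, "An account failed to log on",
                                 "Windows logon failed", 5, "User Login Failure"),
    (LINUX, "Failed password"): QidRecord(900003, "SSH authentication failure",
                                          "sshd rejected a password", 5, "User Login Failure"),
}

# Fallback record for identifiers the database does not know (constructed).
UNKNOWN = QidRecord(0, "Unknown", "Event identifier not in QID database", 1, "Unknown")

# Per-device-type extraction rules, standing in for the DSM parsing step.
# Windows agents send the numeric Event ID; Linux sshd has no numeric ID,
# so the message text itself acts as the identifier.
EXTRACTORS: Dict[str, re.Pattern] = {
    WINDOWS: re.compile(r"\bEventID=(\d+)\b"),
    LINUX: re.compile(r"sshd\[\d+\]: (Failed password|Accepted password)\b"),
}


def extract_event_identifier(log_source_type: str, raw: str) -> Optional[str]:
    """Step 1: the DSM extracts the device-specific event identifier."""
    pattern = EXTRACTORS.get(log_source_type)
    if pattern is None:
        return None
    match = pattern.search(raw)
    return match.group(1) if match else None


def map_to_qid(log_source_type: str, raw: str) -> QidRecord:
    """Steps 2-3: look the identifier up and return the QID record's metadata."""
    event_id = extract_event_identifier(log_source_type, raw)
    if event_id is None:
        return UNKNOWN
    return QID_TABLE.get((log_source_type, event_id), UNKNOWN)


# Constructed sample events (not captured from a real system).
WIN_LOGON = ("AgentDevice=WindowsLog AgentLogFile=Security EventID=4624 "
             "EventIDCode=4624 TargetUserName=alice")
WIN_UNMAPPED = "AgentDevice=WindowsLog AgentLogFile=Security EventID=4719"
LINUX_FAIL = ("Oct 10 09:21:05 host sshd[1234]: Failed password for invalid user "
              "admin from 192.0.2.10 port 5555 ssh2")

if __name__ == "__main__":
    for source, line in [(WINDOWS, WIN_LOGON), (WINDOWS, WIN_UNMAPPED), (LINUX, LINUX_FAIL)]:
        rec = map_to_qid(source, line)
        print(f"{source:38s} id={extract_event_identifier(source, line)!s:16s} "
              f"QID={rec.qid} sev={rec.severity} cat={rec.low_level_category}")
```

The point to take from it: the event ID is whatever the device itself uses (a number for Windows, a message pattern for sshd) and only means something for that device type, whereas the QID is QRadar's own key that normalizes all of them so that a rule or search can say "User Login Failure" without caring which product produced the event. Windows event 4719 is deliberately left out of the constructed table to show the unmapped case.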