IBM Security QRadar


DSM Editor - How to Write Expression when there is an '_' in the attribute name in the payload

  • 1.  DSM Editor - How to Write Expression when there is an '_' in the attribute name in the payload

    Posted Wed November 30, 2022 06:28 PM
    Hello

    Newbie here....I just got a new log source connected and am trying to get data parsed correctly. I have made headway in data that is one word - userid, device, etc. However, I have several attributes that come through in the payload with a _ in the name: process_id, process_path, etc. How do I write the expression so this data is parsed correctly?

    Here are a couple of examples from the payload:

    "process_id":36396,"parent_process_id":36084,

    Thanks!

    Jeannie


    ------------------------------
    Jeannie Burrell
    jeannie.burrell@pattersoncompanies.com
    ------------------------------


  • 2.  RE: DSM Editor - How to Write Expression when there is an '_' in the attribute name in the payload
    Best Answer

    User Group Leader
    Posted Wed November 30, 2022 08:32 PM

    Hello Jeannie, 
    So is the below what you want to achieve, for example?



    ------------------------------
    Regards, 고맙습니다.
    ByongJun "BJ" Na (나병준)
    QRadar Advisor with Watson Ambassador/Security Intelligence Senior CTP
    IBM Certified SI Solution Advisor(실장/전문위원), CISSP, IBM Certified ADP
    - You solve one problem, and you solve the next one, and then the next.
    And if you solve enough problems, you get to come home. - From Martian -
    Phone: 822-3781-4843 | Mobile: 82-10-4995-4843
    E-mail: bjna@kr.ibm.com
    ------------------------------



  • 3.  RE: DSM Editor - How to Write Expression when there is an '_' in the attribute name in the payload

    Posted Thu December 01, 2022 09:00 AM
    This is exactly what I was looking for. Thank you so much!

    Have a great day!

    Jeannie

    ------------------------------
    Jeannie Burrell
    jeannie.burrell@pattersoncompanies.com
    ------------------------------
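
An added example, not part of any post in this thread and not IBM's code: the underscore is a literal character in a regex, so the practical issue with the payload above is that `process_id` is also a suffix of `parent_process_id`, and an expression without the leading quote can capture the wrong field. The payload below is constructed (field order reversed, `process_path` value and nested `device` object assumed), and `keypath` is a simplified stand-in for a JSON keypath expression of the form `/"process_id"`, not QRadar's parser.

```python
import json
import re

# Constructed sample built from the field names in the question.
PAYLOAD = ('{"parent_process_id":36084,"process_id":36396,'
           '"process_path":"/usr/bin/ssh","device":{"host_name":"ws01"}}')

# No leading quote: also matches the tail of "parent_process_id".
LOOSE = r'process_id":(\d+)'
# The leading quote pins the match to the exact key name.
ANCHORED = r'"process_id":\s*(\d+)'
PARENT = r'"parent_process_id":\s*(\d+)'
# String values: capture everything up to the closing quote.
PATH = r'"process_path":\s*"([^"]*)"'


def regex_capture(pattern, payload, group=1):
    """Return the capture group of the first match, or None."""
    m = re.search(pattern, payload)
    return m.group(group) if m else None


def keypath(expr, payload):
    """Walk a /"key"/"key" path through a JSON object (objects only)."""
    node = json.loads(payload)
    for key in re.findall(r'/"([^"]+)"', expr):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


if __name__ == "__main__":
    print("loose    :", regex_capture(LOOSE, PAYLOAD))      # parent's value
    print("anchored :", regex_capture(ANCHORED, PAYLOAD))
    print("parent   :", regex_capture(PARENT, PAYLOAD))
    print("path     :", regex_capture(PATH, PAYLOAD))
    print("keypath  :", keypath('/"process_id"', PAYLOAD))
    print("nested   :", keypath('/"device"/"host_name"', PAYLOAD))
```

A field mapped with the loose pattern would silently report the parent's PID as the process PID whenever the parent field appears first, which skews process-lineage searches and rules built on that property.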