Question & Answer
Question
Is it Normal In the QRadar 'Custom Event Properties' panel, to have duplicates default custom event properties, with the same Property Name, and apply to the same log source type?
Answer
This is normal behavior. Although two or more custom properties of a particular log source type may have the same name, they might differ in Regex string used, event name or category that they apply to.
For example, there are three custom properties for the Microsoft Security Event log named ObjectName. They are each unique and apply in different cases:
One custom property applies only to the event name A new process has been created (QID 5000862).
It has the regex string:
Two custom properties have the same Regex string
One applies to all events (High Level Category Any, Low Level Category Any), while the second applies only to the Event Name Object Opened Successfully (QID 5000026).
For example, there are three custom properties for the Microsoft Security Event log named ObjectName. They are each unique and apply in different cases:
One custom property applies only to the event name A new process has been created (QID 5000862).
It has the regex string:
New Process Name: (.*?) Two custom properties have the same Regex string
Object Name: (.*?)One applies to all events (High Level Category Any, Low Level Category Any), while the second applies only to the Event Name Object Opened Successfully (QID 5000026).
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
24 April 2024
UID
swg21682459