IBM Support

QRadar: Can Coalescing with a Log Source Extension be based on Custom Properties

Question & Answer


Question

Can the Coalescing process be based on Properties other than Source IP, Destination IP, Destination Port, UserName, and Event ID?

Cause

Attempting to coalesce events on values other than the fixed default key fields.

Answer

Coalescing is based on a fixed key made up of five normalized properties:

  • Source IP
  • Destination IP
  • Destination Port
  • UserName
  • Event ID

There is no mechanism available to change which properties make up this key, so a custom property cannot be added to it.

All of the key values can be populated by a Log Source Extension (LSX). Alternatively, an LSX can be written so that a different value captured from the payload replaces one of the fields that feed the coalescing key: SourceIP, DestinationIP, DestinationPort, UserName, EventName, or EventCategory (the EventName and EventCategory matchers are what the DSM maps to the Event ID).

Overriding any of these fields to force coalescing on an alternative value also replaces the normalized value of that field for every event the extension parses. Rules, searches and reports that depend on the real source IP, username or event ID then see the substituted value instead, which is likely to invalidate processing further down the event pipeline.
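The following toy model, added here as an illustration and not code from IBM or QRadar, shows the trade-off described above. It groups constructed sample events by the five fixed key fields, then repeats the grouping after a hypothetical LSX override has copied a custom property (a session ID) into UserName. The override does split the coalesced group as intended, but it also breaks a downstream rule that filters on the real username. The field names, sample events and the `session_id` property are all assumptions for the example; the model ignores QRadar's time window and count threshold for coalescing and only shows how the key groups events.

```python
"""Toy model of QRadar event coalescing (added illustration, not IBM code).

QRadar coalesces events that share a key of five normalized fields:
Source IP, Destination IP, Destination Port, UserName and Event ID.
This model shows why a custom property cannot join that key, and what
happens when an LSX override replaces a key field with the custom value.
"""
from collections import OrderedDict

# The fixed coalescing key. Nothing in a log source extension can add a
# sixth field here; an LSX can only change what goes INTO these fields.
COALESCE_FIELDS = ("source_ip", "destination_ip",
                   "destination_port", "username", "event_id")

# Constructed sample events: the first three share every key field and
# differ only in a custom property ("session_id") that is not in the key.
SAMPLE_EVENTS = [
    {"source_ip": "10.0.0.5", "destination_ip": "192.0.2.10",
     "destination_port": 443, "username": "alice", "event_id": 5000001,
     "session_id": "A1"},
    {"source_ip": "10.0.0.5", "destination_ip": "192.0.2.10",
     "destination_port": 443, "username": "alice", "event_id": 5000001,
     "session_id": "B2"},
    {"source_ip": "10.0.0.5", "destination_ip": "192.0.2.10",
     "destination_port": 443, "username": "alice", "event_id": 5000001,
     "session_id": "A1"},
    {"source_ip": "10.0.0.7", "destination_ip": "192.0.2.10",
     "destination_port": 443, "username": "bob", "event_id": 5000001,
     "session_id": "C3"},
]


def coalesce_key(event):
    """Build the tuple QRadar would group on: only the five fixed fields."""
    return tuple(event[field] for field in COALESCE_FIELDS)


def coalesce(events):
    """Group events by the fixed key; returns an ordered {key: count} map."""
    buckets = OrderedDict()
    for event in events:
        key = coalesce_key(event)
        buckets[key] = buckets.get(key, 0) + 1
    return buckets


def override_username(events, custom_field):
    """Model an LSX override: the custom value REPLACES the normalized
    UserName. The original username is gone for every later consumer."""
    overridden = []
    for event in events:
        copy = dict(event)
        copy["username"] = event[custom_field]  # assumption: LSX maps this field
        overridden.append(copy)
    return overridden


def rule_matches_user(events, username):
    """A downstream rule or search that filters on the normalized UserName."""
    return [event for event in events if event["username"] == username]


if __name__ == "__main__":
    print("default key   :", dict(coalesce(SAMPLE_EVENTS)))
    forced = override_username(SAMPLE_EVENTS, "session_id")
    print("after override:", dict(coalesce(forced)))
    print("rule 'username=alice' before override:",
          len(rule_matches_user(SAMPLE_EVENTS, "alice")))
    print("rule 'username=alice' after override :",
          len(rule_matches_user(forced, "alice")))
```

With the default key the three alice events collapse into one bucket regardless of session ID; after the override they split by session as intended, but the rule looking for alice no longer matches anything because the normalized UserName now carries the session ID.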


Applies to: IBM Security QRadar SIEM (Log Activity component), versions 7.1 and 7.2, all editions, on Linux.

Document Information

Modified date:
16 June 2018

UID

swg21690479