Question & Answer
Question
When creating custom properties for vendor-specific items, should users try to standardize or normalize the common properties with QRadar?
Answer
Yes. It is a best practice to normalize vendor-specific fields into a common property within QRadar. Whenever a user wants to capture a value from a raw event as a custom property, they should aim to add an expression to an existing property with the same meaning rather than create a new one. A customer who is just getting started could begin by installing this extension from the App Exchange. The app provides a good baseline of properties that align with the various content packs the QRadar content team has produced.
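The following is an added illustration, not IBM or QRadar code: a simplified Python model of one common property fed by one extraction expression per log source type, so a single search covers every vendor. The property name `File Hash`, the vendor names, the log formats and the regexes are all constructed assumptions.

```python
import re

# Hypothetical common property with one extraction expression per log source type.
# Property name, vendor names, formats and regexes are constructed for illustration.
PROPERTY_EXPRESSIONS = {
    "File Hash": [
        ("VendorA-AV", re.compile(r"\bsha256=([0-9a-fA-F]{64})\b")),
        ("VendorB-EDR", re.compile(r'"file_sha256"\s*:\s*"([0-9a-fA-F]{64})"')),
    ],
}

def extract_properties(log_source_type, payload):
    """Return {property: value} using the expressions scoped to this log source type."""
    found = {}
    for prop, expressions in PROPERTY_EXPRESSIONS.items():
        for source_type, pattern in expressions:
            if source_type != log_source_type:
                continue  # expression belongs to another vendor's log source type
            match = pattern.search(payload)
            if match:
                found[prop] = match.group(1).lower()  # normalize case across vendors
                break
    return found

H = "ab" * 32  # constructed 64-character hex value, not a real indicator

# Constructed sample events: (log source type, raw payload)
SAMPLE_EVENTS = [
    ("VendorA-AV", f"<134>av: action=quarantine sha256={H.upper()} user=alice"),
    ("VendorB-EDR", '{"event":"detect","file_sha256":"' + H + '","host":"ws01"}'),
    ("VendorB-EDR", '{"event":"heartbeat","host":"ws01"}'),
]

def search(prop, value):
    """One search on the common property matches events from every vendor feeding it."""
    hits = []
    for source_type, payload in SAMPLE_EVENTS:
        if extract_properties(source_type, payload).get(prop) == value:
            hits.append(source_type)
    return hits

if __name__ == "__main__":
    # Both vendors match; per-vendor properties would need a separate search
    # or rule test for each one.
    print(search("File Hash", H))
```

Onboarding a third vendor in this model means appending one expression to the existing property; searches and rule tests written against the property stay unchanged.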
Document Information
Modified date: 21 September 2023
UID: ibm17034339