IBM Support

QRadar: How to edit DSM parameters configuration from the QRadar API

How To


Summary

This document contains step-by-step instructions for editing the DSM configuration parameters shown in the DSM Editor by using the QRadar API.

Objective

The purpose of this guide is to explain how to edit the DSM Parameters Configuration shown in the DSM Editor for a specific DSM type by using the QRadar API.
Parameter examples are:
  • Enable XML Level Tag For XML Application events
  • Parse Snare Service Logs
This configuration can be seen in the user interface in the DSM Editor, under the Configuration tab.
Note: The DSM parameters vary depending on the DSM log source type. For example, the parameters for Microsoft Windows Security Event Log are not the same as those for Linux OS.

Steps

  1. SSH to the QRadar console as an admin.
  2. Get the DSM type ID. Find the DSM ID for the log source type by running the following command, replacing <log_source_type> with the log source type name, or part of the name (ILIKE makes the match case-insensitive):
    psql -U qradar -c "select id,devicetypename,devicetypedescription from sensordevicetype where devicetypedescription ILIKE '%<log_source_type>%';"
    Example: the following command finds the DSM ID for the Microsoft Windows Security Event Log log source type; the ID is 12.
    psql -U qradar -c "select id,devicetypename,devicetypedescription from sensordevicetype where devicetypedescription ILIKE '%Windows Security%';"
     id |  devicetypename   |        devicetypedescription
    ----+-------------------+--------------------------------------
     12 | WindowsAuthServer | Microsoft Windows Security Event Log
    (1 row)
  3. Access the QRadar API interface. Log in to the QRadar console through the user interface, then click Interactive API for Developers.
  4. Click config, then event_sources, then log_source_management, then log_source_types.
  5. In this section, select dsm_parameter_configuration, then click dsm_parameters.
  6. Click GET.
  7. Scroll down, then click the Try It Out! button.
  8. In the response body, the API returns all the parameters and their definitions. Search (Ctrl + F) for the parameter to be edited; in this example, the parameter is "Enable XML Level Tag For XML Application events". Copy both IDs and the event_collector_id.
    Note: At this point the parameter is disabled: "value": "false".
  9. With both IDs and the event collector ID, click PATCH.
  10. Scroll down to the Parameters section.
  11. In the value field of the dsm_parameters parameter, paste the new settings in this format:
    Note: Each property has a definition number (the first ID, dsm_parameter_definition_id), a property ID (the second ID, id), and a collector ID (event_collector_id; -1 is the default collector ID). sensor_device_type_id is the DSM ID found in step 2.
    { "dsm_parameter_definition_id": <first ID>, "event_collector_id": -1, "id": <second ID>, "sensor_device_type_id": <DSM ID>, "value": "<true/false>" }
    For example:
    { "dsm_parameter_definition_id": 12080, "event_collector_id": -1, "id": 17, "sensor_device_type_id": 12, "value": "true" }
    If more than one property needs to be edited, put all the properties on the same line, each one enclosed in its own set of curly brackets.

    The following line is an example of three properties being changed at the same time:
    {"dsm_parameter_definition_id": 12023,"event_collector_id": -1,"id": 2357,"sensor_device_type_id": 12,"value": "true"}{"dsm_parameter_definition_id": 12060,"event_collector_id": -1,"id": 7,"sensor_device_type_id": 12,"value": "true"}{"dsm_parameter_definition_id": 12040,"event_collector_id": -1,"id": 5,"sensor_device_type_id": 12,"value": "Include System User With No Identity"}

    Result
    The Enable XML Level Tag For XML Application events parameter is now enabled. Verify the setting in the DSM Editor, under the Configuration tab.
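The following script is an added example, not IBM's code, that automates steps 8 to 11: it locates a parameter in the GET response by DSM ID and name, carries its IDs into a PATCH object exactly as the page describes, and renders the concatenated single-line body that is pasted into the interactive API. The endpoint path is derived from the interactive API navigation in steps 4 and 5 and is an assumption, as is the human-readable "name" field on each parameter object, the SEC token header, and the JSON-array framing used when sending the PATCH directly over HTTP rather than through the interactive API. The sample GET response is constructed from the IDs on this page.

```python
"""Edit QRadar DSM parameters through the REST API (added example, not IBM code).

Assumptions not stated on the page: the endpoint path, the "name" field in the
GET response, the SEC token header, and the JSON-array body used for a direct
HTTP PATCH. The interactive API paste format (objects concatenated on one line)
is the one the page shows.
"""
import json
import ssl
import urllib.request

# Assumed path, built from: config > event_sources > log_source_management >
# log_source_types > dsm_parameter_configuration > dsm_parameters
DSM_PARAMETERS_PATH = ("/api/config/event_sources/log_source_management/"
                       "log_source_types/dsm_parameter_configuration/dsm_parameters")

# Constructed sample of a GET response. IDs come from the page; the "name"
# field and the third entry's name are assumptions about the response format.
SAMPLE_DSM_PARAMETERS = [
    {"dsm_parameter_definition_id": 12080, "event_collector_id": -1, "id": 17,
     "sensor_device_type_id": 12, "value": "false",
     "name": "Enable XML Level Tag For XML Application events"},
    {"dsm_parameter_definition_id": 12023, "event_collector_id": -1, "id": 2357,
     "sensor_device_type_id": 12, "value": "false",
     "name": "Parse Snare Service Logs"},
    {"dsm_parameter_definition_id": 12040, "event_collector_id": -1, "id": 5,
     "sensor_device_type_id": 12, "value": "Exclude System User",
     "name": "System User Handling"},
]


def find_parameter(params, sensor_device_type_id, name, event_collector_id=-1):
    """Return the one parameter object for a DSM type, name and collector.

    Filtering on sensor_device_type_id (the ID from the psql query in step 2)
    avoids picking up a same-named parameter that belongs to another DSM.
    """
    matches = [p for p in params
               if p["sensor_device_type_id"] == sensor_device_type_id
               and p["event_collector_id"] == event_collector_id
               and p.get("name") == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one match for {name!r} on DSM "
                          f"{sensor_device_type_id}, found {len(matches)}")
    return matches[0]


def build_patch_entry(param, new_value):
    """Build the PATCH object in the page's format: the three IDs and the
    collector ID are copied unchanged, only the value is replaced."""
    if not isinstance(new_value, str):
        raise TypeError("value must be a string such as 'true' or 'false'")
    return {
        "dsm_parameter_definition_id": param["dsm_parameter_definition_id"],
        "event_collector_id": param["event_collector_id"],
        "id": param["id"],
        "sensor_device_type_id": param["sensor_device_type_id"],
        "value": new_value,
    }


def render_patch_body(entries):
    """Serialise entries the way step 11 pastes them into the interactive API:
    one object after another on a single line, each in its own braces."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in entries)


def parse_patch_body(body):
    """Parse a concatenated-object body back into a list, so a hand-written
    paste can be checked for syntax errors before it is submitted."""
    decoder = json.JSONDecoder()
    entries, pos = [], 0
    while pos < len(body):
        obj, pos = decoder.raw_decode(body, pos)   # raises on malformed JSON
        entries.append(obj)
        while pos < len(body) and body[pos].isspace():
            pos += 1
    return entries


def patch_dsm_parameters(console, token, entries, verify_tls=True):
    """Send the PATCH directly (assumed: JSON array body, SEC token header).
    Not called by the offline demonstration below."""
    ctx = ssl.create_default_context()
    if not verify_tls:                      # only for lab consoles with self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{console}{DSM_PARAMETERS_PATH}",
        data=json.dumps(entries).encode(),
        method="PATCH",
        headers={"SEC": token, "Accept": "application/json",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Offline dry run against the constructed sample: enable the XML tag parameter.
    param = find_parameter(SAMPLE_DSM_PARAMETERS, 12,
                           "Enable XML Level Tag For XML Application events")
    body = render_patch_body([build_patch_entry(param, "true")])
    print(body)
    assert parse_patch_body(body)[0]["value"] == "true"
```

Run it with the GET response saved from the interactive API in place of SAMPLE_DSM_PARAMETERS, and verify the resulting body with parse_patch_body before pasting it into the PATCH form; a missing quote such as the one in the page's original template is caught there rather than by the server.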

Document Location

Worldwide


Document Information

Modified date:
20 December 2022

UID

ibm16838283