Configuring event mapping for Universal CEF events

Universal CEF events do not contain a predefined QRadar® Identifier (QID) map to categorize security events. You must search for unknown events from the Universal CEF log source and map them to high and low-level categories.

Before you begin

Ensure that you installed the Universal CEF DSM and added a log source for it in QRadar.

About this task

By default, the Universal CEF DSM categorizes all events as unknown. All Universal CEF events display a value of unknown in the Event Name and Low Level Category columns on the Log Activity tab. You must modify the QID map to individually map each event for your device to an event category in QRadar. Mapping events allows QRadar to identify, coalesce, and track events from your network devices.

For more information about event mapping, see the IBM QRadar User Guide.

Procedure

  1. Log in to QRadar.
  2. Click the Log Activity tab.
  3. Click Add Filter.
  4. From the first list, select Log Source.
  5. From the Log Source Group list, select Other.
  6. From the Log Source list, select your Universal CEF log source.
  7. Click Add Filter.
  8. From the View list, select Last Hour.
  9. Optional: Click Save Criteria to save your existing search filter.
  10. On the Event Name column, double-click an unknown event for your Universal CEF DSM.
  11. Click Map Event.
  12. From the Browse for QID pane, select any of the following search options to narrow the event categories for a QRadar Identifier (QID):
    • From the High-Level Category list, select a high-level event category. For a full list of high-level and low-level event categories or category definitions, see the Event Categories section of the IBM QRadar Administration Guide.
    • From the Low-Level Category list, select a low-level event category.
    • From the Log Source Type list, select a log source type.
      Tip: Searching for QIDs by log source type is useful when the events from your Universal CEF DSM resemble those of an existing network device. For example, if your Universal CEF log source provides firewall events, you might select Cisco ASA, because another firewall product is likely to capture similar events.
    • To search for a QID by name, type a name in the QID/Name field.
  13. Click Search.
  14. Select the QID that you want to associate with your unknown Universal CEF DSM event and click OK.
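Before working through the Log Activity search above, it helps to know how many distinct event types the Universal CEF log source actually emits, because each distinct CEF signature ID and name is one QID mapping you will have to make. The script below is an added example written for this page, not IBM's or the DSM's code: it parses the standard CEF header (CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension), honours the backslash-escaped pipes the CEF format allows in header fields, and counts events by signature ID and name. The sample log lines and the vendor and product names in them are constructed for the example.

```python
"""Inventory distinct event signatures in a batch of CEF lines.

Added example: counts (signature_id, name) pairs so an analyst knows how
many unknown Universal CEF events need a QID mapping in QRadar.
"""
import re
from collections import Counter

# Constructed sample of syslog-wrapped CEF lines (not real device output).
# The fourth line has a backslash-escaped pipe inside the Name header field.
SAMPLE_LOG = """\
<134>Jan 12 10:01:02 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection denied|5|src=10.0.0.5 dst=10.0.0.9 spt=51234 dpt=445
<134>Jan 12 10:01:03 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection denied|5|src=10.0.0.7 dst=10.0.0.9 spt=51240 dpt=445
<134>Jan 12 10:01:05 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|200|Connection allowed|2|src=10.0.0.5 dst=10.0.0.20 dpt=443
<134>Jan 12 10:01:07 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|300|Rule \\| policy updated|3|suser=admin msg=rule 42 changed
not a cef line at all
"""

# The seven pipe-delimited CEF header fields, in order; the rest is the extension.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


def split_header(cef_body):
    """Split the header fields from the text after 'CEF:'.

    A backslash escapes the next character, so '\\|' inside a field does not
    end that field. Returns (header_fields, extension_string).
    """
    fields, current, i = [], [], 0
    while i < len(cef_body) and len(fields) < len(HEADER_FIELDS):
        ch = cef_body[i]
        if ch == "\\" and i + 1 < len(cef_body):
            current.append(cef_body[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    return fields, cef_body[i:]


def parse_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict.

    Values may contain spaces, so a value runs until the next ' key=' token.
    """
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext.strip()))


def parse_cef(line):
    """Return a dict for one CEF line, or None if the line is not well-formed CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    fields, ext = split_header(line[idx + len("CEF:"):])
    if len(fields) != len(HEADER_FIELDS):
        return None  # truncated header: fewer than seven pipe-delimited fields
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = parse_extension(ext)
    return event


def inventory(log_text):
    """Count events by (signature_id, name); each distinct key is one QID mapping to make."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_cef(line)
        if event is None:
            continue  # non-CEF or malformed lines would also show as unparsed in QRadar
        counts[(event["signature_id"], event["name"])] += 1
    return counts


if __name__ == "__main__":
    for (sig_id, name), n in sorted(inventory(SAMPLE_LOG).items()):
        print(f"signature {sig_id:>4}  {name!r:<28} {n} event(s)")
```

Run it against an export of raw payloads from the Universal CEF log source and the sorted output is your checklist for step 10 onward: each line is one unknown event to double-click and map. The parser deliberately treats a line with fewer than seven header fields as unparseable rather than guessing, since a device that emits malformed headers will need fixing on the source side before any QID mapping holds up.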