Configuring QRadar to use previous connection event processing for Cisco Firepower Threat Defense

If you want to change the way that IBM QRadar parses connection events and restore the earlier behavior, which does not add action results, use the DSM Editor to enable previous connection event processing.

By default, Cisco Firepower Threat Defense connection events are extended with firewall action results ALLOW or BLOCK.

Procedure

  1. On the Admin tab, in the Data Sources section, click DSM Editor.
  2. From the Select Log Source Type window, select Cisco Firepower Threat Defense from the list, and then click Select.
  3. Click the Configuration tab, and then set Display DSM Parameters Configuration to on.
  4. Set Use Previous Connection Event Processing to on.
  5. Click Save.