Discovering unknown events

As your device forwards events to IBM QRadar, it can take time to categorize all of the events from that device, because some event types are generated only occasionally by the event source appliance or software and might not appear for hours or days after the log source is set up.

About this task

It is helpful to know how to search quickly for unknown events. You can repeat this search periodically until you are satisfied that most of your Universal LEEF events are identified and mapped.

Procedure

  1. Log in to QRadar.
  2. Click the Log Activity tab.
  3. Click Add Filter.
  4. From the first list, select Log Source.
  5. From the Log Source Group list, select the log source group or Other.

    Log sources that are not assigned to a group are categorized as Other.

  6. From the Log Source list, select your Universal LEEF log source.
  7. Click Add Filter.

    The Log Activity tab is displayed with a filter for your Universal LEEF DSM.

  8. From the View list, select Last Hour.

    Any events that your Universal LEEF DSM generated in the last hour are displayed. Events that show Unknown in the Event Name column or in the Low Level Category column are not yet mapped and require event mapping in QRadar.

    Note: You can save your existing search filter by clicking Save Criteria.

    You are now ready to modify the event map for your Universal LEEF DSM.
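The Log Activity filter above tells you which events QRadar could not map, but it does not tell you which LEEF EventID values are behind them. The following Python script is an added example, not IBM code and not part of this procedure: it parses LEEF 1.0 and 2.0 syslog payloads offline, groups them by the EventID header field that the Universal LEEF event map is keyed on, and reports the EventIDs that are not yet in a mapping table you maintain. The sample syslog lines, the vendor and product names, and the set of already-mapped EventIDs are all constructed for the example; the only assumption about QRadar is that the Universal LEEF DSM maps events by their EventID header field.

```python
"""Offline triage of Universal LEEF events before mapping them in QRadar.

Added example, not IBM code. Parses LEEF 1.0/2.0 payloads, groups them by
the EventID header field, and lists EventIDs missing from a mapping table.
"""
import re
from collections import Counter

# Split header fields on '|' unless it is escaped as '\|' (LEEF allows that).
_PIPE = re.compile(r"(?<!\\)\|")


def _decode_delim(token):
    """LEEF 2.0 attribute delimiter: a literal character or a hex form such as x09 / 0x09."""
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{2})", token)
    return chr(int(m.group(1), 16)) if m else token


def parse_leef(line):
    """Parse one syslog line carrying a LEEF payload.

    Returns a dict with version, vendor, product, product_version, event_id and
    attrs, or None if the line carries no LEEF payload or the header is short.
    """
    start = line.find("LEEF:")          # skip any syslog PRI/timestamp/host prefix
    if start < 0:
        return None
    fields = _PIPE.split(line[start:])
    version = fields[0][len("LEEF:"):]
    if version == "1.0":
        if len(fields) < 6:
            return None
        vendor, product, pver, event_id = fields[1:5]
        delim = "\t"                    # LEEF 1.0 always uses a tab between attributes
        payload = "|".join(fields[5:])  # re-join: attribute values may contain '|'
    elif version == "2.0":
        if len(fields) < 7:
            return None
        vendor, product, pver, event_id, delim_tok = fields[1:6]
        delim = _decode_delim(delim_tok) if delim_tok else "\t"  # empty field means tab
        payload = "|".join(fields[6:])
    else:
        return None
    attrs = {}
    for kv in payload.split(delim):
        if "=" in kv:
            key, value = kv.split("=", 1)
            attrs[key.strip()] = value
    return {
        "version": version,
        "vendor": vendor.replace("\\|", "|"),
        "product": product.replace("\\|", "|"),
        "product_version": pver,
        "event_id": event_id,
        "attrs": attrs,
    }


def unmapped_event_ids(lines, mapped_ids):
    """Count events per (vendor, product, EventID) whose EventID is not in mapped_ids.

    mapped_ids is the set of EventIDs you have already mapped to QIDs in the
    Universal LEEF event map; what comes back is the work that remains.
    """
    seen = Counter()
    for line in lines:
        ev = parse_leef(line)
        if ev is not None:
            seen[(ev["vendor"], ev["product"], ev["event_id"])] += 1
    return {key: n for key, n in seen.items() if key[2] not in mapped_ids}


# Constructed sample events (hypothetical vendor "Example", product "Gateway").
SAMPLE_LINES = [
    "<13>Jan 18 11:07:53 gw1 LEEF:1.0|Example|Gateway|1.2|LoginOK|src=10.0.0.5\tusrName=alice",
    "<13>Jan 18 11:07:54 gw1 LEEF:1.0|Example|Gateway|1.2|LoginFail|src=10.0.0.9\tusrName=bob",
    "<13>Jan 18 11:07:55 gw1 LEEF:2.0|Example|Gateway|1.2|PolicyChange|^|src=10.0.0.3^usrName=carol^policy=p1",
    "<13>Jan 18 11:07:56 gw1 LEEF:2.0|Example|Gateway|1.2|LoginFail|x09|src=10.0.0.9\tusrName=bob",
    "<13>Jan 18 11:07:57 gw1 not a LEEF event at all",
]

# EventIDs assumed to be mapped already (constructed for the example).
MAPPED = {"LoginOK", "LoginFail"}

if __name__ == "__main__":
    for (vendor, product, event_id), count in unmapped_event_ids(SAMPLE_LINES, MAPPED).items():
        print(f"{vendor}/{product} EventID={event_id}: {count} unmapped event(s)")
```

Feed the script the raw syslog lines your appliance sends (a packet capture or the appliance's own log export works), and the output is the list of EventIDs to add when you modify the event map. Rerunning it over a longer capture is the offline equivalent of repeating the Last Hour search until few unknowns remain.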