Configuring QRadar to parse the XML Level tag for application events that are collected from Microsoft Windows Security Event Log

By default, the Microsoft Windows Security Event Log DSM does not parse the Level tag when it determines the QID for XML-formatted application events. To enable parsing of the Level tag for this DSM, turn on the mapping in the DSM Editor.

Procedure

  1. Click the Admin tab.
  2. In the Data Sources section, click DSM Editor.
  3. From the Select Log Source Type window, select Microsoft Windows Security Event Log from the list, and click Select.
  4. On the Configuration tab, set Display DSM Parameters Configuration to on.
  5. From the Event Collector list, select the event collector for the log source.
  6. Set Enable XML Tag For XML Application events to on.
  7. Click Save and close the DSM Editor.
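
To check whether application events in your environment carry distinguishing Level values, the following added example (not IBM's code, and not QRadar's parsing logic) reads the Level element from Windows event XML and lists provider and EventID pairs that occur with more than one Level. The sample events and the names ExampleApp and ExampleSvc are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Standard Windows event Level values.
LEVELS = {0: "LogAlways", 1: "Critical", 2: "Error", 3: "Warning",
          4: "Information", 5: "Verbose"}

# Constructed sample events (not real log data); names are hypothetical.
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="{p}"/><EventID>{i}</EventID><Level>{l}</Level>'
    '<Channel>Application</Channel></System></Event>'
)
SAMPLES = [
    TEMPLATE.format(p="ExampleApp", i=1000, l=2),
    TEMPLATE.format(p="ExampleApp", i=1000, l=4),
    TEMPLATE.format(p="ExampleSvc", i=7, l=3),
]

def parse_event(xml_text):
    """Return (provider, event_id, level_name) for one event, or None."""
    try:
        system = ET.fromstring(xml_text).find("e:System", NS)
    except ET.ParseError:
        return None  # truncated or malformed payload
    if system is None:
        return None
    provider = system.find("e:Provider", NS)
    event_id = system.findtext("e:EventID", default="", namespaces=NS).strip()
    level = system.findtext("e:Level", default="", namespaces=NS).strip()
    if provider is None or not event_id.isdigit():
        return None
    # An absent or non-numeric Level is reported as "Missing".
    name = LEVELS.get(int(level), f"Level{level}") if level.isdigit() else "Missing"
    return provider.get("Name"), int(event_id), name

def level_sensitive_ids(events):
    """Map (provider, event_id) -> sorted levels, for IDs seen with >1 level."""
    seen = defaultdict(set)
    for xml_text in events:
        parsed = parse_event(xml_text)
        if parsed:
            seen[parsed[:2]].add(parsed[2])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for key, levels in level_sensitive_ids(SAMPLES).items():
        print(key, levels)
```

Pairs reported by `level_sensitive_ids` are the ones where the same EventID arrives at different severities, so they are the events to review after turning the setting on.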