Configuring QRadar® to collect only the first username from the alert

If you want to change the way that IBM QRadar processes IBM Security QRadar EDR events, use the DSM Editor to collect only the first username from the alert.

By default, the QRadar EDR DSM collects all usernames from the alert, combines them into a comma-separated list, and places that list in the username field.

Procedure

  1. On the Admin tab, in the Data Sources section, click DSM Editor.
  2. From the Select Log Source Type window, select IBM Security QRadar EDR from the list, and click Select.
  3. On the Configuration tab, set Display DSM Parameters Configuration to on.
  4. From the Event Collector list, select the event collector for the log source.
  5. Set Get First Username to on.
  6. Click Save and close the DSM Editor.