Custom event properties in the QRadar DNS Analyzer app

Custom event properties are used to extract values from event payloads for non-normalized fields in QRadar. By default, QRadar normalizes data from the event payload and populates the user interface with standard event information. The event information, including user names, source IP, destination IP, and ports, is parsed by the Device Support Modules (DSM).

The following workflow describes how custom event properties are processed in the IBM® QRadar DNS Analyzer app:
  1. IBM QRadar DSM parses the url custom event property.
  2. The QRadar DNS Analyzer app ingests domain names from the url custom event property output by the IBM QRadar core.
Note: For information on the support for URL custom event properties, see technote #2017144 (
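
The two workflow steps above, sketched offline as an added example (not IBM's code and not the app's actual parser): a regex stands in for the url custom event property, and a helper derives the domain name from each extracted value. The `url=` key, the regex, the payloads and the function names are all assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical regex standing in for a "url" custom event property definition.
URL_PROPERTY_RE = re.compile(r"\burl=(?P<url>\S+)")

# Constructed proxy-style payloads (not real log data).
SAMPLE_PAYLOADS = [
    "<134>proxy01 action=allowed src=10.0.0.5 url=http://www.example.com/index.html",
    "<134>proxy01 action=allowed src=10.0.0.6 url=https://user@Login.Example.ORG.:8443/a?b=c",
    "<134>proxy01 action=blocked src=10.0.0.7 url=cdn.example.net:8080/static/app.js",
    "<134>proxy01 action=allowed src=10.0.0.8 url=http://192.0.2.10/download",
    "<134>proxy01 action=allowed src=10.0.0.9 dst=198.51.100.4",  # no url field
]

def extract_url(payload):
    """Step 1: pull the url value out of the raw event payload."""
    match = URL_PROPERTY_RE.search(payload)
    return match.group("url") if match else None

def domain_from_url(url):
    """Step 2: reduce a url value to a domain name, or None if there is none."""
    if "://" not in url:
        # Without a scheme, urlsplit would read "host:port/path" as scheme + path.
        url = "//" + url
    try:
        host = urlsplit(url).hostname  # drops userinfo and port, lowercases
    except ValueError:  # malformed bracketed IPv6 literal
        return None
    if not host:
        return None
    host = host.rstrip(".")  # normalise a fully qualified trailing dot
    try:
        ipaddress.ip_address(host)
        return None  # IP literal: no domain name to analyse
    except ValueError:
        return host

def domains_from_payloads(payloads):
    """Run both steps over a batch of payloads, skipping events with no domain."""
    urls = (extract_url(p) for p in payloads)
    domains = (domain_from_url(u) for u in urls if u)
    return [d for d in domains if d]

if __name__ == "__main__":
    print(domains_from_payloads(SAMPLE_PAYLOADS))
```

Events whose url value is an IP literal, or that carry no url field at all, yield no domain, which is worth checking for when a log source appears to produce no DNS Analyzer results.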