Data is not sent for analysis
If your data is not being sent for analysis, you can verify that your properties are mapped and parsed correctly. You can also verify how your offenses are indexed.
If your data is not being sent for analysis, you can:
- Verify that the properties that hold your IP addresses, URLs, domains, and file hashes are mapped to the correct canonical type. You can map your properties in the Property Mapping section of the QRadar® Advisor with Watson™ Configuration page.
- Verify that the property is parsing properly. For example, suppose that you created a custom property called MyFileHash that parses hashes out of your anti-virus logs, and you configured it in the property mapping section of the QRadar Advisor with Watson app. Open an anti-virus event from which you expect MyFileHash to extract a hash, and verify that the hash is being parsed out of the payload correctly.
- Check how your offense is indexed. For offenses indexed by source or destination IP, the QRadar Advisor with Watson app mines for data activity that surrounds the offense and that is attached to the offense. For other types of offense indexes, the QRadar Advisor with Watson app mines only events or flows that are attached directly to the offense.
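The parsing check in the second item can be rehearsed offline before you inspect live events. The following is an added example, not part of the product documentation: it runs a candidate extraction regex over sample payloads and flags events where nothing is captured or where the captured value is not a complete hash. The regex, the payloads, and the function names are assumptions made for illustration; QRadar evaluates custom property expressions as Java regular expressions, which behave the same as Python's for a simple pattern like this one.

```python
import re

# Hypothetical extraction regex for the MyFileHash custom property.
# Capture group 1 is the value. Replace with the regex you configured.
MYFILEHASH_REGEX = r"\bhash=([0-9A-Fa-f]+)\b"

# Hex digest lengths of the hash types commonly found in anti-virus logs.
HASH_TYPES = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}

# Constructed sample payloads (not real logs).
SAMPLE_PAYLOADS = [
    "<134>av01 AVScan: action=quarantine file=/tmp/a.bin hash=" + "a1" * 32,
    "<134>av01 AVScan: hash=" + "0F" * 16 + " action=clean file=/tmp/b.bin",
    "<134>av02 AVScan: hash=" + "abc123" * 5 + " result=blocked",  # truncated
    "<134>av03 Engine: sha1: " + "b2" * 20 + " verdict=malicious",  # other key
]


def check_payload(payload, pattern=MYFILEHASH_REGEX):
    """Return (status, value): 'ok:<type>', 'bad_length', or 'no_match'."""
    match = re.search(pattern, payload)
    if match is None:
        # The property would be empty for this event, so no hash is analyzed.
        return ("no_match", None)
    value = match.group(1)
    kind = HASH_TYPES.get(len(value))
    if kind is None:
        # Something was captured, but it is not a full-length digest.
        return ("bad_length", value)
    return ("ok:" + kind, value.lower())


def summarize(payloads, pattern=MYFILEHASH_REGEX):
    """Check every payload and count the outcomes per status."""
    results = [check_payload(p, pattern) for p in payloads]
    counts = {}
    for status, _ in results:
        counts[status] = counts.get(status, 0) + 1
    return results, counts


if __name__ == "__main__":
    results, counts = summarize(SAMPLE_PAYLOADS)
    for payload, (status, value) in zip(SAMPLE_PAYLOADS, results):
        print(f"{status:12} {value}  <- {payload[:50]}")
    print(counts)
```

A `no_match` or `bad_length` result for a log format you rely on means the property yields no usable hash for those events, even when the property mapping itself is correct.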