By default, all user names in Microsoft Windows Security Event Log events that end with a dollar sign ($) are treated as system users and are excluded from event parsing. If you want to change the way that IBM® QRadar parses these events, you can use the DSM Editor to include system users.
Procedure
- Click the Admin tab.
- In the Data Sources section, click DSM Editor.
- From the Select Log Source Type window, select Windows Security Event Log from the list, and click Select.
- On the Configuration tab, set Display DSM Parameters Configuration to on.
- From the Event Collector list, select the event collector for the log source.
- If you want usernames that end with a dollar sign ($) to always be considered system users, set the System User Criteria parameter value to Usernames Ending With A Dollar Sign Are Considered As System Users.
- If you want usernames that end with a dollar sign ($) to be considered system users only when they match the computer name, set the System User Criteria parameter value to Usernames Ending With a Dollar Sign If It Matches Computer Name Are Considered As System Users.
  Tip: A username is considered to match the computer name when the username (excluding the dollar sign) is equal to the computer name or, if the computer name is a fully qualified domain name, to the host component of the computer name. Letter case is ignored. For example, if the username is HOST$ and the computer name is host or host.example.com, then the username is considered to match the computer name.
- If you want usernames that end with a dollar sign ($) to never be considered system users, set the System User Criteria parameter value to Usernames Ending With a Dollar Sign Are Not Considered As System Users.
- Click Save and close the DSM Editor.
Tip: If the Include System User With (No) Identity parameter value is set to Include System User With No Identity or Include System User With Identity, all system users are included in parsing, regardless of the System User Criteria parameter value.
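The computer-name matching rule from the tip in the procedure, the three System User Criteria values, and the override described in the tip above can be modelled in a few lines so that an analyst can predict which account names a given setting removes from parsing. The following Python is an added example written for this page; it is not IBM QRadar code, and the enum, function names and sample events are this example's own assumptions.

```python
"""Model of the System User Criteria decision for Windows Security Event Log
user names. Added illustration, not IBM QRadar code: the names below are
this example's own."""
from enum import Enum


class SystemUserCriteria(Enum):
    """The three System User Criteria values offered in the DSM Editor
    (enum names are this example's shorthand for the UI labels)."""
    ALWAYS = "Usernames Ending With A Dollar Sign Are Considered As System Users"
    IF_MATCHES_COMPUTER = ("Usernames Ending With a Dollar Sign If It Matches "
                           "Computer Name Are Considered As System Users")
    NEVER = "Usernames Ending With a Dollar Sign Are Not Considered As System Users"


def matches_computer_name(username: str, computer_name: str) -> bool:
    """True when the username minus its trailing '$' equals the computer name,
    or the host component of a fully qualified computer name, ignoring case."""
    if not username.endswith("$"):
        return False
    account = username[:-1].lower()
    computer = computer_name.lower()
    host_component = computer.split(".", 1)[0]
    return account == computer or account == host_component


def is_system_user(username: str, computer_name: str,
                   criteria: SystemUserCriteria) -> bool:
    """Classify a user name under the chosen System User Criteria value."""
    if not username.endswith("$"):
        return False  # only dollar-suffixed names are ever candidates
    if criteria is SystemUserCriteria.NEVER:
        return False
    if criteria is SystemUserCriteria.ALWAYS:
        return True
    return matches_computer_name(username, computer_name)


def excluded_from_parsing(username: str, computer_name: str,
                          criteria: SystemUserCriteria,
                          include_system_users: bool = False) -> bool:
    """Whether the event's user name would be dropped from parsing.

    include_system_users models the 'Include System User With (No) Identity'
    parameter being set to one of its Include values, which keeps every
    system user in parsing regardless of the criteria."""
    if include_system_users:
        return False
    return is_system_user(username, computer_name, criteria)


def excluded_users(events, criteria: SystemUserCriteria,
                   include_system_users: bool = False):
    """Return the user names from (username, computer_name) pairs that the
    given settings would exclude, in input order."""
    return [u for u, c in events
            if excluded_from_parsing(u, c, criteria, include_system_users)]


# Constructed sample events (user name, computer name); not real log data.
SAMPLE_EVENTS = [
    ("HOST$", "host.example.com"),       # machine account of the logging host
    ("HOST$", "host"),                   # same account, short computer name
    ("DC01$", "host.example.com"),       # another computer's machine account
    ("alice", "host.example.com"),       # ordinary user, never a candidate
    ("svc_backup$", "HOST.EXAMPLE.COM"), # dollar-suffixed but not this host
]

if __name__ == "__main__":
    for crit in SystemUserCriteria:
        print(f"{crit.name:>20}: excluded {excluded_users(SAMPLE_EVENTS, crit)}")
    print("Include override set:",
          excluded_users(SAMPLE_EVENTS, SystemUserCriteria.ALWAYS, True))
```

Running the block shows the practical difference between the settings: ALWAYS drops every dollar-suffixed name, including DC01$ and svc_backup$ from other hosts, the computer-name option keeps those while still dropping the logging host's own machine account, and NEVER (or the Include override) keeps them all.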