Viewing event details

You can view a list of events in various modes, including streaming mode or in event groups. In whichever mode you choose to view events, you can locate and view the details of a single event.

The event details page provides the following information:
Table 1. Event details
Parameter Description
Event Name Specifies the normalized name of the event.
Low Level Category Specifies the low-level category of this event.

For more information about categories, see the IBM® QRadar Administration Guide.

Event Description Specifies a description of the event, if available.
Magnitude Specifies the magnitude of this event. For more information about magnitude, see the Glossary (http://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/r_qradar_product_glossary.html).
Relevance Specifies the relevance of this event. For more information about relevance, see the Glossary (http://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/r_qradar_product_glossary.html).
Severity Specifies the severity of this event. For more information about severity, see the Glossary (http://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/r_qradar_product_glossary.html).
Credibility Specifies the credibility of this event. For more information about credibility, see the Glossary (http://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/r_qradar_product_glossary.html).
Username Specifies the user name that is associated with this event, if available.

To access more information that is associated with a selected user name, right-click the user name for View Assets and View Events menu options.

Start Time Specifies the time that the event was received from the log source.
Storage Time Specifies the time that the event was stored in the QRadar® database.
Log Source Time Specifies the system time as reported by the log source in the event payload.
Anomaly Detection Information - This pane is only displayed if this event was generated by an anomaly detection rule. Click the Anomaly icon to view the saved search results that caused the anomaly detection rule to generate this event.

Rule Description Specifies the anomaly detection rule that generated this event.
Anomaly Description Specifies a description of the anomalous behavior that was detected by the anomaly detection rule.
Anomaly Alert Value Specifies the anomaly alert value.

Source and Destination information
Source IP Specifies the source IP address of the event.
Destination IP Specifies the destination IP address of the event.
Source Asset Name Specifies the user-defined asset name of the event source. For more information about assets, see Asset management.
Destination Asset Name Specifies the user-defined asset name of the event destination. For more information about assets, see Asset management.
Source Port Specifies the source port of this event.
Destination Port Specifies the destination port of this event.
Pre NAT Source IP For a firewall or another device capable of Network Address Translation (NAT), this parameter specifies the source IP address before the NAT values were applied. NAT translates an IP address in one network to a different IP address in another network.
Pre NAT Destination IP For a firewall or another device capable of NAT, this parameter specifies the destination IP address before the NAT values were applied.
Pre NAT Source Port For a firewall or another device capable of NAT, this parameter specifies the source port before the NAT values were applied.
Pre NAT Destination Port For a firewall or another device capable of NAT, this parameter specifies the destination port before the NAT values were applied.
Post NAT Source IP For a firewall or another device capable of NAT, this parameter specifies the source IP address after the NAT values were applied.
Post NAT Destination IP For a firewall or another device capable of NAT, this parameter specifies the destination IP address after the NAT values were applied.
Post NAT Source Port For a firewall or another device capable of NAT, this parameter specifies the source port after the NAT values were applied.
Post NAT Destination Port For a firewall or another device capable of NAT, this parameter specifies the destination port after the NAT values were applied.
Source IPv6 Specifies the source IPv6 address of the event.
Destination IPv6 Specifies the destination IPv6 address of the event.
Source MAC Specifies the source MAC address of the event.
Destination MAC Specifies the destination MAC address of the event.
Payload information
Payload Specifies the payload content from the event. This field offers 3 tabs to view the payload:
  • Universal Transformation Format (UTF) - Click UTF.
  • Hexadecimal - Click HEX.
  • Base64 - Click Base64.
Additional information
Protocol Specifies the protocol that is associated with this event.
QID Specifies the QID for this event. Each event has a unique QID. For more information about mapping a QID, see Modifying event mapping.
Log Source Specifies the log source that sent the event to QRadar. If there are multiple log sources that are associated with this event, this field specifies the term Multiple and the number of log sources.
Event Count Specifies the total number of events that are bundled in this normalized event. Events are bundled when many of the same type of event for the same source and destination IP address are seen within a short time.
Custom Rules Specifies custom rules that match this event.
Custom Rules Partially Matched Specifies custom rules that partially match this event.
Annotations Specifies the annotation for this event. Annotations are text descriptions that rules can automatically add to events as part of the rule response.
Identity information - QRadar collects identity information, if available, from log source messages. Identity information provides extra details about assets on your network. Log sources only generate identity information if the log message sent to QRadar contains an IP address and at least one of the following items: user name or MAC address. Not all log sources generate identity information.
Identity Username Specifies the user name of the asset that is associated with this event.
Identity IP Specifies the IP address of the asset that is associated with this event.
Identity Net Bios Name Specifies the Network Basic Input/Output System (NetBIOS) name of the asset that is associated with this event.
Identity Extended field Specifies more information about the asset that is associated with this event. The content of this field is user-defined text and depends on the devices on your network that are available to provide identity information. Examples include: physical location of devices, relevant policies, network switch, and port names.
Has Identity (Flag) Specifies True if QRadar has collected identity information for the asset that is associated with this event.

For more information about which devices send identity information, see the IBM QRadar DSM Configuration Guide.

Identity Host Name Specifies the host name of the asset that is associated with this event.
Identity MAC Specifies the MAC address of the asset that is associated with this event.
Identity Group Name Specifies the group name of the asset that is associated with this event.
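The following is an added example, not IBM QRadar code, showing how two of the values in the table above can be derived from a constructed batch of parsed events: Event Count, by bundling same-type events for the same source and destination IP seen within a short time, and Has Identity (Flag), from the rule that a message must carry an IP address and a user name or MAC address. The 10-second window, the grouping key (QID plus source and destination IP) and the QID values are assumptions made for this example, not documented QRadar settings.

```python
from dataclasses import dataclass

COALESCE_WINDOW_SECS = 10  # assumed value for "a short time"; not a documented QRadar setting


@dataclass
class Event:
    qid: int              # event type, as in the QID field
    source_ip: str
    destination_ip: str
    start_time: int       # epoch seconds at which the event was received
    username: str = ""
    mac: str = ""
    event_count: int = 1  # Event Count: how many raw events this normalized event bundles


def has_identity(ev: Event) -> bool:
    """Has Identity (Flag): an IP address plus at least one of user name or MAC address."""
    return bool(ev.source_ip) and bool(ev.username or ev.mac)


def coalesce(events: list[Event]) -> list[Event]:
    """Bundle same-type events for the same source/destination IP that arrive within
    the window into one normalized event, incrementing its Event Count.
    Assumed grouping key: (QID, source IP, destination IP)."""
    open_groups: dict[tuple, Event] = {}   # key -> representative normalized event
    result: list[Event] = []
    for ev in sorted(events, key=lambda e: e.start_time):
        key = (ev.qid, ev.source_ip, ev.destination_ip)
        rep = open_groups.get(key)
        if rep is not None and ev.start_time - rep.start_time <= COALESCE_WINDOW_SECS:
            rep.event_count += 1          # same bundle: count it, do not emit a new event
            continue
        rep = Event(**vars(ev))           # copy so the input list is not mutated
        rep.event_count = 1
        open_groups[key] = rep            # new bundle starts with this event
        result.append(rep)
    return result


# Constructed sample: repeated events from one host to one server; QIDs are made up.
SAMPLE = [
    Event(5000001, "10.0.0.5", "10.0.0.20", 1000, username="alice"),
    Event(5000001, "10.0.0.5", "10.0.0.20", 1003, username="alice"),
    Event(5000001, "10.0.0.5", "10.0.0.20", 1009, username="alice"),
    Event(5000001, "10.0.0.5", "10.0.0.20", 1025, username="alice"),  # beyond window: new bundle
    Event(5000002, "10.0.0.7", "10.0.0.20", 1004),                    # IP only: no identity info
]

if __name__ == "__main__":
    for ev in coalesce(SAMPLE):
        print(ev.qid, ev.source_ip, ev.destination_ip, "Event Count:", ev.event_count,
              "Has Identity:", has_identity(ev))
```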