DSM Editor enhancements

The DSM Editor enhancements in QRadar® 7.4.2 include generating regex to parse event properties.

Generating regex for parsing event properties

QRadar 7.4.2 can suggest regular expressions (regex) when you enter event data in the Workspace. If you are not familiar with writing regular expressions, use this feature to generate them.

Highlight the payload text that you want to capture, and in the Properties tab, click Suggest Regex. The suggested expression appears in the Expression field. Alternatively, you can click the Regex button in the Workspace and select the property that you want to write an expression for. If QRadar is unable to generate a suitable regex for your data sample, a system message appears.

Tip: The regex generator works best for fields in well-structured event payloads. If your payload consists of complex data from natural language or unstructured events, the regex generator might not be able to parse it and does not return a result.
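A suggested expression is built from the sample data in the Workspace, so it is worth checking it against several events from the same log source before you save it. The following is an added example, not IBM code or QRadar output: the payloads and both candidate expressions are constructed, and Python's re module stands in for QRadar's regex engine, so it applies only to syntax that both share.

```python
import re

# Constructed sample payloads (not from a real log source), each paired with
# the value that the "username" property should yield.
SAMPLES = [
    ("<13>Oct 02 10:15:01 fw01 action=deny src=10.1.2.3 dst=192.0.2.10 user=alice",
     "alice"),
    ("<13>Oct 02 10:15:07 fw01 action=allow src=10.1.2.9 dst=192.0.2.44 user=svc-backup",
     "svc-backup"),
    ("<13>Oct 02 10:16:30 fw01 action=deny src=10.1.2.3 dst=192.0.2.10 user=bob.smith msg=\"retry\"",
     "bob.smith"),
]

def check_expression(pattern, group, samples):
    """Return (payload, expected, actual) for every sample the expression
    gets wrong; actual is None when the expression does not match at all."""
    compiled = re.compile(pattern)
    if group > compiled.groups:
        raise ValueError(f"capture group {group} is not defined in {pattern!r}")
    failures = []
    for payload, expected in samples:
        match = compiled.search(payload)
        actual = match.group(group) if match else None
        if actual != expected:
            failures.append((payload, expected, actual))
    return failures

# Hypothetical candidate expressions for the property (assumptions, not
# expressions produced by the DSM Editor).
OVERFIT = r"user=([a-z]+)$"    # fits only the shape of the first sample
GENERAL = r"user=([^\s\"]+)"   # any run of non-space, non-quote characters

def failing_count(pattern, group=1):
    """Number of constructed samples the expression fails to parse correctly."""
    return len(check_expression(pattern, group, SAMPLES))

if __name__ == "__main__":
    for name, pattern in (("overfit", OVERFIT), ("general", GENERAL)):
        for payload, expected, actual in check_expression(pattern, 1, SAMPLES):
            print(f"{name}: expected {expected!r}, got {actual!r} in: {payload}")
        print(f"{name}: {failing_count(pattern)} failing sample(s)")
```

An expression that silently returns no value for some events leaves those events without the property, which in turn weakens any rule or search that depends on it.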

The following figure shows how you can generate your regex with the Suggest Regex button in the Properties tab, or with the Regex button in the Workspace.

Figure 1. Suggest Regex button

Learn more about the DSM Editor workspace...