Modifying an event map

Modifying an event map allows you to manually categorize events to a IBM QRadar Identifier (QID) map.

1. On the Event Name column, double-click an unknown event for your Universal LEEF DSM.

   The detailed event information is displayed.

2. Click Map Event.
3. From the Browse for QID pane, select any of the following search options to narrow the event categories for a QRadar Identifier (QID):
   1. From the High-Level Category list, select a high-level event categorization.

      For a full list of high-level and low-level event categories or category definitions, see the Event Categories section of the IBM QRadar Administration Guide.

4. From the Low-Level Category list, select a low-level event categorization.
5. From the Log Source Type list, select a log source type.

   The Log Source Type list allows you to search for QIDs from other individual log sources. Searching for QIDs by log source is useful when the events from your Universal LEEF DSM are similar to another existing network device. For example, if your Universal LEEF DSM provides firewall events, you might select Cisco ASA, as another firewall product that likely captures similar events.

6. To search for a QID by name, type a name in the QID/Name field.

   The QID/Name field allows you to filter the full list of QIDs for a specific word, for example, MySQL.

7. Click Search.

   A list of QIDs is displayed.

8. Select the QID you want to associate to your unknown Universal LEEF DSM event.
9. Click OK.

   QRadar maps any additional events forwarded from your device with the same QID that matches the event payload. The event count increases each time the event is identified by QRadar.

   Note: If you update an event with a new QRadar Identifier (QID) map, past events stored in QRadar are not updated. Only new events are categorized with the new QID.