In the DSM Editor, you can define a custom property for one or more log source types whose events do not fit into the IBM QRadar normalized event model. For example, the set of system properties might not capture all relevant data from some applications, operating systems, databases, and other systems.
About this task
You can create a custom property for data that does not fit into QRadar system properties. Use the custom properties in searches and test against them in rules.
Procedure
- On the Properties tab in the DSM Editor, click Add (+).
- To create a new custom property definition, use the following steps:
  - On the Choose a Custom Property Definition to Express page, select Create New.
  - On the Create a new Custom Property Definition page, configure the parameters in the following table.
Table 1. Custom property parameters

| Parameter | Description |
| --- | --- |
| Name | A descriptive name for the custom property that you create. |
| Field Type | The default is Text. Tip: When you select Number or Date from the Field Type list, extra fields are displayed. |
| Enable this Property for use in Rules and Search Indexing | When this option is enabled, QRadar attempts to extract the property from events immediately as they enter the system, during the parsing stage of the event pipeline. Other components downstream in the pipeline, such as rules, forwarding profiles, and indexing, can use the extracted values. The property information is persisted along with the rest of the event record and does not need to be extracted again when it is retrieved as part of a search or report. This option improves performance when the property is retrieved, but it can have a negative impact on performance during event parsing and also affects storage. When this option is not enabled, QRadar extracts the property from the events only when they are retrieved or viewed. Important: To use custom properties in rule tests, forwarding profiles, or for search indexing, make sure that this checkbox is selected. Rule evaluation, event forwarding, and indexing occur before events are written to disk, so the values must be extracted at the parsing stage. |
| Use number format from a Locale | This field displays when you select Number from the Field Type list. If you select the Use number format from a Locale checkbox, you must select an Extracted Number Format from the list. |
| Extracted Date/Time Format | This field displays when you select Date from the Field Type list. You must provide a datetime pattern that matches how the datetime appears in the original event. For example, 'MMM dd YYYY HH:mm:ss' is a valid datetime pattern for a time stamp like 'Apr 17 2017 11:29:00'. |
| Locale | This field displays when you select Date from the Field Type list. You must select the locale of the event. For example, if the locale is English, 'Apr' is recognized as the short form of the month 'April'. But if the event is presented in French and the month token is 'Avr' (for Avril), set the locale to a French one; otherwise the value is not recognized as a valid date. |
  - If you want to extract the property from events as they enter the system, select the Enable this property for use in Rules and Search indexing checkbox.
  - Click Save.
- To use an existing custom property, use the following steps:
  - On the Choose a Custom Property Definition to Express page, search for an existing custom property from the Filter Definitions field.
  - Click Select to add the custom property.
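To show why the Extracted Date/Time Format and Locale settings above must agree with the event, here is an added example (not IBM documentation or QRadar code) of a minimal locale-aware matcher for the page's pattern 'MMM dd YYYY HH:mm:ss'. The month tables and the two sample events are constructed, and the token handling is a deliberate simplification of the real pattern syntax.

```python
import re
from datetime import datetime

# Constructed sample events (not from any real system) in the page's timestamp layout.
EN_EVENT = "Apr 17 2017 11:29:00 host1 sshd[4242]: Accepted publickey for admin"
FR_EVENT = "Avr 17 2017 11:29:00 host1 sshd[4242]: Accepted publickey for admin"

# Constructed locale month tables (illustrative; 'Avr' is the page's French example).
MONTH_ABBREVIATIONS = {
    "en": "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(),
    "fr": "Janv Févr Mars Avr Mai Juin Juil Août Sept Oct Nov Déc".split(),
}

# Supported tokens; YYYY is read as the calendar year, as in the page's example pattern.
TOKEN_PATTERNS = {
    "MMM": r"(?P<mon>[^\W\d_]+)\.?",  # letters only; the locale table decides validity
    "dd": r"(?P<day>\d{2})",
    "YYYY": r"(?P<year>\d{4})",
    "HH": r"(?P<hour>\d{2})",
    "mm": r"(?P<minute>\d{2})",
    "ss": r"(?P<second>\d{2})",
}


def pattern_to_regex(pattern: str) -> "re.Pattern":
    # Longest token first, so 'YYYY' and 'MMM' are consumed before shorter tokens;
    # any character that is not a token is matched literally.
    regex, i = "", 0
    while i < len(pattern):
        for token in sorted(TOKEN_PATTERNS, key=len, reverse=True):
            if pattern.startswith(token, i):
                regex += TOKEN_PATTERNS[token]
                i += len(token)
                break
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.compile(regex)


def extract_datetime(event: str, pattern: str, locale: str) -> "datetime | None":
    """First timestamp in `event` matching `pattern`, or None when nothing matches
    or the month token is not an abbreviation in `locale` (the page's 'Avr' case)."""
    match = pattern_to_regex(pattern).search(event)
    if match is None:
        return None
    months = [m.casefold() for m in MONTH_ABBREVIATIONS[locale]]
    mon = match.group("mon").casefold()
    if mon not in months:
        return None  # e.g. 'Avr' under the English locale is not a valid date
    return datetime(int(match.group("year")), months.index(mon) + 1,
                    int(match.group("day")), int(match.group("hour")),
                    int(match.group("minute")), int(match.group("second")))
```

Running `extract_datetime(FR_EVENT, "MMM dd YYYY HH:mm:ss", "en")` returns None while the same call with locale "fr" yields the 2017-04-17 timestamp, which is the mismatch the Locale row warns about.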