You can use different expressions to capture various custom properties for the same
event. You can also use a combination of expression types to capture the same custom property if
that property can be captured from multiple event formats.
About this task
IBM QRadar supports the following custom property expression types:
- Regex
- JSON
- LEEF
- CEF
- Name Value Pair
- Generic List
- XML
- On the Properties tab, locate and select the custom property. Custom properties display the word Custom next to them to differentiate them from system properties.
- Select an expression type from the Expression Type list and define a valid expression for it.
Tips:
- For Regex, the expression must be a valid Java-compatible regular expression. Case-insensitive matching is supported only by using the (?i) token at the beginning of the expression. The (?i) token is saved in the log source extension .xml file. To use other expressions, such as (?s), manually edit the log source extension .xml file.
- For JSON, the expression must be a path in the format /"<name of top-level field>", with additional /"<name of sub-field>" subobjects to capture subfields, if any.
- To capture the value of a key-value pair for LEEF and CEF, set the expression to the key.
- To capture the value of a header field, set the expression to the corresponding reserved word for that header field.
- If the expression type is Regex, select a capture group.
- To limit an expression to run against a specific category, click Edit to add selectivity to the custom property, and select a High Level Category and a Low Level Category.
- To limit an expression to run against a specific event or QID, click Choose Event to search for a specific QID.
- In the Expression window, click Ok.
- To add multiple expressions and reorder them, follow these steps:
  - Click Add (+) in the expressions list.
  - Drag expressions in the order that you want them to run.
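The following Python script is an added illustration, not part of the IBM documentation and not QRadar's own parser. It shows how the expression types described above (Regex with the (?i) token, a JSON path of /"field"/"subfield" segments, and a LEEF or CEF key) each capture the same custom property, a username, from a constructed sample event in a different format, and how an ordered list of expressions is tried until one matches, which is what the reordering step above controls. The sample events, the field names (usrName, suser, event/user/name), the "Username" property and the simplified LEEF/CEF parsing are assumptions made for this example; QRadar's header reserved words are not modelled.

```python
"""Added example: QRadar-style custom property expression types (Regex, JSON,
LEEF, CEF) capturing one property from several event formats. Toy code only."""
import json
import re
from typing import Optional

# Constructed sample events, one per format (not captured from a real system).
SAMPLE_REGEX_EVENT = "Accepted password for alice from 10.0.0.5 port 51422 ssh2"
SAMPLE_JSON_EVENT = '{"event": {"type": "login", "user": {"name": "alice"}}}'
SAMPLE_LEEF_EVENT = "LEEF:1.0|ExampleVendor|ExampleProduct|1.0|Login|usrName=alice\tsrc=10.0.0.5\tdst=10.0.0.9"
SAMPLE_CEF_EVENT = "CEF:0|ExampleVendor|ExampleProduct|1.0|100|User login|3|suser=alice src=10.0.0.5 msg=Login\\=ok"

# One CEF extension pair: the value runs until the next " key=" or the end of
# the string; a literal '=' inside a value must be escaped as '\='.
CEF_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")


def regex_extract(event: str, expression: str, capture_group: int = 1) -> Optional[str]:
    """Regex type: the (?i) inline flag from the tips works in Python's re as in Java."""
    match = re.search(expression, event)
    return None if match is None else match.group(capture_group)


def json_extract(event: str, expression: str) -> Optional[str]:
    """JSON type: a path such as /"event"/"user"/"name", one /"..." per nesting level."""
    segments = re.findall(r'/"([^"]*)"', expression)
    if not segments:
        raise ValueError(f"not a valid JSON path expression: {expression!r}")
    node = json.loads(event)  # raises ValueError when the event is not JSON
    for key in segments:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else json.dumps(node)


def _split_header(event: str, prefix: str, header_fields: int):
    """Split 'PREFIX:version|...|rest' into the fixed header fields and the rest.
    Simplification: escaped pipes inside header fields are not handled."""
    if not event.startswith(prefix + ":"):
        raise ValueError(f"event is not in {prefix} format")
    parts = event.split("|", header_fields)
    if len(parts) != header_fields + 1:
        raise ValueError(f"truncated {prefix} header")
    return parts[:header_fields], parts[header_fields]


def leef_extract(event: str, key: str) -> Optional[str]:
    """LEEF type: the expression is the attribute key. LEEF 1.0 separates
    attributes with a tab; LEEF 2.0 names its delimiter in an extra header
    field (handled here only as a literal character, empty meaning tab)."""
    header, attributes = _split_header(event, "LEEF", 5)
    delimiter = "\t"
    if header[0].startswith("LEEF:2.0"):
        delimiter, _, attributes = attributes.partition("|")
        delimiter = delimiter or "\t"
    for pair in attributes.split(delimiter):
        k, sep, v = pair.partition("=")
        if sep and k == key:
            return v
    return None


def cef_extract(event: str, key: str) -> Optional[str]:
    """CEF type: the expression is the extension key; backslash escapes are removed."""
    _header, extension = _split_header(event, "CEF", 7)
    for match in CEF_PAIR.finditer(extension):
        if match.group(1) == key:
            return re.sub(r"\\(.)", r"\1", match.group(2))
    return None


def capture_property(event: str, expressions: list) -> Optional[str]:
    """Run an ordered list of (type, expression, capture_group) definitions and
    return the first value captured, the way several expressions of different
    types can back one custom property. Wrong-format expressions are skipped."""
    extractors = {"JSON": json_extract, "LEEF": leef_extract, "CEF": cef_extract}
    for kind, expression, group in expressions:
        try:
            if kind == "Regex":
                value = regex_extract(event, expression, group)
            else:
                value = extractors[kind](event, expression)  # KeyError: unsupported type
        except ValueError:
            continue  # this event is not in the format the expression expects
        if value is not None:
            return value
    return None


# Hypothetical "Username" custom property backed by one expression per format.
USERNAME_EXPRESSIONS = [
    ("CEF", "suser", None),
    ("LEEF", "usrName", None),
    ("JSON", '/"event"/"user"/"name"', None),
    ("Regex", r"(?i)accepted password for (\S+)", 1),
]

if __name__ == "__main__":
    for sample in (SAMPLE_REGEX_EVENT, SAMPLE_JSON_EVENT, SAMPLE_LEEF_EVENT, SAMPLE_CEF_EVENT):
        print(capture_property(sample, USERNAME_EXPRESSIONS), "<-", sample[:40])
```

The order of USERNAME_EXPRESSIONS matters in the same way the drag-to-reorder step does: the structured CEF, LEEF and JSON expressions are tried first because they fail cleanly on an event of the wrong format, and the broader regular expression is left as the last resort.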