Modifying event mapping

You can manually map a normalized or raw event to a high-level and low-level category (or QID).

Before you begin

This manual action is used to map unknown log source events to known QRadar events so that they can be categorized and processed appropriately.

About this task

For normalization purposes, QRadar automatically maps events from log sources to high- and low-level categories.

For more information about event categories, see the IBM QRadar Administration Guide.

If events are received from log sources that the system is unable to categorize, then the events are categorized as unknown. These events occur for several reasons, including:

User-defined Events - Some log sources, such as Snort, allows you to create user-defined events.
New Events or Older Events - Vendor log sources might update their software with maintenance releases to support new events that QRadar might not support.

Note: The Map Event icon is disabled for events when the high-level category is SIM Audit or the log source type is Simple Object Access Protocol (SOAP).

Procedure

Click the Log Activity tab.
Optional. If you are viewing events in streaming mode, click the Pause icon to pause streaming.
Double-click the event that you want to map.
Click Map Event.
If you know the QID that you want to map to this event, type the QID in the Enter QID field.
If you do not know the QID you want to map to this event, you can search for a particular QID:
1. Choose one of the following options: To search for a QID by category, select the high-level category from the High-Level Category list box. To search for a QID by category, select the low-level category from the Low-Level Category list box. To search for a QID by log source type, select a log source type from the Log Source Type list box. To search for a QID by name, type a name in the QID/Name field.
2. Click Search.
3. Select the QID you want to associate this event with.
Click OK.