Creating a QID map entry
Create an IBM QRadar Identifier (QID) map entry to map an event of an external device to a QID.
Procedure
- Using SSH, log in to QRadar as the root user.
- To locate the low-level category for the QID map entry that you want to create, type the following command:
  /opt/qradar/bin/qidmap_cli.sh -l
  If you want to search for a particular low-level category, you can use the grep command to filter the results:
  /opt/qradar/bin/qidmap_cli.sh -l | grep <text>
- Type the following command:
  qidmap_cli.sh -c --qname <name> --qdescription <description> --severity <severity> --lowlevelcategoryid <ID>
The following table describes the command-line options for the QID map utility:
| Options | Description |
| --- | --- |
| -c | Creates a QID map entry. |
| --qname <name> | The name that you want to associate with this QID map entry. The name can be up to 255 characters in length. If you include spaces in the name, enclose the name value in double quotation marks. |
| --qdescription <description> | The description for this QID map entry. The description can be up to 2048 characters in length. If you include spaces in the description, enclose the description value in double quotation marks. |
| --severity <severity> | The severity level that you want to assign to this QID map entry. The valid range is 1 - 10. |
| --lowlevelcategoryid <ID> | The low-level category ID you want to assign to this QID map entry. |
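The following wrapper is an added example, not part of the original procedure or of QRadar itself. It checks the four values against the limits in the options table before calling the utility, and quotes each value so that names and descriptions with spaces are passed as single arguments. The function names, the QIDMAP_CLI variable, the assumption that the create command lives at the same path as the list command, and the assumption that category IDs are numeric are all introduced for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for "qidmap_cli.sh -c".
# Assumption: the create command uses the same path as the -l command above.
QIDMAP_CLI=${QIDMAP_CLI:-/opt/qradar/bin/qidmap_cli.sh}

# validate_qid_entry NAME DESCRIPTION SEVERITY CATEGORY_ID
# Returns 0 when every value fits the documented limits; otherwise prints
# the reason to stderr and returns 1. ${#var} counts characters in the
# current locale (some shells count bytes for multibyte input).
validate_qid_entry() {
    name=$1; desc=$2; sev=$3; llc=$4
    # Assumption: an empty name is rejected; the table only states the 255 limit.
    if [ -z "$name" ] || [ "${#name}" -gt 255 ]; then
        echo "qname must be 1-255 characters" >&2; return 1
    fi
    if [ "${#desc}" -gt 2048 ]; then
        echo "qdescription must be at most 2048 characters" >&2; return 1
    fi
    # Digits only, at most two of them, then the documented 1-10 range.
    case $sev in
        ''|*[!0-9]*|???*) echo "severity must be an integer 1-10" >&2; return 1 ;;
    esac
    if [ "$sev" -lt 1 ] || [ "$sev" -gt 10 ]; then
        echo "severity must be an integer 1-10" >&2; return 1
    fi
    # Assumption: low-level category IDs listed by -l are plain integers.
    case $llc in
        ''|*[!0-9]*) echo "lowlevelcategoryid must be numeric" >&2; return 1 ;;
    esac
    return 0
}

# create_qid_entry NAME DESCRIPTION SEVERITY CATEGORY_ID
# Validates first, then runs the utility with every value double-quoted.
create_qid_entry() {
    validate_qid_entry "$@" || return 1
    "$QIDMAP_CLI" -c --qname "$1" --qdescription "$2" \
        --severity "$3" --lowlevelcategoryid "$4"
}

# Usage (constructed values; <ID> comes from the -l listing):
#   create_qid_entry "Custom Login Failure" "Failed login on device" 5 <ID>
```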