Creating a custom property

Create a custom property to extract data that IBM QRadar does not typically show from the event or flow payloads. Custom properties must be enabled, and extraction-based custom properties must be parsed, before you can use them in rules, searches, reports, or for offense indexing.

Before you begin

QRadar includes a number of existing custom event properties that are not enabled or parsed by default. Ask your administrator to review the custom event property that you want to create to ensure that it does not exist.

To create custom event properties, you must have the User Defined Event Properties permission.

To create custom flow properties, you must have the User Defined Flow Properties permission. You must also set the IPFIX Additional Field Encoding field to Payload or TLV and Payload.

Users with administrative capabilities can create custom event and flow properties by selecting Custom Event Properties or Custom Flow Properties on the Admin tab.

You must configure a flow collector to export data to a flow processor. For more information, see Configuring the Flow Collector format.

About this task

Although multiple default custom properties might have the same name and the same log source, they can have different regex expressions, event names, or categories. For example, there are multiple custom properties for Microsoft Windows Security Event Log called AccountName, but each one is defined by a unique regex expression.

Procedure

  1. Click the Log Activity tab or the Network Activity tab.
  2. If you are viewing the events or flows in streaming mode, click the Pause icon to pause streaming.
  3. Double-click the event or flow that contains the data that you want to extract, and then click Extract Property.
  4. In the Property Type Selection pane, select the type of custom property that you want to create.
  5. Configure the custom property parameters.

    Click the help icon (Help button) to see information about the custom property parameters.

  6. If you are creating an extraction-based custom property that is to be used in rules, search indexes, or forwarding profiles, ensure that the Enable for use in Rules, Forwarding Profiles and Search Indexing check box is selected.
  7. Optional: Click Test to test the expression against the payload.
  8. Optional: New in 7.5.0 Update Package 12 You can use predictive parsing algorithm for regular expressions (regex) custom properties. You can enable predictive parsing by selecting Enabling Predictive Parsing checkbox. By default, predictive parsing is enabled now for all custom properties. If you enable predictive parsing, the performance is faster when you create a new property. You can also set the delimiter set for a property by using Predictive Parsing Delimiters option. Predictive Parsing uses an algorithm to extract property values from events without running the regex for every event and thus is fast. However, in rare circumstances the algorithm can make incorrect predictions, so it is recommended to use Predictive Parsing only for log source types, which are expected to receive high event rates and thus require the faster parsing.
  9. Click Save.

What to do next

Modifying or deleting a custom property