Properties in the DSM Editor

In the DSM Editor, normalized system properties are combined with custom properties and are sorted alphabetically.

A DSM cannot have multiple properties with the same name.

The configuration of a system property differs from a custom property.

System properties

System properties cannot be deleted, but you can override their default behavior. There are two types of system properties:

Predefined system property

Displays the default QRadar behavior that is used for the DSM.

Override system property

System properties that have an override configured (log source extension) show Override in the status line. When a system property has an override, a log source extension for that DSM uses the regular expressions that you entered for the configuration.

Note: The DSM Editor facilitates the creation of unique regular expressions for event properties, such as IP and Port, which enables the independent extraction of property values from events.

Custom properties

Custom properties show Custom in the status line.

Custom properties differ from system properties in these ways:

  • Custom properties display Custom below their name.
  • Custom properties have no Override system behavior check box.
  • To make a custom property available for rules and search indexing, select the Enable this Property for use in Rules and Search Indexing check box when you create a custom property.
    Note: When you select this option, QRadar attempts to extract the property from events as soon as they enter the pipeline. Extracted property information and the remainder of the event record are persisted. The property does not need to be extracted again when it is used in a search or report. This improves performance when the property is retrieved, but it can have a negative impact on performance during event collection and storage.
  • Custom properties must have one or more expressions to be valid.
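
The following added example (not QRadar code or a QRadar API) models the note on unique regular expressions per property together with the rules that property names are unique and that a property needs at least one expression. The PropertyConfig class, the sample events, the regular expressions, and the first-match-wins ordering of expressions are assumptions made for illustration.

```python
import re

class PropertyConfig:
    """Hypothetical model of a DSM's property list; not a QRadar API."""

    def __init__(self):
        self.props = {}  # property name -> [(compiled regex, capture group)]

    def add(self, name, expressions):
        if name in self.props:          # one property per name in a DSM
            raise ValueError(f"duplicate property name: {name}")
        if not expressions:             # a property needs >= 1 expression
            raise ValueError(f"{name}: at least one expression is required")
        self.props[name] = [(re.compile(rx), grp) for rx, grp in expressions]

    def extract(self, event):
        """Evaluate every property on its own; a miss leaves the others intact."""
        found = {}
        for name in sorted(self.props):
            for rx, grp in self.props[name]:   # assumption: first match wins
                m = rx.search(event)
                if m:
                    found[name] = m.group(grp)
                    break
        return found

# Constructed sample events; the second one carries no src= field.
EVENTS = [
    "<134>Jan 10 12:00:01 fw01 action=deny src=192.0.2.10 spt=51514 dst=198.51.100.7 dpt=443",
    "<134>Jan 10 12:00:02 fw01 action=deny spt=40000 dst=198.51.100.7 dpt=443",
]

# One expression that couples both values, for comparison.
COMBINED = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3}) spt=(\d{1,5})\b")

def build_config():
    cfg = PropertyConfig()
    cfg.add("Source IP", [(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b", 1)])
    cfg.add("Source Port", [(r"\bspt=(\d{1,5})\b", 1)])
    return cfg

def compare(event):
    """Return (per-property result, whether the coupled regex matched)."""
    return build_config().extract(event), COMBINED.search(event) is not None

if __name__ == "__main__":
    for ev in EVENTS:
        print(compare(ev))
```

On the second event the coupled expression matches nothing, while the per-property expressions still yield the source port.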