Adding the DNS Request Domain custom event property to your DSMs

To conduct a federated search for domain names, you must add the DNS Request Domain custom event property to the appropriate DSMs in IBM® QRadar. The DNS Request Domain custom event property parses the DNS Request Domain for a log source type.

About this task

You must have the administrator role to add the DNS Request Domain custom event property to your DSMs.

Procedure

  1. Log in to QRadar® as an administrator.
  2. From the Admin tab, click DSM Editor.
  3. In the Select Log Source Type window, click the log source type that you want to edit, and then click Select.
  4. On the Properties tab, click the Add icon (+).
  5. In the Choose a Custom Property Definition window, select DNS Request Domain, and then click Select.
  6. If the DNS Request Domain custom event property is not listed, follow these steps to create it.
    1. In the Choose a Custom Property Definition window, click Create New.
    2. In the Name field, enter DNS Request Domain.
    3. In the Field Type field, select Text.
    4. In the Description field, enter a description and then select the Enable for use in Rules, Forwarding Profiles and Search Indexing checkbox.
    5. Click Save and then click Select.
  7. On the Properties tab, click the DNS Request Domain custom event property. If the DNS Request Domain custom event property was listed in the Choose a Custom Property Definition window, click Edit.
  8. Ensure that the Expression Type is Regex.
  9. In the Expression field, enter Question Name=(\S+).
    Restriction: The Question Name=(\S+) regular expression (regex) applies only to the DNS Request Domain custom event property.
  10. In the Capture Group field, enter 1.
  11. To confirm the edit, click OK, and then click Save to update the DSM.
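The Expression and Capture Group values entered in steps 9 and 10 determine what the custom event property will contain for each event. The following Python script is an added example, not IBM code or part of the QRadar product: it applies the same regular expression, Question Name=(\S+), with capture group 1 to a few constructed sample events so you can see which value QRadar would extract before you save the DSM. The event text, the function names extract_dns_request_domain, extract_all and looks_like_domain, and the hostname sanity check are assumptions made for this example.

```python
import re
from typing import List, Optional

# The expression exactly as entered in the DSM Editor Expression field,
# with the Capture Group field set to 1 (both values from the procedure).
DNS_REQUEST_DOMAIN_REGEX = re.compile(r"Question Name=(\S+)")
CAPTURE_GROUP = 1

# Constructed sample events (not real QRadar payloads or a specific DSM's
# format). Only the "Question Name=<domain>" field matters to the regex.
SAMPLE_EVENTS = [
    "<13>Jan 10 12:00:01 dns01 DNS: Query Type=A Question Name=www.example.com Client=10.0.0.5",
    "<13>Jan 10 12:00:02 dns01 DNS: Query Type=AAAA Question Name=mail.example.org. Client=10.0.0.6",
    # Constructed edge case: the domain is followed by a comma, not whitespace.
    "<13>Jan 10 12:00:03 dns01 DNS: Query Type=A Question Name=cdn.example.net,Client=10.0.0.7",
    # Constructed event with no Question Name field at all.
    "<13>Jan 10 12:00:04 dns01 DNS: Response Code=NXDOMAIN Client=10.0.0.8",
]

# Loose hostname shape: labels of letters, digits and hyphens separated by
# dots, with an optional trailing dot. Used only as a sanity check here.
HOSTNAME_SHAPE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.?$")


def extract_dns_request_domain(event: str) -> Optional[str]:
    """Return the value the custom event property would hold for one event.

    None means the regex did not match, so the property is left empty for
    that event and it would not be found by a federated domain search.
    """
    match = DNS_REQUEST_DOMAIN_REGEX.search(event)
    if match is None:
        return None
    return match.group(CAPTURE_GROUP)


def looks_like_domain(value: str) -> bool:
    """Flag captured values that are not a plain hostname, such as when
    \\S+ ran past the domain into the next field."""
    return HOSTNAME_SHAPE.match(value) is not None


def extract_all(events: List[str]) -> List[Optional[str]]:
    """Preview the property value for every sample event."""
    return [extract_dns_request_domain(e) for e in events]


if __name__ == "__main__":
    for event, value in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        if value is None:
            status = "NO MATCH"
        elif looks_like_domain(value):
            status = "ok"
        else:
            status = "CHECK DELIMITER"
        print(f"{status:16} {value!r}")
```

Because \S+ matches up to the next whitespace character, the third sample shows the property holding "cdn.example.net,Client=10.0.0.7" rather than just the domain; if your log source separates fields with commas instead of spaces, the extracted value will not match a federated search for the bare domain name, so preview the property against real events from that log source before relying on it.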

Results

When the DNS Request Domain custom event property has been added to your DSM, a green checkmark is displayed, and the custom event property is listed on the Properties tab.

What to do next

Connecting to an IBM Security QRadar data source

Connecting to an IBM Security QRadar on Cloud data source