Identity properties for event mappings

Identity data is a special set of system properties that includes Identity Username, Identity IP, Identity NetBIOS Name, Identity Extended Field, Identity Host Name, Identity MAC, and Identity Group Name.

When identity properties are populated by a DSM, the identity data is forwarded to the asset profiler service that runs on the IBM® QRadar® console. The asset profiler is used to update the asset model, either by adding new assets or by updating the information on existing assets, including the Last User and User Last Seen asset fields when an Identity Username is provided.

IBM QRadar DSMs can populate identity data for certain events, such as those that establish an association or disassociation between identity properties. Identity data is limited to these events for performance, and to certain events that provide new or useful information that is needed for asset updates. For example, a login event establishes a new association between a user name and an asset (an IP address, a MAC address, a host name, or a combination of them). The DSM generates identity data for any login events that it parses, but subsequent events of different types that involve the same user provide no new association information. Therefore, the DSM does not generate identity data for other event types.

Also, the DSMs for DHCP services can generate identity data for DHCP assigned events because these events establish an association between an IP address and a MAC address. DSMs for DNS services generate identity information for events that represent DNS lookups because these events establish an association between an IP address and a host name or DNS name.

You can configure the DSM Editor to override the behavior of the identity properties. However, unlike other system properties, an overridden identity property has no effect unless it is linked to specific Event ID or Event Category combinations (event mappings). When identity property overrides are configured, you can go to the Event Mappings tab and select an event mapping to configure specific identity properties for that event. Only identity properties that are available and captured by the configured property regex or JSON expression are populated for an event.

Note: The Identity Username property is unique and cannot be independently configured. If any identity properties are enabled for a particular event mapping, then the Identity Username property is automatically populated for the event from the available Username property value.
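The following Python sketch models the three rules described above: an override has no effect without an event mapping, only captured properties are populated, and Identity Username follows Username. It is an added example, not IBM or QRadar code; the log format, regex patterns, event IDs, and the `identity_data` function are assumptions constructed for illustration.

```python
import re

# Constructed property overrides (assumed log format: key=value pairs).
OVERRIDES = {
    "Username": re.compile(r"user=(\S+)"),
    "Identity IP": re.compile(r"ip=(\d{1,3}(?:\.\d{1,3}){3})"),
    "Identity MAC": re.compile(r"mac=((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"),
    "Identity Host Name": re.compile(r"host=(\S+)"),
}

# Constructed event mappings: (Event ID, Event Category) -> identity
# properties enabled for that mapping.
EVENT_MAPPINGS = {
    ("DHCPACK", "dhcp"): {"Identity IP", "Identity MAC", "Identity Host Name"},
    ("LOGIN_OK", "auth"): {"Identity IP"},
}

def identity_data(event_id, category, payload):
    """Model which identity properties are populated for one event."""
    enabled = EVENT_MAPPINGS.get((event_id, category), set())
    if not enabled:
        # Rule 1: an override that is not linked to an event mapping
        # has no effect, even if its regex would match the payload.
        return {}
    captured = {}
    for name, pattern in OVERRIDES.items():
        match = pattern.search(payload)
        if match:
            captured[name] = match.group(1)
    # Rule 2: only properties that are both enabled for this mapping
    # and actually captured from the payload are populated.
    identity = {name: captured[name] for name in enabled if name in captured}
    # Rule 3: Identity Username is not configured independently; it is
    # taken from the Username value when any identity property is enabled.
    if "Username" in captured:
        identity["Identity Username"] = captured["Username"]
    return identity

# Constructed sample events.
DHCP_EVENT = ("DHCPACK", "dhcp", "ip=10.0.0.15 mac=00:1A:2B:3C:4D:5E")
LOGIN_EVENT = ("LOGIN_OK", "auth", "user=alice ip=10.0.0.15 host=ws01")
UNMAPPED_EVENT = ("FILE_READ", "access", "user=alice ip=10.0.0.15")

if __name__ == "__main__":
    for event in (DHCP_EVENT, LOGIN_EVENT, UNMAPPED_EVENT):
        print(event[0], identity_data(*event))
```

In this model the login event yields no Identity Host Name even though `host=` is present, because that property is not enabled for the login mapping.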