Creating a custom property
Create a custom property to extract data that IBM® QRadar® does not typically show from the event or flow payloads. Custom properties must be enabled, and extraction-based custom properties must be parsed, before you can use them in rules, searches, reports, or for offense indexing.
Before you begin
QRadar includes a number of existing custom event properties that are not enabled or parsed by default. Ask your administrator to review the custom event property that you want to create to ensure that it does not exist.
To create custom event properties, you must have the User Defined Event Properties permission.
To create custom flow properties, you must have the User Defined Flow Properties permission. You must also set the IPFIX Additional Field Encoding field to Payload or TLV and Payload.
Users with administrative capabilities can create custom event and flow properties by selecting Custom Event Properties or Custom Flow Properties on the Admin tab.
You must configure a flow collector to export data to a flow processor. For more information, see Configuring the Flow Collector format.
About this task
Although multiple default custom properties might share the same name and the same log source, they can have different regular expressions, event names, or categories. For example, the Microsoft Windows Security Event Log has several custom properties called AccountName, but each one is defined by a unique regular expression.
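The following Python model, added here as an illustration and not QRadar's own code or API, shows how several same-named extraction-based properties can coexist for one log source type and why each needs its own regular expression. The CustomProperty class, the capture-group default, and the sample payloads are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of an extraction-based custom property. Several
# definitions may share a name and log source type but differ in regex.
@dataclass(frozen=True)
class CustomProperty:
    name: str
    log_source_type: str
    regex: str
    capture_group: int = 1   # assumption: group 1 carries the extracted value
    enabled: bool = True     # disabled properties are never used for extraction

WIN_SEC = "Microsoft Windows Security Event Log"

# Constructed definitions mirroring the page's AccountName example. The first
# regex is anchored to the "New Logon:" block so it does not pick up the
# Subject account (e.g. the machine account) that appears earlier in 4624 text.
PROPERTIES: List[CustomProperty] = [
    CustomProperty("AccountName", WIN_SEC, r"New Logon:.*?Account Name:\s+(\S+)"),
    CustomProperty("AccountName", WIN_SEC, r"TargetUserName=(\S+)"),
    CustomProperty("AccountName", WIN_SEC, r"User Name:\s+(\S+)", enabled=False),
]

def extract(name: str, log_source_type: str, payload: str) -> Optional[str]:
    """Return the first value extracted by an enabled definition, else None."""
    for prop in PROPERTIES:
        if not prop.enabled or prop.name != name or prop.log_source_type != log_source_type:
            continue
        match = re.search(prop.regex, payload, re.S)
        if match:
            return match.group(prop.capture_group)
    return None

# Constructed payloads in two different Windows event formats.
PAYLOAD_4624 = ("An account was successfully logged on. Subject: Security ID: S-1-5-18 "
                "Account Name: DC01$ Account Domain: CORP New Logon: Security ID: "
                "S-1-5-21-1-2-3-1001 Account Name: alice Account Domain: CORP Logon Type: 3")
PAYLOAD_KV = "EventID=4625 TargetUserName=bob TargetDomainName=CORP LogonType=3"
PAYLOAD_DISABLED = "User Name: carol Status: 0xC000006D"

if __name__ == "__main__":
    for payload in (PAYLOAD_4624, PAYLOAD_KV, PAYLOAD_DISABLED):
        print(extract("AccountName", WIN_SEC, payload))
```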