IBM Support

X-Force host properties are different from Standard event properties



QRadar SIEM users might notice that they may not be able to add their own custom property to the host property in an X-Force rule test.


Usually, if you have missing Custom Properties in the list of Event Properties, the first step would be to confirm if there is a tick checked in the Custom Properties configuration window with the option "Parse in advance for rules, reports, and searches". The property you were looking for will now appear in the list.
Event Property
For some tests coming from the X-Force family, during configuration of the rule, you can't pick your own custom properties even if the property has "Parse in advance..." option checked in.
Despite these windows looking similar to each other and containing some of the exact same names for the property. Every one of them is referencing a different database
Host Property
The X-Force database contains proprietary values provided to the QRadar team from another IBM branch. The database is separate from the product's database and it can't store its own custom properties or access existing ones.

Document Location


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
12 May 2020