Troubleshooting
Problem
QRadar SIEM users might notice that they may not be able to add their own custom property to the host property in an X-Force rule test.
Symptom
Usually, if you have missing Custom Properties in the list of Event Properties, the first step would be to confirm if there is a tick checked in the Custom Properties configuration window with the option "Parse in advance for rules, reports, and searches". The property you were looking for will now appear in the list.
For some tests coming from the X-Force family, during configuration of the rule, you can't pick your own custom properties even if the property has "Parse in advance..." option checked in.
Despite these windows looking similar to each other and containing some of the exact same names for the property. Every one of them is referencing a different database
The X-Force database contains proprietary values provided to the QRadar team from another IBM branch. The database is separate from the product's database and it can't store its own custom properties or access existing ones.
Related Information
Document Location
Worldwide
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
12 May 2020
UID
ibm16114352