IBM Support

QRadar: Anomaly Detection Engine creates unreadable events, for example "��@��� �H�"



Customers might notice that there are some events under an Anomaly Detection Engine log source that are not human readable. This issue occurs when the event generated from anomaly events is binary data, the user interface attempts to display the data, but instead shows question mark (��@���) characters.


You can reproduce the issue with the following steps:
  1. Create an Anomaly Detection Rule.
  2. After the rule is triggered it creates at least two events, one of them with the event name given. 
  3. Select Display > Raw Events.
  4. The payload of the event displays ��� characters.
  5. Double-click the event, the utf tab attempts to render the data, which is not human readable.


Basically the Anomaly Detection Engine creating these events is the way the anomaly rules work since their inception in 7.0. Anomaly Detection Events generate binary payloads. QRadar uses the class to pull useful values out of the binary payload because they are unreadable.

Resolving The Problem

This behavior is expected as binary data cannot be rendered as UTF in the user interface and is considered working as designed from a product perspective. If a use case requires you to be able to read the binary payloads created by the Anomaly Detection Engine, you can submit an enhancement request to the IBM Ideas portal as a feature request. For more information, see QRadar: Request for enhancements and IBM Idea submissions.

Document Location


[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS6E69","label":"IBM QRadar Network Insights"},"ARM Category":[{"code":"a8m0z000000cwtJAAQ","label":"QRadar Network Insights"}],"ARM Case Number":"TS007983538","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
08 March 2022