IBM Support

QRadar: Anomaly Detection Engine creates unreadable events, for example "��@��� �H�"

Troubleshooting


Problem

Customers might notice that some events under an Anomaly Detection Engine log source are not human readable. This issue occurs when the event generated from anomaly events is binary data: the user interface attempts to display the data, but instead shows question mark (��@���) characters.

Symptom

You can reproduce the issue with the following steps:
  1. Create an Anomaly Detection Rule.
  2. After the rule is triggered, it creates at least two events, one of them with the event name given.
  3. Select Display > Raw Events.
  4. The payload of the event displays ��� characters.
  5. Double-click the event. The UTF tab attempts to render the data, which is not human readable.

Cause

The Anomaly Detection Engine has created these events since anomaly rules were introduced in 7.0; this is how the rules work. Anomaly Detection Events generate binary payloads. Because these payloads are unreadable, QRadar uses the ADEEventProperties.java class to pull useful values out of them.
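
The effect described above can be reproduced outside the product. The following is an added illustration, not IBM or QRadar code: it decodes a binary byte string as UTF-8 the way a text view would, then shows a simple check that falls back to a hex view. The function names, the 10% threshold and both sample byte strings are assumptions made for this example; the binary sample is constructed to render like the string in the title and is not the Anomaly Detection Engine payload format.

```python
# Added illustration, not IBM/QRadar code. SAMPLE_BINARY is constructed and is
# NOT the Anomaly Detection Engine payload format, which the page does not give.
REPLACEMENT = "\ufffd"  # U+FFFD, the glyph a text view draws for undecodable bytes


def render_as_utf8(payload: bytes) -> str:
    """Decode as a text view would: undecodable input becomes U+FFFD."""
    return payload.decode("utf-8", errors="replace")


def looks_binary(payload: bytes, threshold: float = 0.10) -> bool:
    """Heuristic: binary if more than `threshold` of the decoded characters
    are U+FFFD or control characters other than tab, CR and LF."""
    text = render_as_utf8(payload)
    if not text:
        return False
    bad = sum(
        1 for ch in text
        if ch == REPLACEMENT or (ord(ch) < 0x20 and ch not in "\t\r\n")
    )
    return bad / len(text) > threshold


def hex_view(payload: bytes, width: int = 16) -> str:
    """Offset, hex and printable-ASCII columns; lossless for any byte value."""
    lines = []
    for off in range(0, len(payload), width):
        chunk = payload[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return "\n".join(lines)


def display(payload: bytes) -> str:
    """Text for text payloads, hex dump for binary ones."""
    return hex_view(payload) if looks_binary(payload) else render_as_utf8(payload)


# Constructed samples: ten bytes, seven of which are never valid UTF-8 on their
# own, and an ordinary syslog-style text line.
SAMPLE_BINARY = bytes([0x80, 0xFF, 0x40, 0xFE, 0x90, 0xC0, 0x20, 0xBF, 0x48, 0xFF])
SAMPLE_TEXT = b"<13>Mar  8 10:00:00 host1 sshd[42]: session opened for user admin"

if __name__ == "__main__":
    print(render_as_utf8(SAMPLE_BINARY))
    print(display(SAMPLE_BINARY))
    print(display(SAMPLE_TEXT))
```

The hex view shows the bytes themselves; it does not interpret the fields inside an Anomaly Detection Engine payload.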

Resolving The Problem

This behavior is expected, because binary data cannot be rendered as UTF in the user interface, and it is considered working as designed from a product perspective. If a use case requires you to be able to read the binary payloads created by the Anomaly Detection Engine, you can submit an enhancement request to the IBM Ideas portal as a feature request. For more information, see QRadar: Request for enhancements and IBM Idea submissions.

Document Location

Worldwide


Document Information

Modified date:
08 March 2022

UID

ibm16557112