IBM Support

QRadar: Custom events for Radware DefensePro display 'parsed, but not mapped'

Troubleshooting


Problem

Radware DefensePro events in the Log Activity tab can display 'Unknown Radware DefensePro'. Administrators who experience issues with event categorization must review the Event ID to determine whether the payload is a standard event or a user-defined custom event. The QID map provided by IBM includes parsing and event mapping for events with a numeric ID from 0 to 200,000. Any event with a numeric ID of 300,000 or greater is a user-defined custom event and must be manually mapped by the administrator.

Cause

The DSM for Radware DefensePro (DSM-RadwareDefensePro) does not support custom events. Some events in Radware DefensePro are user-defined custom events, which are not supported. For more information, see the QRadar support policy for custom events.

Event ID              | Event types                      | Included in the QRadar QID map?
0 to 299,999          | Default QIDs mapped by IBM       | Yes, Radware DefensePro events with an Event ID of 0 to 299,999 are included in the QID map provided by IBM.
300,000 to 1,000,000  | Custom Radware DefensePro events | No, events that include a numeric Event ID greater than 300,000 are custom intrusion or attack events and must be mapped in the DSM Editor. For more information, see Radware DefensePro Attack-Protection IDs.

Diagnosing The Problem

Radware DefensePro events that appear with an Event ID of 300,000 or greater are not included in the QID map because that range is reserved for custom events.
How to search for unknown Event IDs
  1. Log in to QRadar as an administrator.
  2. Click the Log Activity tab.
  3. Click Search > New Search.
  4. In the Column Definition menu, add Event ID.
    Tip: To review for the highest number of unknown events by Event ID, you can order by the Event Count.
  5. Add the following search filters.
    1. Log Source Type [Indexed] equals Radware DefensePro.
    2. Category [Indexed] equals Log Level Category Unknown.
      For example, both filters are added before you search for unknown events to map.
  6. Click Search to run the search with the filters applied and confirm the Event ID values.
    Figure 1: Event IDs of 300,000 or greater are custom events and must be mapped in the DSM Editor.

    Results
    The Event ID displayed in the QRadar search is parsed from the ID Number of the Radware DefensePro event. Any events that display in the Low Level Category column with a value of Unknown can be mapped in the DSM Editor. If you experience issues with events that have an Event ID less than 300,000 that do not map in the user interface, click Actions > Export to XML > Full Export (All Columns) and contact QRadar Support.
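The triage described above can be applied to an exported search result in bulk. The following script is an added example, not IBM or Radware code; it assumes a constructed CSV export with the columns Event ID, Low Level Category and Event Count, sums the counts per Event ID, and separates custom IDs (300,000 or greater, to be mapped in the DSM Editor) from standard IDs that are still Unknown (to be exported and raised with QRadar Support), most frequent first.

```python
"""Triage 'parsed, but not mapped' Radware DefensePro events from a QRadar
Log Activity export. Added example; not IBM or Radware code."""
import csv
import io
from collections import defaultdict

# Lowest user-defined custom Event ID, as stated in the technote.
CUSTOM_EVENT_ID_START = 300_000

# Constructed sample export (values are made up). Column names are assumed
# to match the search columns used in the technote.
SAMPLE_EXPORT = """\
Event ID,Low Level Category,Event Count
300104,Unknown,4821
300104,Unknown,119
512,Unknown,7
300377,Unknown,640
100021,SYN Flood,3000
"""


def triage(export_text):
    """Return (custom, standard): lists of (event_id, total_count) for rows whose
    Low Level Category is Unknown, each sorted by descending count."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Low Level Category"].strip().lower() != "unknown":
            continue  # already mapped to a QID; nothing to do
        totals[int(row["Event ID"])] += int(row["Event Count"])

    custom, standard = [], []
    for event_id, count in totals.items():
        if event_id >= CUSTOM_EVENT_ID_START:
            custom.append((event_id, count))    # map in the DSM Editor
        else:
            standard.append((event_id, count))  # should be in IBM's QID map

    by_count = lambda t: (-t[1], t[0])
    return sorted(custom, key=by_count), sorted(standard, key=by_count)


if __name__ == "__main__":
    custom, standard = triage(SAMPLE_EXPORT)
    print("Map in DSM Editor, most frequent first:", custom)
    print("Standard IDs still Unknown, export and contact support:", standard)
```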

Resolving The Problem

Unknown events are payloads without an associated QRadar identifier (QID), and the DSM Editor displays these events as 'Parsed, but not mapped'. Events with an ID Number in the range from 300,000 to 1,000,000 are user-defined events for Radware DefensePro devices. Because the payloads are for custom events, QRadar extracts the Event ID, but there is no mapping for them. Administrators with unknown events can use the DSM Editor to map events.

Procedure
To map events, administrators can review for 'parsed, but not mapped' events and create a new event mapping to add new category coverage for their device. Administrators can either use existing QIDs to map to their unknown event or create new custom QID records in QRadar.
  1. Click the Log Activity tab.
  2. Run a search for Radware DefensePro unknown events.
  3. Highlight any events in the Log Activity tab with an Event ID of 300,000 or greater.
  4. Click Actions > DSM Editor.
    For example, the unknown event and payload is loaded into the DSM Editor.
  5. Click the Event Mappings tab.
  6. Click + to create a new event map.
  7. Choose an existing QID or create a new custom QID record depending on your needs by following one of the two steps:
    1. Type an Event ID and Category, then click Choose a QID to search for a similar QID to map to your event.
      Note: For more information, see Event Mappings.
    2. Click Choose a QID, then click Create new QID record to create a custom QID for your event.
      Note: For more information, see Radware DefensePro: How to view signature descriptions.

      Important: If you create a new QID, it is not automatically assigned. You need to create your new QID, then return to the Event Mappings tab in the DSM Editor and select your newly created QID.
  8. Repeat this procedure for each unknown event.

    Results
    As you add event mappings, new incoming events from Radware DefensePro are mapped to your custom signatures. Administrators can prioritize the list of important signatures by filtering for the most frequent unknown events.

Document Location

Worldwide


Document Information

Modified date:
10 March 2023

UID

ibm16960301