IBM Support

QRadar: Unable to add newly created Custom Event Property Definition to a Rule

Troubleshooting


Problem

Users are unable to add a newly created Custom Event Property Definition when building a new Rule or modifying an existing Rule.
  1. In the rule Definition section, add a test that includes the variable 'event properties'.
  2. Click event properties.
    You see that the newly created Custom Event Property is not available.

Cause

Creating a Custom Event Property the option

Resolving The Problem

To resolve this issue, create a new Custom Event Property by completing the following steps.
 
  1. Log in to the QRadar Console UI as an Administrator.
  2. On the navigation menu (Navigation menu icon), click Admin.
  3. In the Data Sources > Events section, click DSM Editor.
  4. Select the Log Source Type where you want to create the new Custom Event Property, and then click Select.
    In this example, Apache HTTP Server is selected.
  5. Click the Plus button to open the Choose a Custom Property Definition page.
  6. Click Create New.
  7. Populate the required fields.
    Name.
    Field Type.
    Description.
    Select "
  8. You are brought back to the Choose a Custom Property Definition page.
    The newly created Custom Property is highlighted and is checked.
    Click Select.
  9. Click the newly added Custom Event Property to populate the required fields, and then click OK.
  10. Click Save, and then click Close.

Results

  1. Build a new Rule or modify an existing Rule.
  2. Click event properties.
    You see that the newly created Custom Event Property is available.
    Highlight the Custom Event Property, click Add, and then click Submit.

Document Location

Worldwide

Document Information

Modified date:
29 August 2023

UID

ibm17020234