Question & Answer
Question
What is the difference between EventID, EventIDCode and EventID (custom) in MS Windows Security Event Log events?
Which property should I be using?
Cause
Comparing a payload with how it is parsed shows that these three properties carry different values. Sometimes the EventID is a long number, while other events have a 4-digit number.
Example payload:
<13>Jun 15 12:17:54 TestServer AgentDevice=WindowsLog AgentLogFile=System PluginVersion=7.3.1.22 Source=Service Control Manager Computer=TestServer OriginatingComputer=10.10.10.10 User= Domain= EventID=1073748860 EventIDCode=7036 EventType=4 EventCategory=0 RecordNumber=52884 TimeGenerated=1686824240 TimeWritten=1686824240 Level=Informational Keywords=EventlogClassic Task=None Opcode=Info Message=The Network Setup Service service entered the running state.
Image: Log Activity with added fields for viewing Windows® events.
Answer
The variables in brackets <> are visible in the payloads.
- Event ID (in QRadar) is a combination of <Source>_<EventIDCode>, or just <EventIDCode>. Note: depending on the event type, a field other than <Source> may be used as the prefix.
- EventIDCode is set by the Windows OS.
- Event ID (custom) (in QRadar) equals <EventID> from the payload.
So, in other words, you can use any of the three properties, whichever value suits your Rules best.
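The following Python is an added example, not code from the IBM page or from QRadar. It parses the key=value payload quoted above, shows how the long EventID and the 4-digit EventIDCode relate, and builds the <Source>_<EventIDCode> form the answer describes. It relies on one fact not stated on the page: the long EventID is the 32-bit Windows event instance ID in the Win32 message-code layout (severity in bits 31-30, customer flag in bit 29, facility in bits 27-16, event code in bits 15-0), so EventIDCode is always the low 16 bits of EventID. The second sample payload is constructed, the qradar_event_id helper follows the page's simplified description (Source as the prefix), and the SEVERITY_NAMES mapping is the standard one for those two bits.

```python
import re

# Sample payloads in the Windows-agent key=value syslog format.
# The first is the payload quoted on this page; the second is a constructed
# Security-log event in which EventID and EventIDCode coincide.
SAMPLE_SYSTEM_EVENT = (
    "<13>Jun 15 12:17:54 TestServer AgentDevice=WindowsLog AgentLogFile=System "
    "PluginVersion=7.3.1.22 Source=Service Control Manager Computer=TestServer "
    "OriginatingComputer=10.10.10.10 User= Domain= EventID=1073748860 "
    "EventIDCode=7036 EventType=4 EventCategory=0 RecordNumber=52884 "
    "TimeGenerated=1686824240 TimeWritten=1686824240 Level=Informational "
    "Keywords=EventlogClassic Task=None Opcode=Info "
    "Message=The Network Setup Service service entered the running state."
)
SAMPLE_SECURITY_EVENT = (  # constructed for illustration
    "<13>Jun 15 12:18:02 TestServer AgentDevice=WindowsLog AgentLogFile=Security "
    "PluginVersion=7.3.1.22 Source=Microsoft-Windows-Security-Auditing "
    "Computer=TestServer OriginatingComputer=10.10.10.10 User= Domain= "
    "EventID=4624 EventIDCode=4624 EventType=8 EventCategory=12544 "
    "RecordNumber=52885 TimeGenerated=1686824282 TimeWritten=1686824282 "
    "Level=Informational Keywords=AuditSuccess Task=Logon Opcode=Info "
    "Message=An account was successfully logged on."
)

# Meaning of bits 31-30 of a Windows event instance ID.
SEVERITY_NAMES = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}


def parse_payload(payload: str) -> dict:
    """Split a key=value payload into a dict.

    Values may contain spaces (Source, Message), so the split point is any
    whitespace that is immediately followed by a new 'Key=' token. The syslog
    header before the first key is kept under '_header'. Caveat: a Message
    whose own text contains 'word=' would be cut at that point.
    """
    chunks = re.split(r"\s+(?=\w+=)", payload.strip())
    fields = {"_header": chunks[0]}
    for chunk in chunks[1:]:
        key, _, value = chunk.partition("=")
        fields[key] = value
    return fields


def decode_instance_id(instance_id: int) -> dict:
    """Break a 32-bit Windows event instance ID into its bit fields.

    Win32 message-code layout: bits 31-30 severity, bit 29 customer flag,
    bits 27-16 facility, bits 15-0 the event code. The low 16 bits are what
    the agent reports as EventIDCode.
    """
    return {
        "code": instance_id & 0xFFFF,
        "facility": (instance_id >> 16) & 0x0FFF,
        "customer": bool((instance_id >> 29) & 1),
        "severity": SEVERITY_NAMES[(instance_id >> 30) & 0x3],
    }


def event_id_code(fields: dict) -> int:
    """Return EventIDCode after checking it against the low 16 bits of EventID."""
    code = int(fields["EventIDCode"])
    derived = decode_instance_id(int(fields["EventID"]))["code"]
    if code != derived:
        raise ValueError(
            f"EventIDCode {code} does not match the low 16 bits of EventID ({derived})"
        )
    return code


def qradar_event_id(fields: dict) -> str:
    """Build the '<Source>_<EventIDCode>' form described on the page.

    Assumption: Source is the prefix. The page notes that other fields can be
    used for some event types, which this simplified helper does not model.
    """
    return f"{fields['Source']}_{event_id_code(fields)}"


if __name__ == "__main__":
    for payload in (SAMPLE_SYSTEM_EVENT, SAMPLE_SECURITY_EVENT):
        f = parse_payload(payload)
        print(f["AgentLogFile"], f["EventID"], decode_instance_id(int(f["EventID"])),
              "->", qradar_event_id(f))
```

Running the block on the page's System-log payload gives code 7036 with severity "Informational", which matches the Level=Informational field, while the constructed Security-log payload has no severity bits set, so EventID and EventIDCode are identical. That is the practical reason the "long number" appears on some events and not others.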
Document Information
Modified date:
20 December 2023
UID
ibm17100895