IBM Support

QRadar: What is the difference between EventID, EventIDCode and EventID (custom) in MS Windows Security Event Log events?

Question & Answer
Question

What is the difference between EventID, EventIDCode and EventID (custom) in MS Windows Security Event Log events? 
Which property should I be using?

Cause

When you compare a payload with the way QRadar parses it, you can see that these three properties carry different values. Sometimes the EventID is represented by a long number, while other events have a 4-digit number.
Example payload:
<13>Jun 15 12:17:54 TestServer AgentDevice=WindowsLog AgentLogFile=System	PluginVersion=7.3.1.22	Source=Service Control Manager	Computer=TestServer	OriginatingComputer=10.10.10.10	User=	Domain=	EventID=1073748860	EventIDCode=7036	EventType=4	EventCategory=0	RecordNumber=52884	TimeGenerated=1686824240	TimeWritten=1686824240	Level=Informational	Keywords=EventlogClassic	Task=None	Opcode=Info	Message=The Network Setup Service service entered the running state.
Image: Log Activity with added fields for viewing Windows® events.

Answer

The names in angle brackets <> refer to fields that are visible in the payload.
  • Event ID (in QRadar) is a combination of <Source>_<EventIDCode>, or just <EventIDCode>. Note: depending on the type of event, a field other than <Source> can be used.
  • EventIDCode is set by the Windows OS.
  • Event ID (custom) (in QRadar) equals <EventID> from the payload.
In other words, you can use any of the three properties; choose whichever value suits your rules best.
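The following Python is an added example (not IBM's or QRadar's own code) that parses a WinCollect payload like the one above and shows how the two numbers relate: in the classic Windows event log record the 32-bit EventID carries the event code in its low 16 bits and the severity in bits 30-31, so EventIDCode is EventID & 0xFFFF (7036 = 1073748860 - 2^30, the Informational severity bit). The sample payload is constructed from the page's example, and the composite QRadar value is built as <Source>_<EventIDCode> exactly as the answer describes it.

```python
"""Relate EventID to EventIDCode in a WinCollect payload (added example)."""

# Constructed sample, built from the payload shown on this page: a syslog
# header, then key=value fields (first two space-separated, rest tab-separated).
SAMPLE = (
    "<13>Jun 15 12:17:54 TestServer AgentDevice=WindowsLog AgentLogFile=System\t"
    "PluginVersion=7.3.1.22\tSource=Service Control Manager\tComputer=TestServer\t"
    "OriginatingComputer=10.10.10.10\tUser=\tDomain=\tEventID=1073748860\t"
    "EventIDCode=7036\tEventType=4\tEventCategory=0\tRecordNumber=52884\t"
    "TimeGenerated=1686824240\tTimeWritten=1686824240\tLevel=Informational\t"
    "Keywords=EventlogClassic\tTask=None\tOpcode=Info\t"
    "Message=The Network Setup Service service entered the running state."
)

# Severity encoded in bits 30-31 of a classic Windows EVENTLOGRECORD EventID.
SEVERITY = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}


def parse_wincollect_payload(payload: str) -> dict:
    """Return the key=value fields of a WinCollect payload as a dict."""
    chunks = payload[payload.index("AgentDevice="):].split("\t")
    # As in the sample, AgentDevice and AgentLogFile share one space-separated chunk.
    chunks[0:1] = chunks[0].split(" ", 1)
    fields = {}
    for chunk in chunks:
        key, _, value = chunk.partition("=")  # Message may itself contain '='
        fields[key] = value
    return fields


def decode_event_id(event_id: int) -> dict:
    """Split the 32-bit EventID into the parts Windows packs into it."""
    return {
        "code": event_id & 0xFFFF,              # what Event Viewer shows as Event ID
        "facility": (event_id >> 16) & 0x0FFF,
        "customer": (event_id >> 29) & 0x1,
        "severity": SEVERITY[(event_id >> 30) & 0x3],
    }


def check_payload(payload: str) -> dict:
    """Cross-check EventID against EventIDCode/Level and build the QRadar Event ID."""
    fields = parse_wincollect_payload(payload)
    parts = decode_event_id(int(fields["EventID"]))
    return {
        "code_matches": parts["code"] == int(fields["EventIDCode"]),
        "level_matches": parts["severity"] == fields["Level"],
        "qradar_event_id": f"{fields['Source']}_{fields['EventIDCode']}",
    }


if __name__ == "__main__":
    print(decode_event_id(1073748860))
    print(check_payload(SAMPLE))
```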


Document Information

Modified date:
20 December 2023

UID

ibm17100895