IBM Support

QRadar: Creating a report that uses a Custom Event Property (CEP)

Question & Answer


Question

How do I create a report on a value that is not a normalized field from a DSM?

Answer



About custom event properties


Custom event properties are used to extract values from event payloads for non-normalized fields in QRadar. By default, QRadar normalizes data from the event payload and populates the user interface with user names, source IP, destination IP, ports, and other standard event information that is parsed by the DSM. However, some event sources send unique information that is important to the administrator, who wants this data to appear in the user interface and to be available for reports and searches. This is where custom event properties are used: they let the administrator apply a regular expression to extract the data and populate the user interface with the information they care about. Custom properties in QRadar are easy to identify because they are all labeled with the term (custom). These properties must be enabled and optimized before they populate the user interface and can be used in searches. This technical note describes how to create a custom event property to identify the "Interface" value from a firewall payload, which can then be used in searches or reports.


For this technical note, we are interested in the interface field from Cisco ASA firewall deny messages. It is useful to be able to determine and run reports against firewall denies that are Internal, External, or Loopback.


Sample events
<162>Feb 09 2023 11:49:41: %ASA-2-106001: Inbound TCP connection denied from 192.168.1.24/58826 to 10.11.11.11/9100 flags SYN on interface External
<162>Feb 09 2023 11:49:40: %ASA-2-106001: Inbound TCP connection denied from 192.168.1.24/58826 to 10.11.11.11/9100 flags SYN on interface Loopback
<162>Feb 09 2023 11:49:17: %ASA-2-106001: Inbound TCP connection denied from 192.168.1.24/58821 to 10.11.11.11/9100 flags SYN on interface Internal


Step 1 - Creating the custom event property to locate interface values


Before you can create a custom event property, you need an example event to understand how to write your regular expression. In this case, we see that the event payload from our sample events has the word 'interface' followed by the value we want to extract in our custom event property.


Before you begin
A number of custom event properties are already included with QRadar. Before creating a new one, the administrator should review the existing custom event properties to verify that a suitable property does not already exist; many of the included properties are present but not enabled or optimized.
Procedure
  1. Log in to the QRadar user interface with any web browser.
  2. Click the Log Activity tab.
  3. Double-click a Cisco ASA firewall deny event to view the event details page.
  4. From the navigation bar, click Extract Property. The Custom Event Properties window is displayed.
  5. Configure the custom event properties values in QRadar.
  6. Click New Property.
  7. Select the Enable for use in Rules, Forwarding Profiles and Search Indexing checkbox.
  8. From the Field Type drop-down, select Alphanumeric.
  9. Type a description for the custom event property.
  10. Ensure that the Enabled checkbox is selected.
  11. In the Extraction field, type your regular expression. The regex in this case is:
    interface\s(.*)\b
  12. Click Test to validate your regular expression. The expected value from the event payload should be highlighted.
  13. If the value from the event payload was properly highlighted, click Save.
    Results
    The custom event property is now created and the user can create a search to leverage the custom property.

Step 2 - Creating a search with your custom event property


The next step is to create a search that leverages your custom event property to ensure it is returning the data you expect.

Procedure
  1. Click the Log Activity tab.
  2. From the navigation bar, select Search > New Search.

  3. In the Time Range field, select a time frame. In this example, we are going to select Recent > Last Hour.
  4. In the Group by field, add the new extracted property, which is Customer Interface (custom).
  5. In the Search Parameters field, type Log Source and select the log source for your Cisco ASA device.
  6. Click Add to add the quick filter to the search. The filter ensures that only Cisco ASA events are returned by your search.
  7. Click Search.
  8. Verify the search results are correct and that the Interface column is displayed.
  9. From the navigation bar, click Save Criteria.
  10. Type a Search Name and assign the search to one or more Groups so that it is easy to locate.
  11. Click OK.

    Results
    The search is now created and can be leveraged in QRadar reports.


Step 3 - Creating a report that uses your search criteria

Procedure
  1. Click the Reports tab.
  2. Click Actions > Create to start a new report.
  3. Using the Report Wizard, set the schedule and layout for your report.
  4. To enter a title for your report, type a title in the Report Title field.
  5. From the Chart Type drop-down, select Events/Logs.
  6. Click Define to set the report parameters.

  7. Define the parameters for the report container, such as the Chart Title, Graph Type, and Limit Events. Set Scheduling (if applicable). Select the saved search that you created in step 11 of Step 2.
  8. Click Save Container Details.
  9. Select an output format. The options are PDF, HTML, RTF, XML, or XLS.
  10. Click Next.
  11. Click Finish.


    Results
    The report template is created. If the report was not configured to run after saving, highlight the report and select Actions > Run Report to run it immediately. Depending on the schedule, there might be no data until the next day. After the report finishes, view the results by clicking the report in the Formats column.


Document Information

Modified date:
10 February 2023

UID

swg21690785