QRadar: How to add custom properties for geographic date formats in Microsoft DNS Debug events

The QRadar DNS Debug device support module (DSM) supports two different date formats by default:

• mm/dd/yyyy (US format)
• yyyy-mm-dd (similar to ISO 8601)

When you have multiple different date formats, administrators can create separate overrides in the DSM Editor for each locale that requires a unique date format. Overrides allow users to create different parsing structures for data in the event payload to ensure the output to the screen is in the proper format for users. If one or more overrides are in place, the DSM attempts to match the override to the event payload, allowing minor differences is parsing to be corrected, such as the regional changes to date formatting.

How to create a DSM Editor override for time formats

1. Log in to the QRadar Console as an administrator.
2. Click the Log Activity tab.
3. Select a Microsoft­™ DNS Debug event.
   NOTE: To highlight multiple events, users can pause the streaming event view and Press Shift + click.
4. Select Actions > DSM Editor.
   Optionally, administrators can right-click on an event and select View in DSM Editor.
5. In the DSM Editor, click the Properties tab.
6. Select the Log Source Time field.
7. Under Property Configuration, select the Override system behavior check box.
8. Select Regex from the drop-down menu.
9. In the Expression field, type a regular expression for the geographical area.
   For example, (\d{1,2})\.(\d{1,2})\.(\d{4})
   Note: The example regular expression is a Finnish date format, which displays as 25.04.2019.
10. Add a Format String to define how the regex capture groups are displayed.
    In this example, day.month.year for a Finnish date format would be $1.$2.$3
11. In the Extracted Date/Time Format field, type a date format for your local region.
    For example, dd.MM.yyyy
12. Click Save.
    
    
    Results
    The DSM Editor enables a Log Source time override for Finnish date locale to replace the default Log Source Time.

1. To create a new custom property, click the + button.
   
2. From the menu, Choose a Custom Property Definition scroll down to the end of the page.
3. Click Create New.
4. Add a Name.
   Note: The name must be unique.
5. Select Field Type Date.
6. Add a Regex for Extracted Date/Time Format for the locale you want to parse.
7. Select your Locale from the drop-down menu.
8. Optional. Click Enable this property for use in Rules and Search Indexing.
   Important: When enabled, during the parsing stage of the event pipeline, QRadar attempts to extract the custom property from events immediately as they enter the system and writes the value to disk. This option enhances performance when the property is retrieved, but can have a negative impact on performance during the event parsing process, and impacts storage.
9. Click Save.
   
10. Repeat this procedure for each new custom property date format.