Mapping events to QIDs

When the events from the sample_initiallog.txt file are received by QRadar, the Log Activity page displays them as events of the "unknown" type.

Figure: Log with "unknown" events

If the Log Activity page displays too many events arriving from different devices, you can add an event filter. In this filter, set KL_Threat_Feed_Service_v2 and KL_Verification_Tool as the log sources, using the Equals any of operator.

To correctly identify the events, set the mapping between QIDs and events:

  1. In QRadar Console, select the Log Activity tab, stop the event flow by clicking Pause in the upper-right area of the window, and then double-click any event of the "unknown" type that has "KL_Threat_Feed_Service_v2" in the Log Source column.

    Figure: Stop the event flow

    The event details are displayed. The event name is contained in the Payload information field.

  2. Click the Map Event button.

    Figure: Browsing event information

  3. In the Log Source Event window, in the QID/Name text box, type the event name. It must be one of the QIDs imported into QRadar.
  4. Click Search.

    Exactly one result is displayed in the Matching QIDs table.

    Figure: Adding the correspondence between a QID and an event name

  5. Select the table row and click OK.
  6. Repeat steps 3 through 5 for every event type (every imported QID).
  7. To verify that events and QIDs are mapped correctly, repeat the procedure for sending the set of sample events to QRadar. The Log Activity page must no longer contain any event of the "unknown" type.

    Figure: Log without "unknown" events
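The same procedure expressed as an offline check, added here as an example and not part of the Kaspersky or QRadar documentation. It assumes LEEF-formatted payloads with the event name in the EventID header field, and uses constructed sample payloads and a constructed table of imported QIDs; it models steps 3 to 5 (an event name must resolve to exactly one imported QID) and step 7 (no event may remain "unknown" after the sample set is replayed).

```python
# Constructed sample payloads (not from the page). Assumption: LEEF 1.0 events,
# with the event name as the EventID header field (5th pipe-delimited field):
# LEEF:1.0|Vendor|Product|Version|EventID|key=value ...
SAMPLE_PAYLOADS = [
    "LEEF:1.0|Kaspersky Lab|Threat Feed Service|2.0|KL_ALERT_ServiceStarted|devTime=Jan 01 2024 10:00:00",
    "LEEF:1.0|Kaspersky Lab|Threat Feed Service|2.0|KL_IP_Reputation|src=203.0.113.5",
    "LEEF:1.0|Kaspersky Lab|Threat Feed Service|2.0|KL_Malicious_Hash_MD5|md5=placeholder",
]

# Constructed table of imported QIDs: event name -> QID record id (hypothetical ids).
IMPORTED_QIDS = {
    "KL_ALERT_ServiceStarted": 2000001,
    "KL_IP_Reputation": 2000002,
    "KL_Malicious_Hash_MD5": 2000003,
}


def event_name(payload):
    """Step 1: extract the event name from the payload (LEEF EventID field)."""
    parts = payload.split("|")
    if not parts[0].startswith("LEEF:") or len(parts) < 5:
        return None
    return parts[4]


def search_qids(name, qids):
    """Step 4: the QID/Name search, modelled as a case-insensitive substring match."""
    return [q for q in qids if name.lower() in q.lower()]


def build_mapping(payloads, qids):
    """Steps 3 to 6: map every distinct event name to exactly one imported QID.
    Returns (mapping, problems); a name with no exact match, or more than one,
    is reported instead of mapped, which is what a manual operator would notice."""
    mapping, problems = {}, []
    for name in sorted({event_name(p) for p in payloads} - {None}):
        hits = search_qids(name, qids)
        exact = [h for h in hits if h.lower() == name.lower()]  # the row to select
        if len(exact) == 1:
            mapping[name] = qids[exact[0]]
        else:
            problems.append(f"{name}: {len(hits)} search hits, {len(exact)} exact (expected 1)")
    return mapping, problems


def unknown_events(payloads, mapping):
    """Step 7: after replaying the sample set, list events that would still be unknown."""
    return [p for p in payloads if event_name(p) not in mapping]
```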
