Parsing
QRadar parses received data using a suitable log source. A log source is made up of two components:
Protocol: defines how data gets into QRadar.
DSM: defines how the data is parsed. A Log Source Extension and Custom Event Properties can be attached to a log source to extend its parsing capability.
Infoblox DSM
The custom DSM is used to correctly assign an event name and event categories to Infoblox events. The event name and event categories are identified using QIDs. The following table lists the mapping of Infoblox events to QIDs. Any event whose event ID is not listed in the table below will have "Unknown" or "Infoblox Message" as its event name.
| Event ID | QID Name | High Level Category | Low Level Category |
| --- | --- | --- | --- |
| BloxOne Audit Log | BloxOne Audit Log | Audit | General Audit Event |
| DHCP-LEASE-UPDATE | DHCP-LEASE-UPDATE | System | Messages |
| DHCP-LEASE-DELETE | DHCP-LEASE-DELETE | System | Messages |
| DHCP-LEASE-ABANDON | DHCP-LEASE-ABANDON | System | Messages |
| DNS Response | DNS Response | System | Messages |
| SOC Insights | SOC Insights | System | Messages |
| Service Log | Service Log | System | Messages |
| BloxOne Atlas Notifications | BloxOne Atlas Notifications | System | Messages |
| RPZ-QNAME-PASSTHRU | RPZ-QNAME-PASSTHRU | System | Messages |
| RPZ-QNAME-NXDOMAIN | RPZ-QNAME-NXDOMAIN | System | Messages |
| SOC Insights Asset | SOC Insights Asset | System | Messages |
| SOC Insights Indicator | SOC Insights Indicator | System | Messages |
| SOC Insights Comment | SOC Insights Comment | System | Messages |
| SOC Insights Event | SOC Insights Event | System | Messages |