QRadar Custom Properties

This guide walks through adding a custom property to the Forcepoint Insights Log Source Type so that QRadar can extract a new field from the JSON event payload and surface it in searches, rules, and reports.

The example below adds a Blocked URL property that extracts the value of blockedUrl from the incoming JSON event.

Steps

  1. Open the DSM Editor
    1. Click the Admin tab in the QRadar console.
    2. In the left sidebar, expand Data Sources.
    3. Under Events, click DSM Editor.
  2. Select the Forcepoint Insights Log Source Type
    1. In the Select Log Source Type dialog:
      • Type Force in the search box.
      • Select Forcepoint Insights.
      • Click Select.
      The Properties tab opens for the Forcepoint Insights Log Source Type.

  3. Add a property
    1. On the Properties tab, click the + button next to the Filter field. The Choose a Custom Property Definition dialog appears.
      • To reuse an existing property, select it and click Select, then proceed to Step 5.
      • To create a new property, click Create New and continue to Step 4.

  4. Create the Custom Property Definition
    1. Fill in the following fields:
      • Name: for example, Blocked URL
      • Field Type: Text, Number, Date, or IP
      • Description: optional
    2. Click Save.

  5. Configure the extraction expression
    1. Select the new property in the list to expand it.
    2. Click the + next to Expressions.
    3. Set the following fields:
      • Expression Type: JSON
      • Expression: the JSON pointer to the field, for example: /blockedUrl
      • Enabled: leave set to Enabled
    4. Click OK.
    Note: For the JSON field name to use in the Expression, refer to the Script Exported Name.

  6. Click Save at the bottom right of the DSM Editor and close the window.
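Before saving the property, it helps to confirm that the pointer you intend to type into the Expression field actually lands on the right value in a real event, and that the value fits the Field Type chosen in Step 4. The script below is an added example, not part of this guide or of QRadar or Forcepoint; it assumes the DSM Editor resolves a JSON expression like /blockedUrl as an RFC 6901 JSON pointer (check the DSM Editor's own preview against a live event to confirm that), and the sample event, field names and values are constructed for illustration. The Date field type is left out because its accepted formats are deployment-specific.

```python
import ipaddress
import json

# Constructed sample event. It is NOT a real Forcepoint Insights payload;
# the field names are chosen only to exercise the pointer syntax.
SAMPLE_EVENT = json.dumps({
    "eventType": "web_block",
    "user": {"name": "jdoe", "department": "finance"},
    "blockedUrl": "https://example.invalid/blocked-download.exe",
    "clientIp": "10.0.0.5",
    "categories": ["Malicious Sites", "Executable"],
})


def resolve_pointer(document, pointer):
    """Resolve an RFC 6901 JSON pointer against a parsed JSON document.

    Returns None when any step of the path is missing, which is the
    assumed equivalent of QRadar leaving the custom property empty.
    """
    if pointer == "":
        return document
    if not pointer.startswith("/"):
        raise ValueError("JSON pointer must be empty or start with '/'")
    node = document
    for raw in pointer.split("/")[1:]:
        # RFC 6901 unescaping order matters: "~1" -> "/" first, then "~0" -> "~".
        token = raw.replace("~1", "/").replace("~0", "~")
        if isinstance(node, dict):
            if token not in node:
                return None
            node = node[token]
        elif isinstance(node, list):
            if not token.isdigit() or int(token) >= len(node):
                return None
            node = node[int(token)]
        else:
            return None
    return node


def extract_property(event_json, expression):
    """Mimic a JSON-type custom property extraction on one raw event.

    An unparseable event or a missing field yields None.
    """
    try:
        doc = json.loads(event_json)
    except json.JSONDecodeError:
        return None
    return resolve_pointer(doc, expression)


def coerce_field(value, field_type):
    """Check an extracted value against the Field Types the guide lists
    (Text, Number, IP). Returns the typed value, or None when it does not
    fit; assumed to match QRadar treating the property as not populated.
    """
    if value is None:
        return None
    if field_type == "Text":
        # Non-scalar values are serialised so nothing is silently lost.
        return value if isinstance(value, str) else json.dumps(value)
    if field_type == "Number":
        if isinstance(value, bool):
            return None
        if isinstance(value, (int, float)):
            return value
        try:
            return float(value)
        except (TypeError, ValueError):
            return None
    if field_type == "IP":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    raise ValueError(f"unsupported field type: {field_type}")


if __name__ == "__main__":
    # Dry run of several candidate expressions against the sample event.
    checks = [
        ("/blockedUrl", "Text"),
        ("/user/name", "Text"),
        ("/clientIp", "IP"),
        ("/categories/0", "Text"),
        ("/missingField", "Text"),
    ]
    for expr, ftype in checks:
        raw = extract_property(SAMPLE_EVENT, expr)
        print(f"{expr:>15} as {ftype:<6} -> {coerce_field(raw, ftype)!r}")
```

Run it with a captured event pasted in place of SAMPLE_EVENT; if the pointer prints None, the expression (or the Script Exported Name it is based on) is wrong and the property would stay empty in searches and rules after Save.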