Custom Event Properties

Perform the following steps to customize event properties:

  1. Go to Admin > Log Sources.

    Ensure that the QualysFimMultiline and QualysFIMIncidents log sources are Enabled.

  2. Go to Admin > Custom Event Properties.

    Confirm that all 51 Qualys-related properties are Enabled and that each is linked to the Qualys FIM JSON or Qualys FIM INCIDENTS log source type.

The following table lists the Qualys-related properties:

| Field name | Expression | Log Source Type |
|---|---|---|
| Absolute File Path | /"fullPath" | Qualys FIM JSON |
| Absolute Process Path | /"actor"/"imagePath" | Qualys FIM JSON |
| Action | /"action" | Qualys FIM JSON |
| Agent Version | /"asset"/"agentVersion" | Qualys FIM JSON |
| Asset Interfaces | /"assetInterfaces" | Qualys FIM JSON |
| Asset Name | /"asset"/"name" | Qualys FIM JSON |
| Asset Tags | /"asset"/"tags"[] | Qualys FIM JSON |
| Attribute New | /"attributes"/"new"[] | Qualys FIM JSON |
| Attribute Old | /"attributes"/"old"[] | Qualys FIM JSON |
| Category name | /"profiles"[0]/"category"/"name" | Qualys FIM JSON |
| Event Alert | /"name" | Qualys FIM JSON |
| Event Incident Id | /"incidentId" | Qualys FIM JSON |
| Event Incident Name | /"incidentName" | Qualys FIM JSON |
| Event UUID | /"id" | Qualys FIM JSON |
| Event Type | /"type" | Qualys FIM JSON |
| File Certificate Hash | /"fileCertificateHash" | Qualys FIM JSON |
| File Hash | /"fileContentHash" | Qualys FIM JSON |
| File Reputation Status | /"reputationStatus" | Qualys FIM JSON |
| File Trust Status | /"trustStatus" | Qualys FIM JSON |
| Incident Approval Status | /"approvalStatus" | Qualys FIM INCIDENTS |
| Incident Approval Type | /"approvalType" | Qualys FIM INCIDENTS |
| Incident Assignee | /"reviewers"[] | Qualys FIM INCIDENTS |
| Incident Change Type | /"changeType" | Qualys FIM INCIDENTS |
| Incident Correlation Rule ID | /"ruleId" | Qualys FIM INCIDENTS |
| Incident Correlation Rule Name | /"ruleName" | Qualys FIM INCIDENTS |
| Incident Disposition Category | /"dispositionCategory" | Qualys FIM INCIDENTS |
| Incident ID | /"id" | Qualys FIM INCIDENTS |
| Incident Name | /"name" | Qualys FIM INCIDENTS |
| Incident Status | /"status" | Qualys FIM INCIDENTS |
| Incident Type | /"type" | Qualys FIM INCIDENTS |
| Monitoring Profile | /"profiles"[0]/"name" | Qualys FIM JSON |
| New Content | /"newContent" | Qualys FIM JSON |
| New Registry Value Content | /"newRegistryValueContent" | Qualys FIM JSON |
| New Registry Value Type | /"newRegistryValueType" | Qualys FIM JSON |
| Old Content | /"oldContent" | Qualys FIM JSON |
| Old Registry Value Content | /"oldRegistryValueContent" | Qualys FIM JSON |
| Old Registry Value Type | /"oldRegistryValueType" | Qualys FIM JSON |
| Platform | /"platform" | Qualys FIM JSON |
| Process ID | /"actor"/"processID" | Qualys FIM JSON |
| Process Name | /"actor"/"process" | Qualys FIM JSON |
| Registry Name | /"registryName" | Qualys FIM JSON |
| Registry Path | /"registryPath" | Qualys FIM JSON |
| Rules ID | /"profiles"[0]/"rules"[0]/"id" | Qualys FIM JSON |
| Rules name | /"profiles"[0]/"rules"[0]/"name" | Qualys FIM JSON |
| Section ID | /"profiles"[0]/"rules"[0]/"section"/"id" | Qualys FIM JSON |
| Section Name | /"profiles"[0]/"rules"[0]/"section"/"name" | Qualys FIM JSON |
| Source Host Name | /"asset"/"interfaces"[0]/"hostname" | Qualys FIM JSON |
| User ID | /"actor"/"userID" | Qualys FIM JSON |
| Qradar Data Type | /"qradarDataType" | Qualys FIM INCIDENTS |
| Qradar Event Type | /"qradarEventType" | Qualys FIM JSON |
| Severity Level | /"severity" | Qualys FIM JSON |

For the Qualys-related properties, check the following points:
  1. If any property is disabled, enable it.
  2. If any property does not belong to the Qualys FIM JSON/Qualys FIM Incidents log source type, open it to edit and select Qualys FIM JSON or Qualys FIM Incidents as the log source type.
  3. Do not select any specific log source. Select All in the drop-down list.
  4. Select the Category, with High-Level Category as System and Low-Level Category as Information.
  5. Provide the JSON or Incident expression from the above table in the Extraction using section.
  6. Finally, save the properties.

After any change to Custom Event Properties, it is recommended to perform Deploy Full Configuration.
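
An added example, not part of the Qualys or QRadar documentation: a Python evaluator for the expression notation used in the table, run against a constructed event to list which properties would extract nothing. It approximates the notation (quoted keys, [n] for an index, [] for the whole array) and is not QRadar's own parser; the function names, the PROPERTIES subset and the sample event values are assumptions.

```python
import json
import re

# One step of an expression: /"key" optionally followed by [n] or [].
_STEP = re.compile(r'/"([^"]+)"((?:\[\d*\])*)')

def parse_keypath(expr):
    """Split e.g. /"profiles"[0]/"name" into (kind, value) steps."""
    steps, pos = [], 0
    for m in _STEP.finditer(expr):
        if m.start() != pos:          # unparsed characters between steps
            break
        steps.append(("key", m.group(1)))
        for idx in re.findall(r"\[(\d*)\]", m.group(2)):
            steps.append(("index", int(idx)) if idx else ("all", None))
        pos = m.end()
    if not steps or pos != len(expr):
        raise ValueError(f"cannot parse expression: {expr!r}")
    return steps

def extract(event, expr):
    """Return the value at expr, or None when any step does not resolve."""
    node = event
    for kind, value in parse_keypath(expr):
        if kind == "key":
            node = node.get(value) if isinstance(node, dict) else None
        elif kind == "index":
            node = node[value] if isinstance(node, list) and value < len(node) else None
        elif not isinstance(node, list):   # "all" ([]) keeps the whole array
            node = None
        if node is None:
            return None
    return node

PROPERTIES = {  # subset of the table above
    "Absolute File Path": '/"fullPath"',
    "Asset Tags": '/"asset"/"tags"[]',
    "Rules name": '/"profiles"[0]/"rules"[0]/"name"',
    "Source Host Name": '/"asset"/"interfaces"[0]/"hostname"',
    "Severity Level": '/"severity"',
}

# Constructed sample event: keys follow the table, values are invented.
SAMPLE_EVENT = json.loads("""
{"fullPath": "/etc/passwd", "severity": 4,
 "asset": {"name": "web01", "tags": ["prod", "linux"], "interfaces": []},
 "profiles": [{"name": "Linux baseline", "rules": [{"name": "etc files"}]}]}
""")

def missing_properties(event, properties=PROPERTIES):
    """Names of properties whose expression yields no value for this event."""
    return sorted(n for n, e in properties.items() if extract(event, e) is None)
```

Running missing_properties on a captured payload before saving the properties shows which fields would stay empty in QRadar, here the hostname because the interfaces array is empty.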
