Kaspersky CyberTrace

Mapping events to QIDs

27 February 2024

ID 171613

When the events from the sample_initiallog.txt file are received by QRadar, the Log Activity page may display them as having the "unknown", "Unknown Kaspersky Threat Feed Service Event", or another descriptive name, instead of a standard value (for example, "KL_Threat_Feed_Service" or "CyberCrime_Tracker_Block_Url"). This may result in duplicating unrelated events.

Log Activity page with "unknown" events.

Log with "unknown" events

If the Log Activity page displays too many events that arrive from different devices, you can add an event filter. In this event filter, set KL_Threat_Feed_Service_v2 and KL_Verification_Tool as the log sources (the operator used in the filter must be Equals any of).

To correctly identify the events, set the mapping between QIDs and events:

  1. In QRadar Console, select the Log Activity tab, stop the events flow by clicking Pause (Pause icon in QRadar.) in the upper-right area of the window, and then double-click any event that has an incorrect name and "KL_Threat_Feed_Service_v2" in the Log Source column.

    Stop the events flow in QRadar Console.

    Stop the events flow

    The event information will be displayed. The event name will be contained in Payload information.

  2. Click the Map Event button.

    Event Information window in QRadar.

    Browsing event information

  3. In the Log Source Event window in the QID/Name text box, type the event name. It must be one of the QIDs imported to QRadar.
  4. Click Search.

    One result will be displayed in the Matching QIDs table.

    Log Source Event window in QRadar.

    Adding the correspondence between a QID and an event name

  5. Select the table row, and then click OK.
  6. Perform steps 3, 4, and 5 for all event types (imported QIDs).
  7. To ensure that events and QIDs are mapped correctly, repeat the procedure for sending a set of events to QRadar. The Log Activity page must not contain any event with an incorrect name.

    Log Activity page without "unknown" events.

    Log without "unknown" events

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.