Why is the EDR event not parsing correctly in QRadar?
search cancel

Why is the EDR event not parsing correctly in QRadar?

book

Article ID: 221983

calendar_today

Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

  • The Symantec EDR event is not parsing correctly in the EDR App for QRadar.
  • Some fields in the event information of the Symantec EDR App for QRadar may not display information originally shown in the event payload in EDR.
  • Why is the SHA2 field not displaying in QRadar?

Environment

  • Symantec EDR App for QRadar version 1.5
  • All versions of Symnatec EDR 

Cause

The Symantec EDR device support module (DSM) is not assigning the event names and categories correctly.  The EDR events to QID mappings are not stored or configured correctly in the App.

See below image, the sha2 is not displaying for its corresponding EDR event because the proper mapping is not configured.

Resolution

The file sha_2  property name is used as the example here.  It is required that the EDR event being forwarded have the corresponding property name field populated with valid data before following these steps for any property that is not being displayed correctly.  This will only apply to new events that are being received by the Symantec EDR app for QRadar after the corresponding property name is changed using the following steps.

  1. Open the DSM editor in QRadar
  2. click to add an expression under file_sha2
  3. Add an expression type regex and the expression "sha2": "([\S\s]+?)"

  4. Click to save
  5. The sha2 should now be displayed for new events forwarded from EDR that include this property in the original event being forwarded.

Additional Information

The article Symantec EDR App for QRadar 1.5.0 includes a PDF attachment which includes the documentation written for the Symantec EDR App for QRadar.  The Symantec_EDR_app_for_QRadar_1.5.0.pdf includes a list of custom regular expressions that can be used to correct similar issues with other event properties that are not being displayed as expected.  The supported property names and regular expressions are listed on pages 9 - 12.
https://knowledge.broadcom.com/external/article/195233/

Example:

Powered by Wolken Software