
[STRM/JSA] How to Create Custom QIDs


Article ID: KB14995 | KB Last Updated: 30 Nov 2019 | Version: 3.0
Summary:

All events are mapped to pre-defined unique identifiers (QIDs). In some situations it is necessary to create custom QIDs and map events to them.

Symptoms:
  • An event maps to the wrong QID
  • There is no QID for my events
  • How to map events to custom QIDs
Solution:

When an event is received, it is parsed and mapped to a QID (a unique ID that identifies the type of event). In some instances an event is mapped incorrectly, or no QID exists for the event type. In such situations a custom QID can be created from the CLI and the event mapped to it from the web UI.

To Create a Custom QID

A custom QID must be created under an existing low-level category, so first identify the low-level category under which you want to create it. The following example creates a custom QID under the low-level category "Host Login Failed" (high-level category Authentication):

  1. Log in to the CLI and find the low-level category ID (first column) for the category you want. This ID, not a QID, is what the create command takes as --lowlevelcategoryid:
    [root@strm500-2 log]# /opt/qradar/bin/qidmap_cli.sh -l | grep Authentication
    3001        Unknown Authentication                                      Authentication      
    3002        Host Login Succeeded                                        Authentication      
    3003        Host Login Failed                                           Authentication      
    3004        Misc Login Succeeded                                        Authentication      
    3005        Misc Login Failed                                           Authentication      
    3006        Privilege Escalation Failed                                 Authentication      
    3007        Privilege Escalation Succeeded                              Authentication      
    3008        Mail Service Login Succeeded                                Authentication      
    3009        Mail Service Login Failed                                   Authentication      
    3010        Auth Server Login Failed                                    Authentication      
    3011        Auth Server Login Succeeded                                 Authentication      
    [root@strm500-2 log]# 
  2. Create the QID map entry. The example below creates a new QID under the low-level category "Host Login Failed" (ID 3003); note the QID number that the command assigns (here 2000002), because the web UI mapping refers to it:

    [root@strm2500-2 ~]# /opt/qradar/bin/qidmap_cli.sh -c --qname jtac_login_failed --qdescription JTAC_FAILED_LOGINS_QID --severity 2 --lowlevelcategoryid 3003
    Created entry:
            qid: 2000002
            name: jtac_login_failed
            description: JTAC_FAILED_LOGINS_QID
            severity: 2
            low level category id: 3003
            ratethreshold: 0
            catpipename: Echo
            rateshortwindow: 0
            ratelongwindow: 0
            reverseip: false
            rateinterval: 0
    
  3. To verify the custom QIDs that exist on the system, export them. Each line lists the QID, name, description, severity and low-level category ID:
    [root@strm2500-2 ~]# /opt/qradar/bin/qidmap_cli.sh -e
    2000002,jtac_login_failed,JTAC_FAILED_LOGINS_QID,2,3003
    2000001,jtac_login,JTAC_NEW_QID,2,3002
    [root@strm500-2 log]# 
  4. Map the events to the new custom QID from the web UI:
    • Log in to the web UI.
    • Select the event you want to remap and double-click it to open the event details.
    • Click "Map Event".
    • Select the QID created from the CLI (search for the name given to --qname).
    • In this example, all new events for "Linux Misc Login Failed" will be mapped to "jtac_login_failed".

Note: Creating new low-level categories is not possible at this time; a custom QID can only be attached to one of the categories listed by qidmap_cli.sh -l. Additionally, use extreme caution when creating custom QIDs: they cannot be deleted through the web UI or with the script if a mistake is made. If you absolutely must delete a QID, open a service request with JTAC via MyJuniper Service Request Manager (MYJ-SRM).
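The CLI part of this procedure (steps 1 to 3), wrapped with the pre-checks that the note above makes worth doing, as an added shell example that is not part of this KB article. Because a custom QID cannot be deleted, it verifies that the low-level category ID appears in the qidmap_cli.sh -l listing and that the name is not already in the qidmap_cli.sh -e export before running the create command. The /opt/qradar/bin/qidmap_cli.sh path and its -l, -e and -c options are the ones the article shows; the function names, the DRY_RUN variable and the two sample listings (constructed to match the article's output format so the example runs offline) are assumptions.

```shell
#!/bin/sh
# Added example, not from the KB article. Guards custom-QID creation with the
# checks a practitioner wants because custom QIDs cannot be deleted afterwards.
# Assumed names: llc_name, qid_name_taken, create_custom_qid, DRY_RUN.

QIDMAP=${QIDMAP:-/opt/qradar/bin/qidmap_cli.sh}

# Constructed sample of `qidmap_cli.sh -l` output
# (columns: low-level category id, low-level category, high-level category).
SAMPLE_LLC='3001        Unknown Authentication                                      Authentication
3002        Host Login Succeeded                                        Authentication
3003        Host Login Failed                                           Authentication'

# Constructed sample of `qidmap_cli.sh -e` output
# (qid,name,description,severity,low-level category id).
SAMPLE_EXPORT='2000002,jtac_login_failed,JTAC_FAILED_LOGINS_QID,2,3003
2000001,jtac_login,JTAC_NEW_QID,2,3002'

# llc_name ID LISTING: print the low-level category name for ID; status 1 if absent.
llc_name() {
    printf '%s\n' "$2" | awk -v id="$1" '
        $1 == id {
            line = $0
            sub(/^[0-9]+ +/, "", line)        # drop the id column
            i = index(line, "  ")             # name ends at the first double space
            print (i ? substr(line, 1, i - 1) : line)
            found = 1
        }
        END { exit !found }'
}

# qid_name_taken NAME EXPORT: status 0 if NAME is already a custom QID name.
qid_name_taken() {
    printf '%s\n' "$2" | awk -F, -v n="$1" '$2 == n { found = 1 } END { exit !found }'
}

# create_custom_qid NAME DESCRIPTION SEVERITY LLCID [LISTING] [EXPORT]
# Runs the checks, then executes qidmap_cli.sh -c (or only prints the command
# when DRY_RUN=1). LISTING and EXPORT default to live qidmap_cli.sh output;
# pass them explicitly to test offline, as the demo at the bottom does.
create_custom_qid() {
    name=$1 desc=$2 sev=$3 llc=$4
    listing=${5:-$("$QIDMAP" -l)}
    exported=${6:-$("$QIDMAP" -e)}

    case $sev in
        ''|*[!0-9]*) echo "severity must be a non-negative integer, got '$sev'" >&2; return 2 ;;
    esac
    if ! cat_name=$(llc_name "$llc" "$listing"); then
        echo "low-level category id $llc not listed; new categories cannot be created" >&2
        return 3
    fi
    if qid_name_taken "$name" "$exported"; then
        echo "custom QID '$name' already exists; custom QIDs cannot be deleted, refusing" >&2
        return 4
    fi
    echo "creating '$name' under low-level category $llc ($cat_name)" >&2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$QIDMAP -c --qname $name --qdescription $desc --severity $sev --lowlevelcategoryid $llc"
    else
        "$QIDMAP" -c --qname "$name" --qdescription "$desc" --severity "$sev" --lowlevelcategoryid "$llc"
    fi
}

# Demo on the constructed samples; on a live console drop the last two arguments and DRY_RUN.
DRY_RUN=1 create_custom_qid jtac_ssh_failed JTAC_SSH_QID 3 3003 "$SAMPLE_LLC" "$SAMPLE_EXPORT"
```

The name check matters more than it looks: qidmap_cli.sh -c assigns the next free number in the custom range, so re-running a create command by mistake leaves a second, permanent QID with the same name. Step 4 of the procedure stays manual, since the web UI is where the event-to-QID mapping is made.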

Modification History:
2019-11-30: Minor non-technical update.
2019-11-14: Article reviewed for accuracy. No changes made. Article is correct and complete.