One of the tasks that app developers will frequently encounter is the need to define new custom properties for a specific log source. When extracting a custom property from a log, it is critical that the regular expression be as efficient as possible, to reduce demands on the QRadar pipeline.

We recently ran a QRadar Open Mic on custom properties. Here is a link to the presentation and YouTube video. We highly recommend that any app developer who is planning to ship a custom property read these materials and watch the video to learn best practices in this area.

As always, if you have any questions on this topic, please post them in the app development forum!
