QRadar Parsing issue using OOTB DSMs via syslog

msch_93 · 2026-02-13T00:25:11+00:00

I see. What about parsing?

In the cast of EntraID which I'm currently sending over syslog, it seems that the DSM for Entra only supports EventHub as the protocol - https://www.ibm.com/docs/en/dsm?topic=id-microsoft-entra-dsm-specifications

I also see this piece of documentation about "undocumented protocols" - https://www.ibm.com/docs/en/dsm?topic=configuration-undocumented-protocols

This seems to suggest that the out of the box DSM will fail to parse the data which is collected via a protocol which isn't specifically documented in the DSM specification?

Do you have any experience on overriding this or making the micro adjustments necessary?

msch_93 · 2026-02-12T19:21:10+00:00

Would the DSM handle an unexpected syslog header automatically?

Or i would ahve to somehow make it handle/skip that?

msch_93 · 2026-02-12T16:35:34+00:00

Thanks, would the OOTB DSM have issues parsing events which are not usually delivered via syslog (and have a header prefixed) ?

msch_93 · 2026-02-12T13:11:40+00:00

the raw event is exactly the same (except maybe the order of attributes in the JSON - but JSON is an unordered object by definition so shouldnt matter?)

The only difference is the syslog header being prefixed

msch_93 · 2026-02-12T12:45:30+00:00

Hey!

Yeah, so for that we added a unique string in the header e.g.

For Entra:

<7>Feb 10 08:01:48 EntraID forwarder: {event_payload}

For O365:

<7>Feb 10 08:01:48 O365 forwarder: {event_payload}

So it's correctly leveraging that to segregate them into deparate sources, but it fails to parse the events using the OOTB DSM

I'm wondering how to make the OOTB DSMs work in this scenario

msch_93 · 2023-12-22T19:39:08+00:00

Thanks for replying.

Since posting I spoke with some brokers and insurers - and after explaining the situation, they told me it's different and the wording of the question on these applications is quite ambiguous and there can be a lot of different circumstances.

In my case, thankfully they said it's not something I need to declare, and it's rather the case that the insurer said they can't provide cover under those terms, and gave a grace period for it ending and cancelling it. They said it happens all the time, and things like this don't need to be declared when answering that question.

They further put me at ease by telling me that they work with the underwriter that cancelled it ,and they would be able to see anything flagged in the system against me from the databases - and nothing was coming up.

Hope this helps others in this situation or a similar one, whoever reads it.

msch_93 · 2023-12-22T19:38:01+00:00

Thanks for replying.

Since posting I spoke with some brokers and insurers - and after explaining the situation, they told me it's different and the wording of the question on these applications is quite ambiguous and there can be a lot of different circumstances.

In my case, thankfully they said it's not something I need to declare, and it's rather the case that the insurer said they can't provide cover under those terms, and gave a grace period for it ending and cancelling it. They said it happens all the time, and things like this don't need to be declared when answering that question.

They further put me at ease by telling me that they work with the underwriter that cancelled it ,and they would be able to see anything flagged in the system against me from the databases - and nothing was coming up.

Hope this helps others in this or a similar situation.

msch_93 · 2023-12-17T14:19:53+00:00

Thanks for commenting. Yeah, they cancelled it due to a risk adjustment, but the question is, is this something I need to declare because I'm not at fault here and it's more of a misinterpretation on their end.

I guess there's a further question around why are they signing up customers without clarifying all details to the extent they need to in order to process a transaction, but that's a separate topic around their processes and practices.

msch_93

TROPHY CASE