Question 4
A client has configured a log source to forward events to IBM Security QRadar SIEM V7.2.7. It is recommended that the log source level be configured at the notice level by the DSM Guide, but the client has a policy to log all events at a debug level.
The Deployment Professional notices that the configured DSM is parsing most events, but some are being labeled as stored. The client is very interested in correlating some of the events that are being stored.
What should be created to meet this client's goal?
Custom DSM for parsing overrule
Custom DSM for parsing enhancement
Correct answer: D
Explanation:
Parsing Enhancement - When the DSM is unable to parse correctly and the event is categorized as stored, the selected log source extension extends the failing parsing by creating a new event as if the new event came from the DSM. References: IBM Security QRadar SIEM Version 7.1.0 MR1, Log Sources User Guide, page 6