Verifying CEF Event mapped on qRadar as Asset ManagerSpectreCustom_ext event

To confirm that Asset Manager CEF events mapped successfully to qRadar:

  1. First, verify log activity on qRadar.
  2. Confirm that the Event Names you see listed are similar to this sample and properly represent events generated by Asset Manager.

  3. Verify that the Log Source is Asset Manager.
  4. Verify that the Low Level Category is set to Information.
  5. Verify that the Source IP is set to the Asset Manager Command Center's IP.
  6. Double-click any Event to open its details screen.
  7. Verify that the custom labels Device Product, Device Vendor, Device Version, c6a3, cn1, cn1Label, dhost, and suser are set to the values defined in the CEF to qRadar Property Mapping.
  8. Verify Payload Information shows the CEF event format.
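
Steps 7 and 8 can be cross-checked outside the console by parsing the raw text copied from Payload Information and confirming that it carries every field step 7 lists. The script below is an added example, not Asset Manager or qRadar code; the function names, vendor string and sample payloads are constructed for illustration. It checks only the payload, not the qRadar property mapping itself.

```python
import re

HEADER = ["CEF Version", "Device Vendor", "Device Product", "Device Version",
          "Device Event Class ID", "Name", "Severity"]
# Fields that step 7 expects to see populated on the event.
REQUIRED = ["Device Vendor", "Device Product", "Device Version",
            "c6a3", "cn1", "cn1Label", "dhost", "suser"]

def parse_cef(payload):
    """Return one dict holding the 7 CEF header fields and the extension keys."""
    start = payload.find("CEF:")  # ignore any syslog prefix before the marker
    if start < 0:
        raise ValueError("payload has no CEF: marker")
    body, fields, cur, i = payload[start + 4:], [], "", 0
    while i < len(body) and len(fields) < 7:
        if body[i] == "\\" and i + 1 < len(body):  # \| and \\ are escapes
            cur, i = cur + body[i + 1], i + 2
            continue
        if body[i] == "|":
            fields.append(cur)
            cur = ""
        else:
            cur += body[i]
        i += 1
    if len(fields) == 6:  # header ended without an extension part
        fields.append(cur)
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    event = dict(zip(HEADER, fields))
    # Extension: space-separated key=value pairs whose values may contain spaces.
    pair = re.compile(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s+\w+=|\s*$)")
    for key, value in pair.findall(body[i:]):
        event[key] = re.sub(r"\\([=\\])", r"\1", value)
    return event

def missing_fields(payload):
    """List the step-7 fields that are absent or empty in the payload."""
    event = parse_cef(payload)
    return [name for name in REQUIRED if not event.get(name)]

# Constructed sample payloads (not taken from a real Asset Manager system).
GOOD = ("<134>Jan 01 00:00:00 cc01 CEF:0|ExampleVendor|Asset Manager|1.0|100|"
        "Device discovered|3|cn1=42 cn1Label=Asset Count dhost=host01.example.test "
        "suser=jdoe c6a3=2001:db8::10")
BAD = "CEF:0|ExampleVendor|Asset Manager|1.0|100|Device discovered|3|cn1=42 dhost=host01"

if __name__ == "__main__":
    print(missing_fields(GOOD))  # []
    print(missing_fields(BAD))   # ['c6a3', 'cn1Label', 'suser']
```

A non-empty result means the event left the source without a field the mapping depends on, so the gap is on the sending side rather than in the qRadar mapping.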