Creating a Custom Property
Create a custom property to extract data that JSA does not typically show from the event or flow payloads. Custom properties must be enabled, and extraction-based custom properties must be parsed, before you can use them in rules, searches, reports, or for offense indexing.
JSA includes a number of existing custom event properties that are not enabled or parsed by default. Before you create a new one, ask your administrator to check whether a custom event property that extracts the same data already exists.
To create custom event properties, you must have the User Defined Event Properties permission. To create custom flow properties, you must have the User Defined Flow Properties permission.
Users with administrative capabilities can create custom event and flow properties by selecting Custom Event Properties or Custom Flow Properties on the Admin tab.
Although multiple default custom properties might have the same name and the same log source, they can have different regex expressions, event names, or categories. For example, there are multiple custom properties for Microsoft Windows Security Event Log called AccountName, but each one is defined by a unique regex expression.
- Click the Log Activity tab or the Network Activity tab.
- If you are viewing the events or flows in streaming mode, click the Pause icon to pause streaming.
- Double-click the event or flow that contains the data that you want to extract, and then click Extract Property.
- In the Property Type Selection pane, select the type of custom property that you want to create.
- Configure the custom property parameters.
Click the help icon to see information about the custom property parameters.
- If you are creating an extraction-based custom property, click Parse in advance for rules, reports, and searches. Optional: Click Test to test the expression against the payload.
- Click Save.
Use the enabled custom properties in custom rules, searches, offense indexing, and reporting.
To use the custom property in a search, you must select it from the list of available columns when you define the search criteria.
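The Test step above checks a regex against one payload before the property is enabled and parsed. The following added example (not JSA code; the payloads, log source type, event names and the "capture group 1" extraction rule are constructed assumptions) models that check offline, including the case from the note above where two AccountName properties share a name and log source but use different regexes:

```python
import re
from dataclasses import dataclass

# Constructed sample payloads (not real log data), shaped like Windows
# Security Event Log messages as a collector might forward them to JSA.
LOGON_PAYLOAD = ("<13>Jan 10 12:00:00 winhost AgentDevice=WindowsLog "
                 "EventID=4624 Account Name: jsmith Logon Type: 3")
FAILED_PAYLOAD = ("<13>Jan 10 12:00:05 winhost AgentDevice=WindowsLog "
                  "EventID=4625 Account Name:\tbackup_svc Failure Reason: x")


@dataclass(frozen=True)
class CustomProperty:
    """Extraction-based custom property: one regex, one capture group."""
    name: str
    log_source_type: str
    event_name: str          # event this definition applies to (assumed)
    regex: str
    capture_group: int = 1   # assumption: the group whose text is extracted

    def check(self):
        """Problems a reviewer would catch before enabling the property."""
        issues = []
        try:
            groups = re.compile(self.regex).groups
        except re.error as exc:
            return [f"regex does not compile: {exc}"]
        if groups < self.capture_group:
            issues.append("regex has no capture group to extract from")
        return issues

    def test(self, payload):
        """Mimic the Test button: extracted value, or None if no match."""
        m = re.search(self.regex, payload)
        if not m or m.re.groups < self.capture_group:
            return None
        return m.group(self.capture_group)


# Same name and log source, different regex per event (constructed names)
PROPERTIES = [
    CustomProperty("AccountName", "Microsoft Windows Security Event Log",
                   "Logon success", r"EventID=4624.*?Account Name:\s+(\S+)"),
    CustomProperty("AccountName", "Microsoft Windows Security Event Log",
                   "Logon failure", r"EventID=4625.*?Account Name:\s+(\S+)"),
]


def extract_all(payload):
    """Map event_name -> value for every property that matches the payload."""
    return {p.event_name: v for p in PROPERTIES
            if (v := p.test(payload)) is not None}
```

Running `check()` on a definition before saving it catches the common mistake of a regex that matches but captures nothing, which would parse cleanly yet index no value.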