In the context of QRadar, what are "derived properties"?


Derived properties in QRadar refer to attributes that are extracted from raw log data during the processing and normalization stages. These properties are created by QRadar’s parsing logic, allowing the system to convert raw log entries into a structured format that can be easily analyzed and queried. For instance, if a log entry includes information such as IP addresses, user IDs, and event types, derived properties will extract and categorize these elements, enabling precise searches and reporting within QRadar’s user interface.

Predefined settings, manually assigned values, and static analysis parameters each have a role within the QRadar ecosystem, but none of them constitutes a derived property. Derived properties are specifically the fields QRadar extracts and builds from incoming log data, which is what lets the platform provide insights and support investigations on structured data created from unstructured log sources. This is a fundamental part of effective security event management, since it underpins pattern identification, alert generation, and compliance reporting.
