Hello @Fidel Castro Armario ,
We have a client that receives alerts with the same Summary, "Qradar Offense Alert", and they need to parse a line from the Description value in the Description field and make it the Summary.
I achieved it with Leading Delimiter: Description:\s and Trailing Delimiter: \sEvent count.
But the trick is we have 3 types of Description content like you see in the screenshot and they are:
1) Description: Non-Browser Client
2) Description: Exploit Followed by Suspicious Host Activity - Chained containing Success Audit: The domain controller validated the credentials for an account
3) Description: Resolving Error preceded by Built UDP connection
The first one works well with the delimiters I provided above, but for the 2nd and 3rd it parses the full Description, where we only need "Exploit Followed by Suspicious Host Activity - Chained" and "Resolving Error" and nothing after the "containing" and "preceded" keywords.
Please let me know if you are able to understand my requirement.
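The extraction asked for above, as an added example that is not part of the original post or of any product's own code: a Python regular expression that keeps the post's leading delimiter and stops the capture at the first of "containing", "preceded by", or the post's "Event count" trailing delimiter. The sample alert bodies, the `Offense ID` field and the function name are constructed for illustration, and the delimiter fields of the alerting product may use a different regex dialect.

```python
import re

# Leading delimiter from the post, then a lazy capture. The lookahead ends the
# capture at whichever comes first: " containing ", " preceded by ", the post's
# trailing delimiter " Event count", or the end of the line.
SUMMARY_RE = re.compile(
    r"Description:[ \t]*(?P<summary>.+?)"
    r"(?=\s+(?:containing|preceded by)\s|\s+Event count|\s*$)",
    re.MULTILINE,
)

DEFAULT_SUMMARY = "Qradar Offense Alert"  # the generic Summary quoted in the post


def extract_summary(alert_text, fallback=DEFAULT_SUMMARY):
    """Return the rule name from the Description field, or the fallback.

    Matching is case-sensitive, so "Followed by" inside a rule name does not
    end the capture. A rule name that itself contains " containing " or
    " preceded by " would be cut short (assumption: none does).
    """
    match = SUMMARY_RE.search(alert_text)
    if not match:
        return fallback
    # An empty Description field yields only whitespace: keep the fallback.
    return match.group("summary").strip() or fallback


# Constructed sample alert bodies covering the three Description types.
SAMPLES = [
    "Offense ID: 101 Description: Non-Browser Client Event count: 3",
    "Offense ID: 102 Description: Exploit Followed by Suspicious Host Activity"
    " - Chained containing Success Audit: The domain controller validated the"
    " credentials for an account Event count: 12",
    "Offense ID: 103 Description: Resolving Error preceded by Built UDP"
    " connection\nEvent count: 7",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(extract_summary(body))
```
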