Microsoft ISA
Use the IBM Security QRadar Custom Properties for Microsoft ISA to closely monitor your Microsoft ISA deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Microsoft ISA 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Microsoft ISA 1.0.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| BytesReceived | Yes | 1 | sc-bytes=(\d+) (?i)Bytes Received=(\d+) |
| BytesSent | No | 1 | (?i)Bytes Sent=(\d+) cs-bytes=(\d+) |
| Error Code | Yes | 1 | error-info=(.*?)\t (?i)Error info=(.*?)\t |
| Hostname | Yes | 1 | (?i)Server Name=(.*?)\t r-host=(.*?)\t |
| Method | No | 1 | (?i)HTTP Method=(.*?)\t s-operation=(.*?)\t |
| Referrer URL | Yes | 1 | cs-referred=(.*?)\t (?i)Referring Server=(.*?)\t |
| Rule Name | Yes | 1 | rule=(.*?)\t (?i)Rule=(.*?)\t |
| Service Name | Yes | 1 | (?i)Service=(.*?)\t |
| URL | Yes | 1 | cs-uri=(.*?)\t (?i)URL=(.*?)\t |
| UrlHost | Yes | 1 | cs-uri=(?:http\|ftp\|tcp\|ssl\|https):\/\/(.*?)\/ (?i)URL=(?:http\|ftp\|tcp\|ssl\|https):\/\/(.*?)\/ |
| User Agent | Yes | 1 | (?i)Client Agent=(.*?)\t c-agent=(.*?)\t |
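
The following Python check is an added example, not part of the IBM content extension. It runs several of the expressions from the table against constructed payloads to show what capture group 1 returns, including two edge cases. It assumes that each Regex cell holds two alternative expressions, that fields are tab-separated `key=value` pairs, and that Python's `re` module treats these patterns the same way as the QRadar regex engine; the `extract` helper and the sample payloads are hypothetical.

```python
import re

# Expressions copied from the Regex column; each cell is read as two alternatives.
PROPERTIES = {
    "BytesReceived": [r"sc-bytes=(\d+)", r"(?i)Bytes Received=(\d+)"],
    "Rule Name": [r"rule=(.*?)\t", r"(?i)Rule=(.*?)\t"],
    "URL": [r"cs-uri=(.*?)\t", r"(?i)URL=(.*?)\t"],
    "UrlHost": [
        r"cs-uri=(?:http|ftp|tcp|ssl|https):\/\/(.*?)\/",
        r"(?i)URL=(?:http|ftp|tcp|ssl|https):\/\/(.*?)\/",
    ],
    "User Agent": [r"(?i)Client Agent=(.*?)\t", r"c-agent=(.*?)\t"],
}


def extract(payload):
    """Return {property: capture group 1} using the first expression that matches."""
    found = {}
    for name, expressions in PROPERTIES.items():
        for expression in expressions:
            match = re.search(expression, payload)
            if match:
                found[name] = match.group(1)
                break
    return found


# Constructed payloads (assumed tab-separated key=value layout, not real ISA logs).
W3C_STYLE = ("c-agent=Mozilla/5.0\tcs-uri=http://intranet.example.test/index.html"
             "\trule=Allow Web\tsc-bytes=5120\t")
NAMED_STYLE = ("Client Agent=Mozilla/5.0\tURL=https://portal.example.test/login"
               "\tRule=Allow Web\tBytes Received=2048\t")
# Edge case 1: the last field has no trailing tab, so (.*?)\t cannot match it.
NO_TRAILING_TAB = "sc-bytes=100\trule=Default rule"
# Edge case 2: URL without a path; "." also matches a tab, so the host capture
# runs on to the next "/" in a later field.
NO_PATH = "cs-uri=http://host.example.test\tc-agent=Mozilla/5.0\t"

if __name__ == "__main__":
    for sample in (W3C_STYLE, NAMED_STYLE, NO_TRAILING_TAB, NO_PATH):
        print(extract(sample))
```

A UrlHost value that contains a tab or another field name indicates that the expression ran past the end of the URL field, so searches and rules keyed on UrlHost should account for such values.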