Microsoft IIS

Use the IBM Security QRadar Microsoft IIS Content Extension to closely monitor your Microsoft IIS deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Microsoft IIS Content Extension

IBM Security QRadar Microsoft IIS Content Extension 1.0.2
IBM Security QRadar Microsoft IIS Content Extension 1.0.1
IBM Security QRadar Microsoft IIS Content Extension 1.0.0

IBM Security QRadar Microsoft IIS Content Extension 1.0.2

The following table shows the custom properties that were updated in IBM Security QRadar Microsoft IIS Content Extension 1.0.2.

Table 1. Custom Properties in IBM Security QRadar Microsoft IIS Content Extension 1.0.2
Old Property Name	New Property Name
BytesSent	Bytes Sent
BytesReceived	Bytes Received
Referrer URL	URL Referrer
UrlHost	URL Host
Originating Host	Sender Host

IBM Security QRadar Microsoft IIS Content Extension 1.0.1

The following table shows the custom properties in IBM Security QRadar Microsoft IIS Content Extension 1.0.1.

Table 2. Custom Properties in IBM Security QRadar Microsoft IIS Content Extension 1.0.1
Name	Optimized	Capture Group	Regex
Referrer URL	Yes	1	[\s\t]([^\s\t]+)[\s\t]([^\s\t]+)[\s\t](\d+[\s\t]){6}(?:-\|\d{1,3}\.) cs\(Referer\)[=\s\t]([^\s\t]+)
Response Code	No	1	[\s\t](\d+)[\s\t]\d+[\s\t] sc-status[=\s\t](\d+)
URLHost	Yes	1	cs-host[=\s\t]([^\s\t]+)\/ ClientId.*\s+(?:-\|\d{1,3}\/)\s+([^\s\t]+)\/

IBM Security QRadar Microsoft IIS Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar Microsoft IIS Content Extension 1.0.0.

Table 3. Custom Properties in IBM Security QRadar Microsoft IIS Content Extension 1.0.0
Name	Optimized	Capture Group	Regex
BytesReceived	Yes	1	[\s\t](\d+)[\s\t]\d+[\s\t]\d+[\s\t](?:-\|\d{1,3}\.) sc-bytes[=\s\t](\d+)
BytesSent	Yes	1	cs-bytes[=\s\t](\d+) [\s\t](\d+)[\s\t]\d+[\s\t](?:-\|\d{1,3}\.)
Elapsed Time	No	2 1	[\s\t](\d+)[\s\t](\d+)[\s\t](?:-\|\d{1,3}\.) time-taken[=\s\t](\d+)
Method	No	1	(GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)[\s\t] cs-method[=\s\t]([^\s\t]+)
Originating Host	Yes	1	X-Forwarded-For[=\s\t]([^=\s\t]+) [\s\t](\d+)[\s\t]\d+[\s\t](-\|(?:\d{1,3}\.){3}\d{1,3})
Referrer URL	No	1	[\s\t]([^\s\t]+)[\s\t]([^\s\t]+)[\s\t](\d+[\s\t]){6}(?:-\|\d{1,3}\.) cs\(Referer\)[=\s\t]([^\s\t]+)
URL Path	No	2	(GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)[\s\t]([^\s\t]+) cs-uri-stem[=\s\t]([^\s\t]+)
URL Query String	No	2	cs-uri-query[=\s\t]([^\s\t]+) (GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)[\s\t]([^\s\t]+)[\s\t]([^\s\t]+)
URLHost	Yes	1	cs-host[=\s\t]([^\s\t]+) [\s\t]([^\s\t]+)[\s\t](\d+[\s\t]){6}(?:-\|\d{1,3}\.)
User Agent	No	2	(GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE).*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[\s\t]\S+[\s\t]([^\s\t]+) cs\(User-Agent\)[=\s\t]([^\s\t]+)