Bit9 Security Platform

This security content pack adds custom event properties to QRadar for events received from the Bit9 Security Platform appliance.

IBM Security QRadar SIEM uses JDBC to collect events from Bit9 Security Platform for standard auditing, authentication, and system events. This security content pack contains custom event properties for important fields that administrators can use in reports or searches. The content pack RPM adds these custom event properties on top of the existing custom event properties that are provided with QRadar.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Bit9 Security Platform Content Extension V1.0.2

The following table shows the custom properties that were updated in IBM Security QRadar Bit9 Security Platform Content Extension V1.0.2.

Table 1. Updated Custom Properties in IBM Security QRadar Bit9 Security Platform Content Extension V1.0.2

Name      Optimized
Message   No

IBM Security QRadar Bit9 Security Platform Content Extension V1.0.1

The following table shows the custom properties that were updated in IBM Security QRadar Bit9 Security Platform Content Extension V1.0.1. Every property takes its value from capture group 1 of the regex; the value runs up to the first tab character, and the trailing [\t]* only consumes the tab delimiter that follows it.

Table 2. Updated Custom Properties in IBM Security QRadar Bit9 Security Platform Content Extension V1.0.1
Name                   Optimized  Capture Group  Regex
Ban Name               Yes        1              banName=([^\t]+)[\t]*
Destination Host Name  Yes        1              dstHostName=([^\t]+)[\t]*
External ID            Yes        1              externalId=([^\t]+)[\t]*
File Hash              Yes        1              fileHash=([^\t]+)[\t]*
File ID                Yes        1              fileId=([^\t]+)[\t]*
File Path              No         1              filePath=([^\t]+)[\t]*
File Threat            Yes        1              fileThreat=([^\t]+)[\t]*
File Trust             Yes        1              fileTrust=([^\t]+)[\t]*
Filename               Yes        1              fileName=([^\t]+)[\t]*
Indicator Name         No         1              indicatorName=([^\t]+)[\t]*
Installer Filename     Yes        1              installerFileName=([^\t]+)[\t]*
Message                Yes        1              msg=([^\t]+)[\t]*
Parity Policy          Yes        1              policy=([^\t]+)[\t]*
Process Key            Yes        1              processKey=([^\t]+)[\t]*
Process Threat         Yes        1              processThreat=([^\t]+)[\t]*
Process Trust          Yes        1              processTrust=([^\t]+)[\t]*
Received Time          Yes        1              receivedTime=([^\t]+)[\t]*
Root Hash              Yes        1              rootHash=([^\t]+)[\t]*
Rule Name              Yes        1              ruleName=([^\t]+)[\t]*
Source Host Name       Yes        1              srcHostName=([^\t]+)[\t]*
Source Process         Yes        1              srcProcess=([^\t]+)[\t]*
Updater Name           No         1              updaterName=([^\t]+)[\t]*

IBM Security QRadar Bit9 Security Platform Content Extension V1.0.0

The following table shows the custom properties in IBM Security QRadar Bit9 Security Platform Content Extension V1.0.0.

Table 3. Custom Properties in IBM Security QRadar Bit9 Security Platform Content Extension V1.0.0
Name              Description
Ban Name          Ban name that identifies why the Bit9 Agent blocked access to a file.
Indicator Name    Name of the threat indicator associated with the event, if present.
File Threat       File threat from the Bit9 SRS of the file associated with the event. Pending means that the SRS lookup has not yet been performed. This is a numeric value:
                    -2  Pending
                    -1  Unknown
                     0  No threat
                     1  Potential risk
                     2  Malicious
File Trust        File trust from the Bit9 SRS of the file associated with the event. Pending means that the SRS lookup has not yet been performed. This is a numeric value:
                    -2  Pending
                    -1  Unknown
                    0-10  Trust value
Process Key       Unique proprietary key that identifies the instance of the process on a specific computer.
Process Threat    Process threat from the Bit9 SRS of the process associated with the event. Pending means that the SRS lookup has not yet been performed but will be.
Process Trust     Process trust from the Bit9 SRS of the process associated with the event. Pending means that the SRS lookup has not yet been performed but will be.
Updater Name      Updater name related to the event.