Carbon Black Response
The Carbon Black Response extension for QRadar® adds new custom event properties for Carbon Black Response Payload.
Important: To avoid content errors in this content extension, keep the associated DSMs
up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled,
download the most recent version of the associated DSMs from IBM® Fix Central
(https://www.ibm.com/support/fixcentral).
- IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.3
- IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.2
- IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.1
- IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.0
IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.3
The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.3.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| MD5 Hash | Yes | 1 | \smd5=([^\t]+) |
| SHA256 Hash | Yes | 1 | sha256=([^\t]+) |
| Process Id | Yes | 1 | \spid=([^\t]+) |
The File Hash custom property has been removed.
IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.2
The following table shows the custom properties updated in IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.2.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Process Path | Yes | 1 | process_path=([^\t]+) |
IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.1
The following table shows the custom properties updated in IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.1.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Process Name | Yes | 1 | process_name=([^\t]+) |
IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Alert Type | No | 1 | alert_type=([^\t]+) |
| Command Line | Yes | 1 | (?:command_line|cmdline)=“?([^\t]+)“? |
| CB Server | No | 1 | cb_server=([^\t]+) |
| Computer Name | Yes | 1 | computer_name=([^\t]+) |
| Domain | No | 1 | domain=([^\t]+) |
| Feed Name | No | 1 | feed_name=([^\t]+) |
| File Hash | Yes | 1 | sha256=([^\t]+) |
| Hostname | Yes | 1 | hostname=([^\t]+) |
| Local IP | No | 1 | local_ip=([^\t]+) |
| OS Vendor | Yes | 1 | os_type=([^\t]+) |
| Process Id | No | 1 | \spid=([^\t]+) |
| Parent GUID | No | 1 | parent_guid=([^\t]+) |
| Parent MD5 | No | 1 | parent_md5=([^\t]+) |
| Parent Process ID | No | 1 | parent_pid=([^\t]+) |
| Parent Path | No | 1 | parent_path=([^\t]+) |
| Parent Process Guid | No | 1 | parent_process_guid=([^\t]+) |
| Path | No | 1 | \spath=([^\t]+) |
| Process CommandLine | Yes | 1 | (?:command_line|cmdline)="?([^\t]+)"? |
| Process Direction | No | 1 | direction=([^\t]+) |
| Process Guid | No | 1 | \sprocess_guid=([^\t]+) |
| Process Name | Yes | 1 | process_name=([^\t]+) |
| Process Path | No | 1 | process_path=([^\t]+) |
| Proxy Domain | Yes | 1 | proxy_domain=([^\t]+) |
| Proxy IP | No | 1 | proxy_ip=([^\t]+) |
| Remote IP | No | 1 | remote_ip=([^\t]+) |
| Server Name | Yes | 1 | (?:-ServerName:|server_name=)([^\t]+) |
| Type | No | 1 | \stype=([^\t]+) |
| Unique ID | No | 1 | (?:\suid|unique_id)=([^\t]+) |
| Watchlist Name | No | 1 | watchlist_name=([^\t]+) |
| Watchlists | No | 1 | watchlists=([^\t]+) |