Carbon Black Response
The Carbon Black Response extension for QRadar adds new custom event properties for the Carbon Black Response payload.
- IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.3
- IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.2
- IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.1
- IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.0
IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.3
The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.3.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
MD5 Hash | Yes | 1 | \smd5=([^\t]+) |
SHA256 Hash | Yes | 1 | sha256=([^\t]+) |
Process Id | Yes | 1 | \spid=([^\t]+) |
The File Hash custom property has been removed.
IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.2
The following table shows the custom properties updated in IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.2.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Process Path | Yes | 1 | process_path=([^\t]+) |
IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.1
The following table shows the custom properties updated in IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.1.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Process Name | Yes | 1 | process_name=([^\t]+) |
IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Carbon Black Response Content Extension 1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Alert Type | No | 1 | alert_type=([^\t]+) |
Command Line | Yes | 1 | (?:command_line|cmdline)="?([^\t]+)"? |
CB Server | No | 1 | cb_server=([^\t]+) |
Computer Name | Yes | 1 | computer_name=([^\t]+) |
Domain | No | 1 | domain=([^\t]+) |
Feed Name | No | 1 | feed_name=([^\t]+) |
File Hash | Yes | 1 | sha256=([^\t]+) |
Hostname | Yes | 1 | hostname=([^\t]+) |
Local IP | No | 1 | local_ip=([^\t]+) |
OS Vendor | Yes | 1 | os_type=([^\t]+) |
Process Id | No | 1 | \spid=([^\t]+) |
Parent GUID | No | 1 | parent_guid=([^\t]+) |
Parent MD5 | No | 1 | parent_md5=([^\t]+) |
Parent Process ID | No | 1 | parent_pid=([^\t]+) |
Parent Path | No | 1 | parent_path=([^\t]+) |
Parent Process Guid | No | 1 | parent_process_guid=([^\t]+) |
Path | No | 1 | \spath=([^\t]+) |
Process CommandLine | Yes | 1 | (?:command_line|cmdline)="?([^\t]+)"? |
Process Direction | No | 1 | direction=([^\t]+) |
Process Guid | No | 1 | \sprocess_guid=([^\t]+) |
Process Name | Yes | 1 | process_name=([^\t]+) |
Process Path | No | 1 | process_path=([^\t]+) |
Proxy Domain | Yes | 1 | proxy_domain=([^\t]+) |
Proxy IP | No | 1 | proxy_ip=([^\t]+) |
Remote IP | No | 1 | remote_ip=([^\t]+) |
Server Name | Yes | 1 | (?:-ServerName:|server_name=)([^\t]+) |
Type | No | 1 | \stype=([^\t]+) |
Unique ID | No | 1 | (?:\suid|unique_id)=([^\t]+) |
Watchlist Name | No | 1 | watchlist_name=([^\t]+) |
Watchlists | No | 1 | watchlists=([^\t]+) |
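As an added example (not the extension's own code), the Python below applies some of the regexes from the 1.0.3 and 1.0.0 tables to a constructed tab-separated event and shows why the PID and MD5 patterns need their leading `\s`, what happens when a payload is space-delimited instead, and that the trailing `"?` on the command-line pattern never strips a closing quote. The field values in the sample are made up for illustration.

```python
import re

# Constructed sample event (not a real capture) in the tab-separated
# key=value layout that the tables' "[^\t]+" patterns assume.
FIELDS = [
    "type=ingress.event.procstart",
    "computer_name=WKSTN01",
    "parent_pid=412",
    "pid=1337",
    "parent_md5=" + "0" * 32,
    "md5=" + "1" * 32,
    "sha256=" + "2" * 64,
    "process_path=c:\\windows\\system32\\notepad.exe",
    'command_line="notepad.exe C:\\notes.txt"',
]
TAB_EVENT = "\t".join(FIELDS)
SPACE_EVENT = " ".join(FIELDS)  # same fields, space-delimited (wrong layout)

# Regexes copied from the 1.0.3 and 1.0.0 tables; capture group 1 is the value.
PROPERTIES = {
    "MD5 Hash": r"\smd5=([^\t]+)",
    "SHA256 Hash": r"sha256=([^\t]+)",
    "Process Id": r"\spid=([^\t]+)",
    "Parent Process ID": r"parent_pid=([^\t]+)",
    "Process CommandLine": r'(?:command_line|cmdline)="?([^\t]+)"?',
}

def extract(event, regex, group=1):
    """Apply one custom-property regex to a payload; return the capture or None."""
    m = re.search(regex, event)
    return m.group(group) if m else None

def extract_all(event, props=PROPERTIES):
    """Evaluate every property against one payload, as QRadar does per event."""
    return {name: extract(event, rx) for name, rx in props.items()}

if __name__ == "__main__":
    for name, value in extract_all(TAB_EVENT).items():
        print(f"{name:20} -> {value!r}")
    # Process CommandLine keeps its closing quote: the greedy [^\t]+ runs to the
    # next tab (or end of line), so the optional trailing "? matches nothing.
    # Why "\spid=" rather than "pid=": without the leading whitespace the pattern
    # first matches inside parent_pid= and yields the parent's PID (412).
    print(extract(TAB_EVENT, r"pid=([^\t]+)"), extract(TAB_EVENT, r"\spid=([^\t]+)"))
    # Space-delimited input breaks the [^\t]+ assumption: the capture runs to
    # the end of the line instead of stopping at the next field.
    print(extract(SPACE_EVENT, r"\spid=([^\t]+)"))
```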