Cisco AMP
The IBM® QRadar® Cisco AMP content extension adds new custom event properties for Cisco AMP.
IBM Security QRadar Cisco AMP Content Extensions
IBM Security QRadar Cisco AMP Content Extension 1.1.0
The following custom properties are updated in IBM Security QRadar Cisco AMP Content Extension 1.1.0:
- MD5 Hash
- Parent MD5
- Parent SHA1 Hash
- Parent SHA256 Hash
- SHA1 Hash
The low level category for the Filename property is updated.
The Parent Hash property is removed.
IBM Security QRadar Cisco AMP Content Extension 1.0.3
The following table shows the custom properties that are new or updated in IBM Security QRadar Cisco AMP Content Extension 1.0.3.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
EventID | Yes | 1 | "event_type_id":\s*(\d*) |
IBM Security QRadar Cisco AMP Content Extension 1.0.2
The following table shows the custom properties that are new or updated in IBM Security QRadar Cisco AMP Content Extension 1.0.2.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
MD5 Hash | Yes | 1 | "file":.*?"md5":\s*"([^"]*)" |
SHA1 Hash | Yes | 1 | "file":.*?"sha1":\s*"([^"]*)" |
IBM Security QRadar Cisco AMP Content Extension 1.0.1
The following table shows the custom properties that are new or updated in IBM Security QRadar Cisco AMP Content Extension 1.0.1.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Parent Process Name | Yes | 1 | "parent":.*?"file_name":\s*\"([^\"]*)" |
SHA256 Hash | Yes | 1 | "file":.*?"sha256":\s*\"([^\"]*)" |
IBM Security QRadar Cisco AMP Content Extension 1.0.0
The following table shows the custom properties in the IBM Security QRadar Cisco AMP 1.0.0 content extension.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Archived File Disposition | No | 1 | "archived_file":.*?"disposition":\s*\"([^\"]*)" |
Archived File SHA256 Hash | No | 1 | "archived_file":.*?"sha256":\s*\"([^\"]*)" |
Computer Name | No | 1 | "hostname":\s*"([^\"]*) |
Disposition | No | 1 | "file":.*?"disposition":\s*\"([^\"]*)" |
EventID | No | 1 | "event_type_id":\s*(\d*) |
File Directory | Yes | 1 | "file":.*?"file_path":\s*\"([^\"]*)(?:\\|\/)[^\\\/]*" |
File Directory | Yes | 1 | "description":"([^\"]*)(?:\\|\/)[^\\\/]*" |
File Extension | Yes | 1 | "file":.*?"file_name":\s*\"[^\"\.]*\.([^\"]*)" |
File Hash | Yes | 1 | "file":.*?"(?:sha256|sha1|md5)":\s*\"([^\"]*)" |
File Path | No | 1 | "description":"(.*?)" |
File Path | No | 1 | "file":.*?"file_path":\s*\"([^\"]*)" |
Filename | Yes | 1 | "file":.*?"file_name":\s*\"([^\"]*)" |
Filename | Yes | 1 | "description":"(?:.*|\\)\\(.*?)" |
MD5 Hash | No | 1 | "file":.*?"md5":\s*\"([^\"]*)" |
Parent Disposition | No | 1 | "parent":.*?"disposition":\s*\"([^\"]*)" |
Parent Filename | No | 1 | "parent":.*?"file_name":\s*\"([^\"]*)" |
Parent Hash | No | 1 | "parent":.*?"(?:sha256|sha1|md5)":\s*\"([^\"]*)" |
Parent MD5 | No | 1 | "parent":.*?"md5":\s*\"([^\"]*)" |
Parent Process ID | No | 1 | "parent":.*?"process_id":\s*(\d*) |
Parent SHA1 Hash | No | 1 | "parent":.*?"sha1":\s*\"([^\"]*)" |
Parent SHA256 Hash | No | 1 | "parent":.*?"sha256":\s*\"([^\"]*)" |
Reference Link | No | 1 | "trajectory":"([^\"]*)\", |
SHA1 Hash | No | 1 | "file":.*?"sha1":\s*\"([^\"]*)" |
SHA256 Hash | No | 1 | "file":.*?"sha256":\s*\"([^\"]*)" |
Threat name | Yes | 1 | "detection":\s*"([^\"]*) |
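The following is an added example, not IBM's or Cisco's code, that runs a subset of the property regexes from the tables above over a constructed Cisco AMP-style event so you can see what each capture group yields before relying on the property in a rule or search. The event is built only from the key names the regexes reference; its nesting, the sample hashes, hostname and event_type_id are constructed and are not the documented Cisco AMP schema. QRadar evaluates these patterns as Java regex; for the expressions on this page Python's re module behaves the same. Two things worth checking in the output: the "file":.*? and "parent":.*? patterns are not anchored to a JSON object, so a property such as File Hash returns whichever of sha256, sha1 or md5 happens to appear first after "file": in the payload, and File Directory is captured from the JSON-escaped payload text, so backslash separators stay doubled and one trailing backslash survives.

```python
"""Apply the Cisco AMP content-extension regexes to a constructed event.

Added example, not IBM's or Cisco's code. The event built below uses the
key names the extension's regexes reference; its nesting, values and the
event_type_id are constructed for illustration, not taken from the Cisco
AMP schema. QRadar evaluates these patterns as Java regex; for the
expressions on this page Python's re module behaves identically.
"""
import json
import re

# Custom property name -> (capture group, regex), copied from the tables
# on this page (1.0.0 patterns, plus the 1.0.2 MD5 Hash pattern).
PROPERTIES = {
    "EventID": (1, r'"event_type_id":\s*(\d*)'),
    "Computer Name": (1, r'"hostname":\s*"([^\"]*)'),
    "Threat name": (1, r'"detection":\s*"([^\"]*)'),
    "Disposition": (1, r'"file":.*?"disposition":\s*\"([^\"]*)"'),
    "Filename": (1, r'"file":.*?"file_name":\s*\"([^\"]*)"'),
    "File Extension": (1, r'"file":.*?"file_name":\s*\"[^\"\.]*\.([^\"]*)"'),
    "File Directory": (1, r'"file":.*?"file_path":\s*\"([^\"]*)(?:\\|\/)[^\\\/]*"'),
    "File Hash": (1, r'"file":.*?"(?:sha256|sha1|md5)":\s*\"([^\"]*)"'),
    "SHA256 Hash": (1, r'"file":.*?"sha256":\s*\"([^\"]*)"'),
    "MD5 Hash": (1, r'"file":.*?"md5":\s*"([^"]*)"'),
    "Parent Process Name": (1, r'"parent":.*?"file_name":\s*\"([^\"]*)"'),
    "Parent Process ID": (1, r'"parent":.*?"process_id":\s*(\d*)'),
    "Parent SHA256 Hash": (1, r'"parent":.*?"sha256":\s*\"([^\"]*)"'),
}


def build_event(identity_order=("sha256", "sha1", "md5")):
    """Return a compact, single-line JSON payload resembling a detection event.

    All values are constructed sample data. identity_order controls the key
    order inside the file's identity object; the order-dependent File Hash
    pattern picks up whichever hash key comes first.
    """
    hashes = {"sha256": "a" * 64, "sha1": "b" * 40, "md5": "c" * 32}
    event = {
        "event_type": "Threat Detected",
        "event_type_id": 1000000001,  # constructed, not a real AMP type id
        "detection": "W32.Constructed.Sample",
        "computer": {"hostname": "WS-CONSTRUCTED-01"},
        "file": {
            "disposition": "Malicious",
            "file_name": "dropper.exe",
            "file_path": "C:\\Users\\alice\\Downloads\\dropper.exe",
            "identity": {k: hashes[k] for k in identity_order},
            "parent": {
                "process_id": 4120,
                "disposition": "Clean",
                "file_name": "explorer.exe",
                "identity": {"sha256": "d" * 64, "sha1": "e" * 40, "md5": "f" * 32},
            },
        },
    }
    # Compact separators: several page regexes have no \s* after the colon.
    return json.dumps(event, separators=(",", ":"))


def extract(payload, properties=PROPERTIES):
    """Run every property regex over one payload; unmatched properties are None."""
    result = {}
    for name, (group, pattern) in properties.items():
        match = re.search(pattern, payload)
        result[name] = match.group(group) if match else None
    return result


def file_hash_by_identity_order(order):
    """Return what File Hash captures when the identity keys appear in `order`."""
    return extract(build_event(order))["File Hash"]


if __name__ == "__main__":
    for name, value in extract(build_event()).items():
        print(f"{name:20s} -> {value!r}")
    print("File Hash, md5 listed first ->",
          file_hash_by_identity_order(("md5", "sha1", "sha256")))
```

Running the script prints each property beside its captured value; File Directory comes back as the escaped text C:\\Users\\alice\\Downloads\ rather than a clean path, and File Hash switches from the SHA-256 to the MD5 value as soon as the identity keys are reordered. When a property value feeds a reference set or a correlation rule, prefer the hash-specific properties (SHA256 Hash, MD5 Hash, Parent SHA256 Hash) over File Hash and Parent Hash, and normalize directory values before comparing them.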