Cisco AMP

The IBM® QRadar® Cisco AMP content extension adds new custom event properties for Cisco AMP.

Note: The Parent Filename custom property was renamed to Parent Process Name in 1.0.1. If you have 1.0.0 of this extension installed, delete Parent Filename before you upgrade to the latest version.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Cisco AMP Content Extensions

IBM Security QRadar Cisco AMP Content Extension 1.1.0
IBM Security QRadar Cisco AMP Content Extension 1.0.3
IBM Security QRadar Cisco AMP Content Extension 1.0.2
IBM Security QRadar Cisco AMP Content Extension 1.0.1
IBM Security QRadar Cisco AMP Content Extension 1.0.0

IBM Security QRadar Cisco AMP Content Extension 1.1.0

Duplicated custom properties in the following custom properties are merged and set to use the Any/Any low level category.

MD5 Hash
Parent MD5
Parent SHA1 Hash
Parent SHA256 Hash
SHA1 Hash

The low level category for the Filename property is updated.

The Parent Hash property is removed.

_{(Back to top)}

IBM Security QRadar Cisco AMP Content Extension 1.0.3

The following table shows the custom properties that are new or updated in IBM Security QRadar Cisco AMP Content Extension 1.0.3.

Table 1. Custom Properties in IBM Security QRadar Cisco AMP Content Extension 1.0.3
Name	Optimized	Capture Group	Regex
EventID	Yes	1	"event_type_id":\s(\d)

_{(Back to top)}

IBM Security QRadar Cisco AMP Content Extension 1.0.2

The following table shows the custom properties that are new or updated in IBM Security QRadar Cisco AMP Content Extension 1.0.2.

Table 2. Custom Properties in IBM Security QRadar Cisco AMP Content Extension 1.0.2
Name	Optimized	Capture Group	Regex
MD5 Hash	Yes	1	"file":.?"md5":\s"([^"]*)"
SHA1 Hash	Yes	1	"file":.?"sha1":\s"([^"]*)"

_{(Back to top)}

IBM Security QRadar Cisco AMP Content Extension 1.0.1

The following table shows the custom properties that are new or updated in IBM Security QRadar Cisco AMP Content Extension 1.0.1.

Table 3. Custom Properties in IBM Security QRadar Cisco AMP Content Extension 1.0.1
Name	Optimized	Capture Group	Regex
Parent Process Name	Yes	1	"parent":.?"file_name":\s\"([^\"]*)"
SHA256 Hash	Yes	1	"file":.?"sha256":\s\"([^\"]*)"

_{(Back to top)}

IBM Security QRadar Cisco AMP Content Extension 1.0.0

The following table shows the custom properties in the IBM Security QRadar Cisco AMP 1.0.0 content extension.

Table 4. Custom Properties in Cisco AMP 1.0.0 content extension
Name	Optimized	Capture Group	Regex
Archived File Disposition	No	1	"archived_file":.?"disposition":\s\"([^\"]*)"
Archived File SHA256 Hash	No	1	"archived_file":.?"sha256":\s\"([^\"]*)"
Computer Name	No	1	"hostname":\s"([^\"])
Disposition	No	1	"file":.?"disposition":\s\"([^\"]*)"
EventID	No	1	"event_type_id":\s(\d)
File Directory	Yes Yes	1 1	"file":.?"file_path":\s\"([^\"])(?:\\\|\/)[^\\\/]" "description":"([^\"])(?:\\\|\/)[^\\\/]"
File Extension	Yes	1	"file":.?"file_name":\s\"[^\"\.]\.([^\"])"
File Hash	Yes	1	"file":.?"(?:sha256\|sha1\|md5)":\s\"([^\"]*)"
File Path	No No	1 1	"description":"(.?)" "file":.?"file_path":\s\"([^\"])"
Filename	Yes Yes	1 1	"file":.?"file_name":\s\"([^\"])" "description":"(?:.\|\\)\\(.*?)"
MD5 Hash	No	1	"file":.?"md5":\s\"([^\"]*)"
Parent Disposition	No	1	"parent":.?"disposition":\s\"([^\"]*)"
Parent Filename	No	1	"parent":.?"file_name":\s\"([^\"]*)"
Parent Hash	No	1	"parent":.?"(?:sha256\|sha1\|md5)":\s\"([^\"]*)"
Parent MD5	No	1	"parent":.?"md5":\s\"([^\"]*)"
Parent Process ID	No	1	"parent":.?"process_id":\s(\d*)
Parent SHA1 Hash	No	1	"parent":.?"sha1":\s\"([^\"]*)"
Parent SHA256 Hash	No	1	"parent":.?"sha256":\s\"([^\"]*)"
Reference Link	No	1	"trajectory":"([^\"]*)\",
SHA1 Hash	No	1	"file":.?"sha1":\s\"([^\"]*)"
SHA256 Hash	No	1	"file":.?"sha256":\s\"([^\"]*)"
Threat name	Yes	1	"detection":\s"([^\"])

_{(Back to top)}