F5 Networks Big IP

Use the IBM® QRadar® F5 Networks Big IP Content Extension to closely monitor your F5 Networks Big IP deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar F5 Networks Big IP Content Extension

IBM Security QRadar F5 Networks Big IP Content Extension 1.0.3
IBM Security QRadar F5 Networks Big IP Content Extension 1.0.2
IBM Security QRadar F5 Networks Big IP Content Extension 1.0.1
IBM Security QRadar F5 Networks Big IP Content Extension 1.0.0

IBM Security QRadar F5 Networks Big IP Content Extension 1.0.3

The following table shows the custom properties in IBM Security QRadar F5 Networks Big IP Content Extension 1.0.3.

Table 1. Custom Properties in IBM Security QRadar F5 Networks Big IP Content Extension 1.0.3
Name	Optimized	Capture Group	Regex
Response Code	No	1	response_code="([^"]*)"

The HTTP Status Code custom property is deprecated. The new Response Code custom property can be used instead.

IBM Security QRadar F5 Networks Big IP Content Extension 1.0.2

The property type for the CEP Originating Host custom property is updated from IP to string.

IBM Security QRadar F5 Networks Big IP Content Extension 1.0.1

The following table shows the custom properties in IBM Security QRadar F5 Networks Big IP Content Extension 1.0.1.

Table 2. Custom Properties in IBM Security QRadar F5 Networks Big IP Content Extension 1.0.1
Name	Optimized	Capture Group	Regex
Request URI	Yes	1	uri="([^"]*)"

IBM Security QRadar F5 Networks Big IP Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar F5 Networks Big IP Content Extension 1.0.0.

Table 3. Custom Properties in IBM Security QRadar F5 Networks Big IP Content Extension 1.0.0
Name	Optimized	Capture Group	Regex
Action Result	No	1	request_status="([^"]*)"
Alert Severity	No	1	severity="([^"]*)"
Client Hostname	No	1	unit_hostname="([^"]*)"
HTTP Status Code	No	1	response_code="([^"]*)"
Location	No	1	geo_location="([^"]*)"
Originating Host	Yes	1	x_forwarded_for_header_value="([^"]*)"
Policy Name	Yes	1	policy_name="([^"]*)"
Request	No	1	request="([^"]*)"
Request Method	No	1	method="([^"]*)"
Request URI	No	1	uri="([^"]*)"
Sub-Violations	No	1	sub_violations="([^"]*)"
Threat Name	Yes	1	virus_name="([^"]*)"
Threat Severity	No	1	violation_rating="([^"]*)"
Threat Type	No	1	attack_type="([^"]*)"
URL Query String	No	1	query_string="([^"]*)"
Violation Signatures	No	1	,sig_names="([^"]*)"
Violation Type	No	1	violations="([^"]*)"
Web Application Name	No	1	web_application_name="([^"]*)"