Microsoft IIS

Use the IBM® QRadar® Microsoft IIS Content Extension to closely monitor your Microsoft IIS deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Microsoft IIS Content Extension

IBM Security QRadar Microsoft IIS Content Extension 1.0.1

The following table shows the custom properties in IBM Security QRadar Microsoft IIS Content Extension 1.0.1.

Table 1. Custom Properties in IBM Security QRadar Microsoft IIS Content Extension 1.0.1

Name           Optimized  Capture Group  Regex
Referrer URL   Yes        1              [\s\t]([^\s\t]+)[\s\t]([^\s\t]+)[\s\t](\d+[\s\t]){6}(?:-|\d{1,3}\.)
                                         cs\(Referer\)[=\s\t]([^\s\t]+)
Response Code  No         1              [\s\t](\d+)[\s\t]\d+[\s\t]
                                         sc-status[=\s\t](\d+)
URLHost        Yes        1              cs-host[=\s\t]([^\s\t]+)\/
                                         ClientId.*\s+(?:-|\d{1,3}\/)\s+([^\s\t]+)\/

IBM Security QRadar Microsoft IIS Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar Microsoft IIS Content Extension 1.0.0.

Table 2. Custom Properties in IBM Security QRadar Microsoft IIS Content Extension 1.0.0

Name              Optimized  Capture Group  Regex
BytesReceived     Yes        1              [\s\t](\d+)[\s\t]\d+[\s\t]\d+[\s\t](?:-|\d{1,3}\.)
                                            sc-bytes[=\s\t](\d+)
BytesSent         Yes        1              cs-bytes[=\s\t](\d+)
                                            [\s\t](\d+)[\s\t]\d+[\s\t](?:-|\d{1,3}\.)
Elapsed Time      No         2              [\s\t](\d+)[\s\t](\d+)[\s\t](?:-|\d{1,3}\.)
                             1              time-taken[=\s\t](\d+)
Method            No         1              (GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)[\s\t]
                                            cs-method[=\s\t]([^\s\t]+)
Originating Host  Yes        1              X-Forwarded-For[=\s\t]([^=\s\t]+)
                                            [\s\t](\d+)[\s\t]\d+[\s\t](-|(?:\d{1,3}\.){3}\d{1,3})
Referrer URL      No         1              [\s\t]([^\s\t]+)[\s\t]([^\s\t]+)[\s\t](\d+[\s\t]){6}(?:-|\d{1,3}\.)
                                            cs\(Referer\)[=\s\t]([^\s\t]+)
URL Path          No         2              (GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)[\s\t]([^\s\t]+)
                                            cs-uri-stem[=\s\t]([^\s\t]+)
URL Query String  No         2              cs-uri-query[=\s\t]([^\s\t]+)
                                            (GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)[\s\t]([^\s\t]+)[\s\t]([^\s\t]+)
URLHost           Yes        1              cs-host[=\s\t]([^\s\t]+)
                                            [\s\t]([^\s\t]+)[\s\t](\d+[\s\t]){6}(?:-|\d{1,3}\.)
User Agent        No         2              (GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE).*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[\s\t]\S+[\s\t]([^\s\t]+)
                                            cs\(User-Agent\)[=\s\t]([^\s\t]+)
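As an added example that is not part of the IBM documentation, the following Python script runs a subset of the regexes from Table 1 and Table 2 against two constructed IIS events, one in positional W3C format and one in name=value format, so that the capture groups can be checked before the properties are used in rules or searches. The field layout assumed for the positional line (every standard W3C field in its default order, followed by a trailing X-Forwarded-For field) is this example's own assumption, not something the tables state, as is the order in which the two regex forms are tried.

```python
import re

# Custom-property regexes copied from the tables above, as (regex, capture group)
# alternatives. The name=value form is tried first because the positional W3C
# patterns (e.g. the Method regex) can also fire inside name=value text (my ordering).
PROPERTIES = {
    "Method": [(r"cs-method[=\s\t]([^\s\t]+)", 1),
               (r"(GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)[\s\t]", 1)],
    "URL Path": [(r"cs-uri-stem[=\s\t]([^\s\t]+)", 1),
                 (r"(GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)[\s\t]([^\s\t]+)", 2)],
    "Response Code": [(r"sc-status[=\s\t](\d+)", 1),
                      (r"[\s\t](\d+)[\s\t]\d+[\s\t]", 1)],
    "Referrer URL": [(r"cs\(Referer\)[=\s\t]([^\s\t]+)", 1),
                     (r"[\s\t]([^\s\t]+)[\s\t]([^\s\t]+)[\s\t](\d+[\s\t]){6}(?:-|\d{1,3}\.)", 1)],
    "URLHost": [(r"cs-host[=\s\t]([^\s\t]+)", 1),
                (r"[\s\t]([^\s\t]+)[\s\t](\d+[\s\t]){6}(?:-|\d{1,3}\.)", 1)],
    "BytesReceived": [(r"sc-bytes[=\s\t](\d+)", 1),
                      (r"[\s\t](\d+)[\s\t]\d+[\s\t]\d+[\s\t](?:-|\d{1,3}\.)", 1)],
    "BytesSent": [(r"cs-bytes[=\s\t](\d+)", 1),
                  (r"[\s\t](\d+)[\s\t]\d+[\s\t](?:-|\d{1,3}\.)", 1)],
    "Elapsed Time": [(r"time-taken[=\s\t](\d+)", 1),
                     (r"[\s\t](\d+)[\s\t](\d+)[\s\t](?:-|\d{1,3}\.)", 2)],
    "User Agent": [(r"cs\(User-Agent\)[=\s\t]([^\s\t]+)", 1),
                   (r"(GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE).*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[\s\t]\S+[\s\t]([^\s\t]+)", 2)],
}

# Constructed sample events, not real logs. W3C_LINE assumes the layout the positional
# regexes count on: all standard IIS W3C fields in default order, then X-Forwarded-For.
W3C_LINE = ("2024-01-15 10:23:45 W3SVC1 WEBSRV01 10.0.0.5 GET /index.html - 443 - "
            "203.0.113.7 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0) - https://example.com/ "
            "www.example.com 200 0 0 5120 312 15 -")
KV_LINE = ("cs-method=GET cs-uri-stem=/index.html sc-status=200 "
           "cs(User-Agent)=Mozilla/5.0+(Windows+NT+10.0) cs(Referer)=https://example.com/ "
           "cs-host=www.example.com sc-bytes=5120 cs-bytes=312 time-taken=15")

def extract(line):
    """Map each property to the capture of its first matching regex; skip non-matches."""
    result = {}
    for name, alternatives in PROPERTIES.items():
        for pattern, group in alternatives:
            match = re.search(pattern, line)
            if match:
                result[name] = match.group(group)
                break
    return result

if __name__ == "__main__":
    for label, line in (("W3C positional", W3C_LINE), ("name=value", KV_LINE)):
        print(label, extract(line))
```

Both constructed lines yield the same nine values, which is the check a practitioner wants: the positional regex and the name=value regex of each property agree on the same event.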