Microsoft IIS
Use the IBM® QRadar® Microsoft IIS Content Extension to closely monitor your Microsoft IIS deployment.
IBM Security QRadar Microsoft IIS Content Extension
IBM Security QRadar Microsoft IIS Content Extension 1.0.1
The following table shows the custom properties in IBM Security QRadar Microsoft IIS Content Extension 1.0.1.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Referrer URL | Yes | 1 | `[\s\t]([^\s\t]+)[\s\t]([^\s\t]+)[\s\t](\d+[\s\t]){6}(?:-|\d{1,3}\.)` `cs\(Referer\)[=\s\t]([^\s\t]+)` |
Response Code | No | 1 | `[\s\t](\d+)[\s\t]\d+[\s\t]` `sc-status[=\s\t](\d+)` |
URLHost | Yes | 1 | `cs-host[=\s\t]([^\s\t]+)\/` `ClientId.*\s+(?:-|\d{1,3}\/)\s+([^\s\t]+)\/` |
IBM Security QRadar Microsoft IIS Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Microsoft IIS Content Extension 1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
BytesReceived | Yes | 1 | `[\s\t](\d+)[\s\t]\d+[\s\t]\d+[\s\t](?:-|\d{1,3}\.)` `sc-bytes[=\s\t](\d+)` |
BytesSent | Yes | 1 | `cs-bytes[=\s\t](\d+)` `[\s\t](\d+)[\s\t]\d+[\s\t](?:-|\d{1,3}\.)` |
Elapsed Time | No | 2 1 | `[\s\t](\d+)[\s\t](\d+)[\s\t](?:-|\d{1,3}\.)` `time-taken[=\s\t](\d+)` |
Method | No | 1 | `(GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)[\s\t]` `cs-method[=\s\t]([^\s\t]+)` |
Originating Host | Yes | 1 | `X-Forwarded-For[=\s\t]([^=\s\t]+)` `[\s\t](\d+)[\s\t]\d+[\s\t](-|(?:\d{1,3}\.){3}\d{1,3})` |
Referrer URL | No | 1 | `[\s\t]([^\s\t]+)[\s\t]([^\s\t]+)[\s\t](\d+[\s\t]){6}(?:-|\d{1,3}\.)` `cs\(Referer\)[=\s\t]([^\s\t]+)` |
URL Path | No | 2 | `(GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)[\s\t]([^\s\t]+)` `cs-uri-stem[=\s\t]([^\s\t]+)` |
URL Query String | No | 2 | `cs-uri-query[=\s\t]([^\s\t]+)` `(GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)[\s\t]([^\s\t]+)[\s\t]([^\s\t]+)` |
URLHost | Yes | 1 | `cs-host[=\s\t]([^\s\t]+)` `[\s\t]([^\s\t]+)[\s\t](\d+[\s\t]){6}(?:-|\d{1,3}\.)` |
User Agent | No | 2 | `(GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE).*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[\s\t]\S+[\s\t]([^\s\t]+)` `cs\(User-Agent\)[=\s\t]([^\s\t]+)` |