Microsoft Sharepoint

Use the IBM® QRadar® Microsoft Sharepoint Content Extension to closely monitor your Microsoft Sharepoint deployment.

IBM Security QRadar Microsoft Sharepoint Content Extension 1.0.1

Updated the content extension to allow it to be installed on earlier QRadar versions than 7.3.3. Fix Pack 3.

IBM Security QRadar Microsoft Sharepoint Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar Microsoft Sharepoint Content Extension 1.0.0.

Table 1. Custom Properties in IBM Security QRadar Microsoft Sharepoint Content Extension 1.0.0
Name Optimized Capture Group Regex
Administrator ID Yes 1 label[=Administrator ID"\\]+value["\\=]+"(.*?)[\\]"
Administrator Name Yes 1 label[=Administrator Name"\\]+value["\\=]+"(.*?)[\\]"
Audit Flags Yes 1 label[=New Audit Policy"\\]+value["\\=]+"(.*?)[\\]"
Content Information No 1 label[=Object Title"\\]+value["\\=]+(.*?)\\[^\\]
EventID Yes 1 \/event\.aspx\?eventid=(\d+)[\\"]
File Directory Yes 1 label[=Object URL"\\]+value[\\"=]+(.*?)\/[^\/]*?[\\"]+\|name

\"Object URL\\\"\svalue=\\"(n\/a|(?!n\/a).*?)[\\\/][^\/]*?[\\"]+\|name

label[=Object URL"\\]+value[\\"\/=]+(.*?)\/[^\/]*?[\\"]+(?:name|)

File Extension Yes 1

\"Object URL\\\"\svalue=\\"[^"]*?\.(n\/a|(?!n\/a)[^"\\]*)

\"Object URL\\\"\svalue=\\"[^"]*?\.([^"\\]*)

label[=Object URL"\\]+value["\\=]+"[^"]*?\.([^"\\]*)

Filename Yes 1 label[=Object URL"\\]+value["\\=]+.*?\/([^\/]*?)\\+

\"Object URL\\\"\svalue=\\\".*?(n\/a|(?!n\/a)[^\/]*?)\\+

Group Name Yes 1 label[=Group Name\s"\\]+value["\\=]+(.*?)\\[^\\]
GroupID Yes 1 label[=Group ID\s"\\]+value[=\\"]+(\d+)
ObjectType Yes 1 label[=Object Type"\\]+value["\\=]+(.*?)\\[^\\]
Parent Content Information Yes 1 \"Parent Object Title\\\"\svalue=\\\"(.*?)\\[^\\]
Parent File Directory Yes 1 \"Parent Object URL\\\"\svalue=\\"(n\/a|(?!n\/a).*?)\/[^\/]*?[\\"]+\|name
Parent File Extension Yes 1 \"Parent Object URL\\\"\svalue=\\"[^"]*?\.(n\/a|(?!n\/a)[^"\\]*)
Parent Filename Yes 1 \"Parent Object URL\\\"\svalue=\\\".*?(n\/a|(?!n\/a)[^\/]*?)\\+
Parent Object Type Yes 1 \"Parent Object Type\\\"\svalue=\\\"(.*?)\\[^\\]
Role Name Yes 1 label[=Permissions Role Name"\\]+value["\\=]+"(.*?)[\\]"
Target User ID Yes 1 label[=Member ID"\\]+value["\\=]+(\d+)[\\]"
Target User Name Yes 1 label[=Target Name"\\]+value["\\=]+"(.*?)[\\]"

label[=Member Name"\\]+value["\\=]+"(.*?)[\\]"

URL Yes 1 label[=\sSite"\\]+value["\\=]+"(.*?)[\\]"