Microsoft Windows (German)

Use the IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension to closely monitor your German language Microsoft Windows deployment.

This content extension is for use with the IBM Security QRadar Custom Properties for Microsoft Windows Content Extension. The custom properties in this content extension are used for parsing German language logs.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.2

The following table shows the custom properties that were updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.2.

Table 1. Custom Properties updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.2
Name Custom property ID Optimized Capture group Regex
Group Name cbea4bef-be53-49ba-ac62-32b81fcd0aaf Yes 1 (?:Gruppenname|Zielkontoname)[:=\s\\]+(.*?)\s+(?:Gruppendomäne|Zieldomäne|Gruppe:|&&)
Group Domain 507657c6-d092-4fb9-96e8-55ebd72d127f No 1 (?:Gruppendomäne|Zieldomäne)[:=\s\\]+([^\s]+)
Group Security ID 6065a1df-fdec-405e-b232-6beaafddd6eb No 1 Gruppe[:\s]*Sicherheits-ID[:=\s\\]+(.*?)\s+(?:Gruppenname|Gruppe:|Kontoname|&&)
Machine Identifier 002a5618-8f44-41bc-b5aa-bc02153a7d84 Yes 1 Arbeitsstationsname[:\s\\=]+([^\s&]+)\s+Quellnetzwerkadresse
    Benutzerarbeitsstationen[:\s]*(.*?)\s+Letzte Kennwortänderung:

IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.1

The following table shows the custom property expression that is updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.1.

Table 2. Custom property expression updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.1
Name Regex expression ID Optimized Capture Group Regex
Objekttyp 3b8e4e0b-a18f-4ff9-b85f-4b8c09898617 Yes 1 Objekttyp[:\s\\=]File[\s\t]+Objektname[:\s\=].[^.\s]\.(?![0-9]{1,2}\.)([^\\]*?)\s(?:Handle-ID|&&)

The following table shows the custom properties that were updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.1.

Table 3. Custom Properties updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.1
Previous property name Updated property name Previous property ID Updated property ID
AccountName Account Name DEFAULTCUSTOMEVENT15 a8dee00c-b85f-4b15-bb68-fc8c83f82530
Computer Name Machine Identifier b30ceb37-a5b7-48e5-9a7e-85efba5d2c85 002a5618-8f44-41bc-b5aa-bc02153a7d84
GroupID Group ID DEFAULTCUSTOMEVENT17  
Initiator User Name Initiator Username 40d41417-9594-4e68-be99-7ccd5a828f4c  
ObjectType Object Type DEFAULTCUSTOMEVENT13  
Target User Name Target Username e7da1cc0-5bf0-48de-86a9-6af817266c7f  
User Workstations Machine Identifier 25193ca6-9537-4412-bf5c-598d7c70dc8e 002a5618-8f44-41bc-b5aa-bc02153a7d84

IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.0.

Table 4. Custom Properties in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.0
Name Optimized Capture Group Regex
AccountName Yes 1 Kontoname:\s*(.+?)\s+ Kontodomäne:\s*(.+?)\s+
Computer Name No 1 Arbeitsstationsname[:\s\\=]+([^\s&]+)\s+Quellnetzwerkadresse
File Directory Yes 1 Objekttyp[:\s\\=]+File[\s\t]+Objektname[:\s\=]+(.*?)\\[^\\]*?\s+(?:Handle-ID|&&)
File Extension Yes 1 Objektname:\s+.*?\.?[^\\.]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+Handle
Filename Yes 1 Objekttyp[:\s\\=]+File[\s\t]+Objektname[:\s\=]+.*?\\([^\\]*?)\s+(?:Handle-ID|&&)
Group Domain No 1 (?:Gruppendomäne|Zieldomäne)[:=\s\\]+([^\s]+)
Group Name Yes 1 (?:Gruppenname|Zielkontoname)[:=\s\\]+(.*?)\s+(?:Gruppendomäne|Zieldomäne|Gruppe:|&&)
Group Security ID No 1 Gruppe[:\s]*Sicherheits-ID[:=\s\\]+(.*?)\s+(?:Gruppenname|Gruppe:|Kontoname|&&)
GroupID Yes 1 Gruppen-ID[:\s\\=]*(\d+)
Home Directory No 1 Stammverzeichnis[:\s]*(.*?)\s+Stammlaufwerk:
Initiator User Name Yes 1 Antragsteller.*?Kontoname[\:\\\=\s]+(.*?)\s+(?:Kontodomäne|&&)
Logon Type Yes 1 Anmeldetyp[:\s\\=]+(\d+)
Object Type Yes 1 Objekttyp[:\s\\=]*([^\s&]*)
Process Name Yes 1 Prozessname[:\s\\=]+(?:.*\\)?(.*?)\s+(?:Netzwerkinformationen|\s|&&)
    Prozessname: \s?.*\\([^\s]+)
SAM Account Name No 1 S(?:AM|am)-Kontoname[:\s]*(.*?)\s+Anzeigename:
Target Account Security ID No 1 Neues Konto.*?Sicherheits-ID:[\:\\\=\s]+(.*?)\s+(?:Kontoname|&&)
    Mitglied[\:\s]+(?:Sicherheits-)?ID[\:\s\\=]+(.*?)\s+(?:Kontoname|&&)
    Zielkonto.*?ID[:\s\\=]+(.*?)\s+(?:Kontoname|Kontodomäne|&&)
    Neue Anmeldung.*?Sicherheits-ID:[\:\\\=\s]+(.*?)\s+(?:Kontoname|&&)
Target User Domain No 1 Neues Konto.*?Kontodomäne[\:\\\=\s]+([^\s]+)
    Neue Anmeldung:.*?Kontodomäne[\:\\\=\s]+([^\s]+)
    Zielkonto.*?domäne[\:\\\=\s]+([^\s]+)
Target User Name Yes 1 Neues Konto.*?name:[\:\\\=\s]+(.*?)\s+(?:Kontodomäne:|&&)
    Neue Anmeldung.*?name:[\:\\\=\s]+(.*?)\s+(?:Kontodomäne:|&&)
    Zielkonto.*?name[\:\\\=\s]+(.*?)\s+(?:Kontodomäne:|Zieldomäne:|&&)

User Domain No 1 Antragsteller.*?domäne[\:\\\=\s]{2,}([^\s]+)
User Principal Name No 1 Benutzerprinzipalname[:\s]*(.*?)\s+Stammverzeichnis:
User Workstations No 1 Benutzerarbeitsstationen[:\s]*(.*?)\s+Letzte Kennwortänderung:
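To verify what these expressions extract before relying on them in rules and searches, the following added example (not IBM's code and not part of the content extension) applies a subset of the regexes from the tables above to two constructed German-language event payloads using Python's re module; QRadar evaluates Java regular expressions, and these particular patterns use only syntax the two engines share. The sample payloads and the order in which alternative expressions for one property are tried are assumptions of this example.

```python
import re
# Constructed sample payloads shaped like German-language Windows Security event
# text as it reaches QRadar (fields run together on one line). Not real log data.
LOGON_EVENT = (
    "Anmeldetyp: 10 Neue Anmeldung: Sicherheits-ID: S-1-5-21-1111-2222-3333-1001 "
    "Kontoname: mmustermann Kontodomäne: CONTOSO Anmelde-ID: 0x3E7 "
    "Prozessname: C:\\Windows\\System32\\winlogon.exe "
    "Netzwerkinformationen: Arbeitsstationsname: WKS-01 Quellnetzwerkadresse: 10.0.0.5"
)
GROUP_EVENT = (
    "Mitglied: Sicherheits-ID: S-1-5-21-1111-2222-3333-1001 Kontoname: mmustermann "
    "Gruppe: Sicherheits-ID: S-1-5-21-1111-2222-3333-512 Gruppenname: Domänen-Admins "
    "Gruppendomäne: CONTOSO"
)
# Regexes copied from the tables above; capture group 1 is the value. Where a property lists
# several expressions, they are tried in the listed order and the first hit wins (an assumption).
PROPERTIES = {
    "Logon Type": [r"Anmeldetyp[:\s\\=]+(\d+)"],
    "Machine Identifier": [
        r"Arbeitsstationsname[:\s\\=]+([^\s&]+)\s+Quellnetzwerkadresse",
        r"Benutzerarbeitsstationen[:\s]*(.*?)\s+Letzte Kennwortänderung:",
    ],
    "Process Name": [r"Prozessname[:\s\\=]+(?:.*\\)?(.*?)\s+(?:Netzwerkinformationen|\s|&&)"],
    "Target Username": [
        r"Neues Konto.*?name:[\:\\\=\s]+(.*?)\s+(?:Kontodomäne:|&&)",
        r"Neue Anmeldung.*?name:[\:\\\=\s]+(.*?)\s+(?:Kontodomäne:|&&)",
        r"Zielkonto.*?name[\:\\\=\s]+(.*?)\s+(?:Kontodomäne:|Zieldomäne:|&&)",
    ],
    "Target Account Security ID": [
        r"Neues Konto.*?Sicherheits-ID:[\:\\\=\s]+(.*?)\s+(?:Kontoname|&&)",
        r"Mitglied[\:\s]+(?:Sicherheits-)?ID[\:\s\\=]+(.*?)\s+(?:Kontoname|&&)",
        r"Zielkonto.*?ID[:\s\\=]+(.*?)\s+(?:Kontoname|Kontodomäne|&&)",
        r"Neue Anmeldung.*?Sicherheits-ID:[\:\\\=\s]+(.*?)\s+(?:Kontoname|&&)",
    ],
    "Group Security ID": [r"Gruppe[:\s]*Sicherheits-ID[:=\s\\]+(.*?)\s+(?:Gruppenname|Gruppe:|Kontoname|&&)"],
    "Group Name": [r"(?:Gruppenname|Zielkontoname)[:=\s\\]+(.*?)\s+(?:Gruppendomäne|Zieldomäne|Gruppe:|&&)"],
}

def extract(payload, patterns):
    """Return capture group 1 of the first listed pattern that matches, else None."""
    for pattern in patterns:
        match = re.search(pattern, payload)
        if match:
            return match.group(1)
    return None

def parse_event(payload):
    """Apply every custom property to one payload; properties that do not match are omitted."""
    values = {name: extract(payload, pats) for name, pats in PROPERTIES.items()}
    return {name: value for name, value in values.items() if value is not None}
```

Running parse_event on a payload from your own event collector is a quick way to confirm that the fields the property is expected to populate are actually captured for your Windows version and locale.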