Microsoft Windows (German)
Use the IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension to closely monitor your German language Microsoft Windows deployment.
This content extension is for use with the IBM Security QRadar Custom Properties for Microsoft Windows Content Extension. The custom properties in this content extension are used for parsing German language logs.
IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.2
The following table shows the custom properties that were updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.2.
Name | Custom property ID | Optimized | Capture group | Regex |
---|---|---|---|---|
Group Name | cbea4bef-be53-49ba-ac62-32b81fcd0aaf | Yes | 1 | (?:Gruppenname|Zielkontoname)[:=\s\\]+(.*?)\s+(?:Gruppendomäne|Zieldomäne|Gruppe:|&&) |
Group Domain | 507657c6-d092-4fb9-96e8-55ebd72d127f | No | 1 | (?:Gruppendomäne|Zieldomäne)[:=\s\\]+([^\s]+) |
Group Security ID | 6065a1df-fdec-405e-b232-6beaafddd6eb | No | 1 | Gruppe[:\s]*Sicherheits-ID[:=\s\\]+(.*?)\s+(?:Gruppenname|Gruppe:|Kontoname|&&) |
Machine Identifier | 002a5618-8f44-41bc-b5aa-bc02153a7d84 | Yes | 1 | Arbeitsstationsname[:\s\\=]+([^\s&]+)\s+Quellnetzwerkadresse Benutzerarbeitsstationen[:\s]*(.*?)\s+Letzte Kennwortänderung: |
IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.1
The following table shows the custom property expression that is updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.1.
Name | Regex expression ID | Optimized | Capture Group | Regex |
---|---|---|---|---|
Objekttyp | 3b8e4e0b-a18f-4ff9-b85f-4b8c09898617 | Yes | 1 | Objekttyp[:\s\\=]File[\s\t]+Objektname[:\s\=].[^.\s]\.(?![0-9]{1,2}\.)([^\\]*?)\s(?:Handle-ID|&&) |
The following table shows the custom properties that were updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.1.
Previous property name | Updated property name | Previous property ID | Updated property ID |
---|---|---|---|
AccountName | Account Name | DEFAULTCUSTOMEVENT15 | a8dee00c-b85f-4b15-bb68-fc8c83f82530 |
Computer Name | Machine Identifier | b30ceb37-a5b7-48e5-9a7e-85efba5d2c85 | 002a5618-8f44-41bc-b5aa-bc02153a7d84 |
GroupID | Group ID | DEFAULTCUSTOMEVENT17 | |
Initiator User Name | Initiator Username | 40d41417-9594-4e68-be99-7ccd5a828f4c | |
ObjectType | Object Type | DEFAULTCUSTOMEVENT13 | |
Target User Name | Target Username | e7da1cc0-5bf0-48de-86a9-6af817266c7f | |
User Workstations | Machine Identifier | 25193ca6-9537-4412-bf5c-598d7c70dc8e | 002a5618-8f44-41bc-b5aa-bc02153a7d84 |
IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
AccountName | Yes | 1 | Kontoname:\s*(.+?)\s+ Kontodomäne:\s*(.+?)\s+ |
Computer Name | No | 1 | Arbeitsstationsname[:\s\\=]+([^\s&]+)\s+Quellnetzwerkadresse |
File Directory | Yes | 1 | Objekttyp[:\s\\=]+File[\s\t]+Objektname[:\s\=]+(.*?)\\[^\\]*?\s+(?:Handle-ID|&&) |
File Extension | Yes | 1 | Objektname:\s+.*?\.?[^\\.]+\.(?![0-9]{1,2}\.)([^\\]*?)\s+Handle |
Filename | Yes | 1 | Objekttyp[:\s\\=]+File[\s\t]+Objektname[:\s\=]+.*?\\([^\\]*?)\s+(?:Handle-ID|&&) |
Group Domain | No | 1 | (?:Gruppendomäne|Zieldomäne)[:=\s\\]+([^\s]+) |
Group Name | Yes | 1 | (?:Gruppenname|Zielkontoname)[:=\s\\]+(.*?)\s+(?:Gruppendomäne|Zieldomäne|Gruppe:|&&) |
Group Security ID | No | 1 | Gruppe[:\s]*Sicherheits-ID[:=\s\\]+(.*?)\s+(?:Gruppenname|Gruppe:|Kontoname|&&) |
GroupID | Yes | 1 | Gruppen-ID[:\s\\=]*(\d+) |
Home Directory | No | 1 | Stammverzeichnis[:\s]*(.*?)\s+Stammlaufwerk: |
Initiator User Name | Yes | 1 | Antragsteller.*?Kontoname[\:\\\=\s]+(.*?)\s+(?:Kontodomäne|&&) |
Logon Type | Yes | 1 | Anmeldetyp[:\s\\=]+(\d+) |
Object Type | Yes | 1 | Objekttyp[:\s\\=]*([^\s&]*) |
Process Name | Yes | 1 | Prozessname[:\s\\=]+(?:.*\\)?(.*?)\s+(?:Netzwerkinformationen|\s|&&) Prozessname: \s?.*\\([^\s]+) |
SAM Account Name | No | 1 | S(?:AM|am)-Kontoname[:\s]*(.*?)\s+Anzeigename: |
Target Account Security ID | No | 1 | Neues Konto.*?Sicherheits-ID:[\:\\\=\s]+(.*?)\s+(?:Kontoname|&&) Mitglied[\:\s]+(?:Sicherheits-)?ID[\:\s\\=]+(.*?)\s+(?:Kontoname|&&) Zielkonto.*?ID[:\s\\=]+(.*?)\s+(?:Kontoname|Kontodomäne|&&) Neue Anmeldung.*?Sicherheits-ID:[\:\\\=\s]+(.*?)\s+(?:Kontoname|&&) |
Target User Domain | No | 1 | Neues Konto.*?Kontodomäne[\:\\\=\s]+([^\s]+) Neue Anmeldung:.*?Kontodomäne[\:\\\=\s]+([^\s]+) Zielkonto.*?domäne[\:\\\=\s]+([^\s]+) |
Target User Name | Yes | 1 | Neues Konto.*?name:[\:\\\=\s]+(.*?)\s+(?:Kontodomäne:|&&) Neue Anmeldung.*?name:[\:\\\=\s]+(.*?)\s+(?:Kontodomäne:|&&) Zielkonto.*?name[\:\\\=\s]+(.*?)\s+(?:Kontodomäne:|Zieldomäne:|&&) |
User Domain | No | 1 | Antragsteller.*?domäne[\:\\\=\s]{2,}([^\s]+) |
User Principal Name | No | 1 | Benutzerprinzipalname[:\s]*(.*?)\s+Stammverzeichnis: |
User Workstations | No | 1 | Benutzerarbeitsstationen[:\s]*(.*?)\s+Letzte Kennwortänderung: |
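The following is an added example, not part of the content extension, that runs a selection of the regular expressions from the tables above against two constructed single-line German Security event payloads (a 4624 network logon and a 4728 group-membership change). Where a property lists several expressions, the example assumes they are tried in the page's order and the first match wins; the payloads, SIDs, host and account names are all constructed.

```python
import re

# Regular expressions copied from the tables above; a property with several
# expressions keeps them in the page's order (assumption: first match wins).
PROPERTIES = {
    "Logon Type": [r"Anmeldetyp[:\s\\=]+(\d+)"],
    "Machine Identifier": [
        r"Arbeitsstationsname[:\s\\=]+([^\s&]+)\s+Quellnetzwerkadresse"],
    "Initiator Username": [
        r"Antragsteller.*?Kontoname[\:\\\=\s]+(.*?)\s+(?:Kontodomäne|&&)"],
    "Target Username": [
        r"Neues Konto.*?name:[\:\\\=\s]+(.*?)\s+(?:Kontodomäne:|&&)",
        r"Neue Anmeldung.*?name:[\:\\\=\s]+(.*?)\s+(?:Kontodomäne:|&&)",
        r"Zielkonto.*?name[\:\\\=\s]+(.*?)\s+(?:Kontodomäne:|Zieldomäne:|&&)"],
    "Target Account Security ID": [
        r"Neues Konto.*?Sicherheits-ID:[\:\\\=\s]+(.*?)\s+(?:Kontoname|&&)",
        r"Mitglied[\:\s]+(?:Sicherheits-)?ID[\:\s\\=]+(.*?)\s+(?:Kontoname|&&)",
        r"Neue Anmeldung.*?Sicherheits-ID:[\:\\\=\s]+(.*?)\s+(?:Kontoname|&&)"],
    "Group Name": [
        r"(?:Gruppenname|Zielkontoname)[:=\s\\]+(.*?)\s+(?:Gruppendomäne|Zieldomäne|Gruppe:|&&)"],
    "Group Domain": [r"(?:Gruppendomäne|Zieldomäne)[:=\s\\]+([^\s]+)"],
    "Group Security ID": [
        r"Gruppe[:\s]*Sicherheits-ID[:=\s\\]+(.*?)\s+(?:Gruppenname|Gruppe:|Kontoname|&&)"],
}

def extract(payload, name):
    """Capture group 1 of the first expression for `name` that matches, else None."""
    for pattern in PROPERTIES[name]:
        m = re.search(pattern, payload)
        if m:
            return m.group(1)
    return None

def extract_all(payload):
    """Evaluate every custom property above against one event payload."""
    return {name: extract(payload, name) for name in PROPERTIES}

# Constructed sample payloads in the single-line form QRadar receives.
LOGON_4624 = ("Antragsteller: Sicherheits-ID: S-1-0-0 Kontoname: - Kontodomäne: - "
              "Anmeldetyp: 3 Neue Anmeldung: Sicherheits-ID: S-1-5-21-1111-2222-3333-1001 "
              "Kontoname: mmustermann Kontodomäne: CONTOSO Anmelde-ID: 0x1A2B3C "
              "Netzwerkinformationen: Arbeitsstationsname: WS-BERLIN-01 "
              "Quellnetzwerkadresse: 10.0.0.5 Quellport: 49152")
GROUP_4728 = ("Es wurde ein Mitglied einer sicherheitsaktivierten globalen Gruppe hinzugefügt. "
              "Antragsteller: Sicherheits-ID: S-1-5-21-1111-2222-3333-500 Kontoname: Administrator "
              "Kontodomäne: CONTOSO Mitglied: Sicherheits-ID: S-1-5-21-1111-2222-3333-1001 "
              "Kontoname: CN=Max Mustermann,OU=Users,DC=contoso,DC=local "
              "Gruppe: Sicherheits-ID: S-1-5-21-1111-2222-3333-512 "
              "Gruppenname: Domänen-Admins Gruppendomäne: CONTOSO")
```

Properties whose keywords are absent from a payload (for example Group Name on the logon event) return None, which is the behaviour to expect when a rule or search references a property that the event type does not populate.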