Microsoft Windows (German)

Use the IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension to closely monitor your German language Microsoft Windows deployment.

This content extension is for use with the IBM Security QRadar Custom Properties for Microsoft Windows Content Extension. The custom properties in this content extension are used for parsing German language logs.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.2

The following table shows the custom properties that were updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.2.

Table 1. Custom Properties updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.2
Name	Custom property ID	Optimized	Capture group	Regex
Group Name	cbea4bef-be53-49ba-ac62-32b81fcd0aaf	Yes	1	(?:Gruppenname\|Zielkontoname)[:=\s\\]+(.*?)\s+(?:Gruppendomäne\|Zieldomäne\|Gruppe:\|&&)
Group Domain	507657c6-d092-4fb9-96e8-55ebd72d127f	No	1	(?:Gruppendomäne\|Zieldomäne)[:=\s\\]+([^\s]+)
Group Security ID	6065a1df-fdec-405e-b232-6beaafddd6eb	No	1	Gruppe[:\s]Sicherheits-ID[:=\s\\]+(.?)\s+(?:Gruppenname\|Gruppe:\|Kontoname\|&&)
Machine Identifier	002a5618-8f44-41bc-b5aa-bc02153a7d84	Yes	1	Arbeitsstationsname[:\s\\=]+([^\s&]+)\s+Quellnetzwerkadresse Benutzerarbeitsstationen[:\s](.?)\s+Letzte Kennwortänderung:

IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.1

The following table shows the custom property expression that is updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.1.

Table 2. Custom property expression updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.1
Name	Regex expression ID	Optimized	Capture Group	Regex
Objekttyp	3b8e4e0b-a18f-4ff9-b85f-4b8c09898617	Yes	1	Objekttyp[:\s\\=]File[\s\t]+Objektname[:\s\=].[^.\s]\.(?![0-9]{1,2}\.)([^\\]*?)\s(?:Handle-ID\|&&)

The following table shows the custom properties that were updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.1.

Table 3. Custom Properties updated in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.1
Previous property name	Updated property name	Previous property ID	Updated property ID
AccountName	Account Name	DEFAULTCUSTOMEVENT15	a8dee00c-b85f-4b15-bb68-fc8c83f82530
Computer Name	Machine Identifier	b30ceb37-a5b7-48e5-9a7e-85efba5d2c85	002a5618-8f44-41bc-b5aa-bc02153a7d84
GroupID	Group ID	DEFAULTCUSTOMEVENT17
Initiator User Name	Initiator Username	40d41417-9594-4e68-be99-7ccd5a828f4c
ObjectType	Object Type	DEFAULTCUSTOMEVENT13
Target User Name	Target Username	e7da1cc0-5bf0-48de-86a9-6af817266c7f
User Workstations	Machine Identifier	25193ca6-9537-4412-bf5c-598d7c70dc8e	002a5618-8f44-41bc-b5aa-bc02153a7d84

IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.0.

Table 4. Custom Properties in IBM Security QRadar Custom Properties for Microsoft Windows (German) Content Extension 1.0.0
Name	Optimized	Capture Group	Regex
AccountName	Yes	1	Kontoname:\s(.+?)\s+ Kontodomäne:\s(.+?)\s+
Computer Name	No	1	Arbeitsstationsname[:\s\\=]+([^\s&]+)\s+Quellnetzwerkadresse
File Directory	Yes	1	Objekttyp[:\s\\=]+File[\s\t]+Objektname[:\s\=]+(.?)\\[^\\]?\s+(?:Handle-ID\|&&)
File Extension	Yes	1	Objektname:\s+.?\.?[^\\.]+\.(?![0-9]{1,2}\.)([^\\]?)\s+Handle
Filename	Yes	1	Objekttyp[:\s\\=]+File[\s\t]+Objektname[:\s\=]+.?\\([^\\]?)\s+(?:Handle-ID\|&&)
Group Domain	No	1	(?:Gruppendomäne\|Zieldomäne)[:=\s\\]+([^\s]+)
Group Name	Yes	1	?:Gruppenname\|Zielkontoname)[:=\s\\]+(.*?)\s+(?:Gruppendomäne\|Zieldomäne\|Gruppe:\|&&)
Group Security ID	No	1	Gruppe[:\s]Sicherheits-ID[:=\s\\]+(.?)\s+(?:Gruppenname\|Gruppe:\|Kontoname\|&&)
GroupID	Yes	1	Gruppen-ID[:\s\\=]*(\d+)
Home Directory	No	1	Stammverzeichnis[:\s](.?)\s+Stammlaufwerk:
Initiator User Name	Yes	1	Antragsteller.?Kontoname[\:\\\=\s]+(.?)\s+(?:Kontodomäne\|&&)
Logon Type	Yes	1	Anmeldetyp[:\s\\=]+(\d+)
Object Type	Yes	1	Objekttyp[:\s\\=]([^\s&])
Process Name	Yes	1	Prozessname[:\s\\=]+(?:.\\)?(.?)\s+(?:Netzwerkinformationen\|\s\|&&) Prozessname: \s?.*\\([^\s]+)
SAM Account Name	No	1	S(?:AM\|am)-Kontoname[:\s](.?)\s+Anzeigename:
Target Account Security ID	No	1	Neues Konto.?Sicherheits-ID:[\:\\\=\s]+(.?)\s+(?:Kontoname\|&&) Mitglied[\:\s]+(?:Sicherheits-)?ID[\:\s\\=]+(.?)\s+(?:Kontoname\|&&) Zielkonto.?ID[:\s\\=]+(.?)\s+(?:Kontoname\|Kontodomäne\|&&) Neue Anmeldung.?Sicherheits-ID:[\:\\\=\s]+(.*?)\s+(?:Kontoname\|&&)
Target User Domain	No	1	Neues Konto.?Kontodomäne[\:\\\=\s]+([^\s]+) Neue Anmeldung:.?Kontodomäne[\:\\\=\s]+([^\s]+) Zielkonto.*?domäne[\:\\\=\s]+([^\s]+)
Target User Name	Yes	1	Neues Konto.?name:[\:\\\=\s]+(.?)\s+(?:Kontodomäne:\|&&) Neue Anmeldung.?name:[\:\\\=\s]+(.?)\s+(?:Kontodomäne:\|&&) Zielkonto.?name[\:\\\=\s]+(.?)\s+(?:Kontodomäne:\|Zieldomäne:\|&&)
User Domain	No	1	Antragsteller.*?domäne[\:\\\=\s]{2,}([^\s]+)
User Principal Name	No	1	Benutzerprinzipalname[:\s](.?)\s+Stammverzeichnis:
User Workstations	No	1	Benutzerarbeitsstationen[:\s](.?)\s+Letzte Kennwortänderung: