osquery
Use the IBM Security QRadar osquery Custom Properties Content Extension to closely monitor Linux® devices using osquery.
Note: This content extension does not install when the Parent Filename custom property from Cisco AMP 1.0.0 is present. Delete Parent Filename before you install this content extension.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar osquery Custom Properties Content Extension
IBM Security QRadar osquery Custom Properties Content Extension 1.0.2
The following table shows the new and updated custom properties in IBM Security QRadar osquery Custom Properties Content Extension 1.0.2.
| Name | Optimized | Regex Capture Group | Regex |
|---|---|---|---|
| Process ID | Yes | 1 | x_forwarded_for_header_value="([^"]*)" |
IBM Security QRadar osquery Custom Properties Content Extension 1.0.1
The following table shows the new and updated custom properties in IBM Security QRadar osquery Custom Properties Content Extension 1.0.1.
| Name | Optimized | Regex Capture Group | Expressions |
|---|---|---|---|
| Container Image | Yes | 1 | |
| Container Image ID | Yes | 1 | |
IBM Security QRadar osquery Custom Properties Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar osquery Custom Properties Content Extension 1.0.0.
| Name | Optimized | Regex Capture Group | Expressions |
|---|---|---|---|
| Container ID | Yes | 1 | |
| Container Image | No | 1 | |
| Container Image ID | No | 1 | |
| Container Name | No | 1 | |
| Destination Mount Point | No | | |
| File Directory | Yes | 1 | |
| File Extension | Yes | 1 | |
| File Permissions | Yes | | |
| Filename | Yes | 1 | |
| GroupID | Yes | | |
| Image Tag | No | 1 | |
| Parent Process Name | Yes | 1 | |
| Parent Process Path | Yes | 1 | |
| Privileged Container | Yes | 1 | |
| Process CommandLine | Yes | 1 | |
| Process Id | No | 1 | |
| Process Name | Yes | 1 | |
| Rule Details | Yes | | |
| SHA256 Hash | Yes | 1 | |
| Source Mount Point | Yes | | |
| Target User Name | Yes | | |
| User ID | Yes | | |