Carbon Black Protection
Use the IBM® QRadar® Carbon Black Protection Content Extension to closely monitor your Carbon Black Protection deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs
up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled,
download the most recent version of the associated DSMs from IBM Fix Central
(https://www.ibm.com/support/fixcentral).
IBM Security QRadar Carbon Black Protection Content Extensions
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.4
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.3
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.2
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.1
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.0
IBM Security QRadar Carbon Black Protection Content Extension V1.0.4
The owner for the Policy custom property was set to admin.
IBM Security QRadar Carbon Black Protection Content Extension V1.0.3
The following table shows the custom properties that were updated in IBM Security QRadar Carbon Black Protection Content Extension V1.0.3.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Policy | No | 1 | policy=([^\t]+)[\t]* |
IBM Security QRadar Carbon Black Protection Content Extension V1.0.2
The following table shows the custom properties that were updated in IBM Security QRadar Carbon Black Protection Content Extension V1.0.2.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Message | No | 1 | msg=([^\t]+)[\t]* |
IBM Security QRadar Carbon Black Protection Content Extension V1.0.1
The following table shows the custom properties in IBM Security QRadar Carbon Black Protection Content Extension V1.0.1.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Ban Name | True | 1 | banName=([^\t]+)[\t]* |
Destination host Name | True | 1 | dstHostName=([^\t]+)[\t]* |
External ID | True | 1 | externalId=([^\t]+)[\t]* |
File Hash | True | 1 | fileHash=([^\t]+)[\t]* |
File ID | True | 1 | fileId=([^\t]+)[\t]* |
File Path | False | 1 | filePath=([^\t]+)[\t]* |
File Threat | True | 1 | fileThreat=([^\t]+)[\t]* |
File Trust | True | 1 | fileTrust=([^\t]+)[\t]* |
Filename | True | 1 | fileName=([^\t]+)[\t]* |
Indicator Name | False | 1 | indicatorName=([^\t]+)[\t]* |
Installer Filename | True | 1 | installerFileName=([^\t]+)[\t]* |
Message | True | 1 | msg=([^\t]+)[\t]* |
Policy | True | 1 | policy=([^\t]+)[\t]* |
Process Key | True | 1 | processKey=([^\t]+)[\t]* |
Process Threat | True | 1 | processThreat=([^\t]+)[\t]* |
Process Trust | True | 1 | processTrust=([^\t]+)[\t]* |
Received Time | True | 1 | receivedTime=([^\t]+)[\t]* |
Root Hash | True | 1 | rootHash=([^\t]+)[\t]* |
Rule Name | True | 1 | ruleName=([^\t]+)[\t]* |
Source Host Name | True | 1 | srcHostName=([^\t]+)[\t]* |
Source Process | True | 1 | srcProcess=([^\t]+)[\t]* |
Unified Source | False | 1 | unifiedSource=([^\t]+)[\t]* |
Updater Name | False | 1 | updaterName=([^\t]+)[\t]* |
IBM Security QRadar Carbon Black Protection Content Extension V1.0.0
The following table shows the custom properties in IBM Security QRadar Carbon Black Protection Content Extension V1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Ban Name | False | 1 | banName=([^\t]+)[\t]* |
Destination host Name | True | 1 | dstHostName=([^\t]+)[\t]* |
External ID | True | 1 | externalId=([^\t]+)[\t]* |
File Hash | True | 1 | fileHash=([^\t]+)[\t]* |
File ID | True | 1 | fileId=([^\t]+)[\t]* |
File Path | True | 1 | filePath=([^\t]+)[\t]* |
File Threat | False | 1 | fileThreat=([^\t]+)[\t]* |
File Trust | False | 1 | fileTrust=([^\t]+)[\t]* |
Filename | True | 1 | fileName=([^\t]+)[\t]* |
Indicator Name | False | 1 | indicatorName=([^\t]+)[\t]* |
Installer Filename | True | 1 | installerFileName=([^\t]+)[\t]* |
Message | True | 1 | msg=([^\t]+)[\t]* |
Policy | True | 1 | policy=([^\t]+)[\t]* |
Process Key | False | 1 | processKey=([^\t]+)[\t]* |
Process Threat | False | 1 | processThreat=([^\t]+)[\t]* |
Process Trust | False | 1 | processTrust=([^\t]+)[\t]* |
Received Time | True | 1 | receivedTime=([^\t]+)[\t]* |
Root Hash | True | 1 | rootHash=([^\t]+)[\t]* |
Rule Name | True | 1 | ruleName=([^\t]+)[\t]* |
Source Host Name | True | 1 | srcHostName=([^\t]+)[\t]* |
Source Process | True | 1 | srcProcess=([^\t]+)[\t]* |
Unified Source | False | 1 | unifiedSource=([^\t]+)[\t]* |
Updater Name | False | 1 | updaterName=([^\t]+)[\t]* |
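Every regex in the tables above, from V1.0.0 through V1.0.3, has the same shape: a literal key followed by `=([^\t]+)[\t]*`, capturing up to the next tab. The versions differ only in the Optimized column (and, in V1.0.4, the property owner), not in the patterns. The Python script below is an added illustration, not code from the content extension or from IBM: it applies the V1.0.1 regex set to a constructed tab-delimited Carbon Black Protection extension string (the field values and their order are assumptions, not a captured log) and then to the same string with tabs rewritten as spaces, to show why the tab delimiter matters (policy names and Windows paths contain spaces, so `\S+` would truncate them) and how the `[^\t]+` patterns over-capture when a relay or collector normalises tabs to spaces. The `swallowed_fields` check is a hypothetical helper for spotting that condition in extracted values.

```python
import re

# Custom property regexes exactly as listed in the V1.0.1 table above.
# QRadar keeps capture group 1; the trailing [\t]* only consumes the delimiter.
PROPERTY_REGEXES = {
    "Ban Name": r"banName=([^\t]+)[\t]*",
    "Destination host Name": r"dstHostName=([^\t]+)[\t]*",
    "External ID": r"externalId=([^\t]+)[\t]*",
    "File Hash": r"fileHash=([^\t]+)[\t]*",
    "File ID": r"fileId=([^\t]+)[\t]*",
    "File Path": r"filePath=([^\t]+)[\t]*",
    "File Threat": r"fileThreat=([^\t]+)[\t]*",
    "File Trust": r"fileTrust=([^\t]+)[\t]*",
    "Filename": r"fileName=([^\t]+)[\t]*",
    "Indicator Name": r"indicatorName=([^\t]+)[\t]*",
    "Installer Filename": r"installerFileName=([^\t]+)[\t]*",
    "Message": r"msg=([^\t]+)[\t]*",
    "Policy": r"policy=([^\t]+)[\t]*",
    "Process Key": r"processKey=([^\t]+)[\t]*",
    "Process Threat": r"processThreat=([^\t]+)[\t]*",
    "Process Trust": r"processTrust=([^\t]+)[\t]*",
    "Received Time": r"receivedTime=([^\t]+)[\t]*",
    "Root Hash": r"rootHash=([^\t]+)[\t]*",
    "Rule Name": r"ruleName=([^\t]+)[\t]*",
    "Source Host Name": r"srcHostName=([^\t]+)[\t]*",
    "Source Process": r"srcProcess=([^\t]+)[\t]*",
    "Unified Source": r"unifiedSource=([^\t]+)[\t]*",
    "Updater Name": r"updaterName=([^\t]+)[\t]*",
}

# The key= prefix of every regex, used by the sanity check below.
KEYS = [pattern.split("=", 1)[0] for pattern in PROPERTY_REGEXES.values()]

# Constructed sample (assumed values and field order, not a captured log): the
# extension part of a Carbon Black Protection event as tab-separated key=value pairs.
FIELDS = [
    "receivedTime=2024-01-15 10:22:31",
    "srcHostName=WS-1234",
    "policy=Default Policy",
    "fileName=payload.dll",
    "filePath=C:\\Program Files\\Vendor\\payload.dll",
    "fileHash=0123456789abcdef0123456789abcdef",
    "ruleName=Block unapproved executables",
    "msg=File execution blocked",
]
TAB_EVENT = "\t".join(FIELDS)
# The same event after a relay or collector has rewritten tabs as spaces.
SPACE_EVENT = " ".join(FIELDS)


def extract(event, regexes=PROPERTY_REGEXES):
    """Evaluate each custom property the way QRadar does: first match, capture group 1.
    Properties whose key is absent from the event are simply not set."""
    props = {}
    for name, pattern in regexes.items():
        match = re.search(pattern, event)
        if match:
            props[name] = match.group(1)
    return props


def swallowed_fields(props, keys=KEYS):
    """Hypothetical sanity check on extracted values: a value that itself contains
    another key= pair means the regex ran past the delimiter, i.e. the event was not
    tab-separated as the [^\\t]+ patterns assume. Returns {property: [keys found]}."""
    flagged = {}
    for name, value in props.items():
        hits = [k for k in keys if re.search(r"(?:^|\s)" + re.escape(k) + "=", value)]
        if hits:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    # Tab-separated input: values containing spaces are captured whole, nothing is flagged.
    good = extract(TAB_EVENT)
    print(good["Policy"], "|", good["File Path"])
    print("flagged:", swallowed_fields(good))
    # Space-separated input: [^\t]+ runs to end of line, so every property whose
    # field is followed by another field swallows its neighbours and gets flagged.
    bad = extract(SPACE_EVENT)
    print(bad["Policy"])
    print("flagged:", swallowed_fields(bad))
```

The Optimized column in the tables records whether QRadar evaluates the regex when the event is collected (so the property is indexed and usable in rules, searches and reports) or only at search time; it does not change the pattern, which is why one regex set reproduces every version's extraction. If a property shows up in searches with the rest of the event appended to its value, the delimiter on the wire is the first thing to check.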