Microsoft ISA
Use the IBM® QRadar® Custom Properties for Microsoft ISA to closely monitor your Microsoft ISA deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs
up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled,
download the most recent version of the associated DSMs from IBM Fix Central
(https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Microsoft ISA 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Microsoft ISA 1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
BytesReceived | Yes | 1 | `sc-bytes=(\d+)`<br>`(?i)Bytes Received=(\d+)` |
BytesSent | No | 1 | `(?i)Bytes Sent=(\d+)`<br>`cs-bytes=(\d+)` |
Error Code | Yes | 1 | `error-info=(.*?)\t`<br>`(?i)Error info=(.*?)\t` |
Hostname | Yes | 1 | `(?i)Server Name=(.*?)\t`<br>`r-host=(.*?)\t` |
Method | No | 1 | `(?i)HTTP Method=(.*?)\t`<br>`s-operation=(.*?)\t` |
Referrer URL | Yes | 1 | `cs-referred=(.*?)\t`<br>`(?i)Referring Server=(.*?)\t` |
Rule Name | Yes | 1 | `rule=(.*?)\t`<br>`(?i)Rule=(.*?)\t` |
Service Name | Yes | 1 | `(?i)Service=(.*?)\t` |
URL | Yes | 1 | `cs-uri=(.*?)\t`<br>`(?i)URL=(.*?)\t` |
UrlHost | Yes | 1 | `cs-uri=(?:http\|ftp\|tcp\|ssl\|https):\/\/(.*?)\/`<br>`(?i)URL=(?:http\|ftp\|tcp\|ssl\|https):\/\/(.*?)\/` |
User Agent | Yes | 1 | `(?i)Client Agent=(.*?)\t`<br>`c-agent=(.*?)\t` |
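
An added example, not part of the IBM content extension: a subset of the regexes from the table run with Python's `re` module over constructed payloads, showing how the two expressions per property cover two field-naming styles and that a value with no trailing tab (or a URL with no `/` after the host) yields no property. The tab-separated payload layout, the first-match order, and the names `PROPERTIES`, `extract` and `missing` are assumptions for illustration; QRadar evaluates the expressions with its own engine.

```python
import re

# Regexes copied from the table above (subset); two alternatives per property.
PROPERTIES = {
    "BytesReceived": [r"sc-bytes=(\d+)", r"(?i)Bytes Received=(\d+)"],
    "Rule Name": [r"rule=(.*?)\t", r"(?i)Rule=(.*?)\t"],
    "URL": [r"cs-uri=(.*?)\t", r"(?i)URL=(.*?)\t"],
    "UrlHost": [
        r"cs-uri=(?:http|ftp|tcp|ssl|https):\/\/(.*?)\/",
        r"(?i)URL=(?:http|ftp|tcp|ssl|https):\/\/(.*?)\/",
    ],
}


def extract(payload):
    """Return {property: capture group 1}, using the first regex that matches."""
    found = {}
    for name, patterns in PROPERTIES.items():
        for pattern in patterns:
            match = re.search(pattern, payload)
            if match:
                found[name] = match.group(1)
                break
    return found


def missing(payload):
    """Property names that produced no value; useful for spotting parsing gaps."""
    return sorted(set(PROPERTIES) - set(extract(payload)))


# Constructed payloads (not real ISA logs); tab-separated key=value is assumed.
W3C_STYLE = "cs-uri=http://intranet.example.test/app/login\trule=Allow Web\tsc-bytes=5120\t"
NAMED_STYLE = "URL=https://files.example.test/\tRule=Default rule\tBytes Received=77\t"
# URL has no path, and the rule is the last field with no tab after it.
EDGE_CASE = "sc-bytes=10\tcs-uri=http://intranet.example.test\trule=Allow Web"

if __name__ == "__main__":
    for label, payload in [("w3c", W3C_STYLE), ("named", NAMED_STYLE), ("edge", EDGE_CASE)]:
        print(label, extract(payload), "missing:", missing(payload))
```

When searches or rules depend on Rule Name or UrlHost, a `missing`-style check over sample events shows whether the log source's field order and terminators actually satisfy the expressions.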