Microsoft Windows (Italian)

Use the IBM® QRadar® Custom Properties for Microsoft Windows (Italian) Content Extension to closely monitor an Italian-language Microsoft Windows deployment.

This content extension is used together with the IBM Security QRadar Custom Properties for Microsoft Windows Content Extension. Its custom properties carry regular expressions that match the Italian field names in Windows event payloads (for example "Nome account", "ID processo" and "Nome oggetto"), so that the same properties are populated for Italian-language logs.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Custom Properties for Microsoft Windows (Italian) Content Extension 1.0.1

The following table shows the custom property expression that is updated in IBM Security QRadar Custom Properties for Microsoft Windows (Italian) Content Extension 1.0.1.

Table 1. Custom property expression updated in IBM Security QRadar Custom Properties for Microsoft Windows (Italian) Content Extension 1.0.1

Name | Regex expression ID | Optimized | Capture Group | Regex
Nome oggeto | 3f297621-24be-48e1-8ea6-12c24b64ba68 | Yes | 1 | Nome oggetto:\s+.[^.\s]\.(?![0-9]{1,2}\.)([^\\]*?)\s(?:ID handle)

The following table shows the custom properties updated in IBM Security QRadar Custom Properties for Microsoft Windows (Italian) Content Extension 1.0.1.

Table 2. Custom properties updated in IBM Security QRadar Custom Properties for Microsoft Windows (Italian) Content Extension 1.0.1

Previous property name | Updated property name | Previous property ID | Updated property ID
Process CommandLine | Command | 23a48353-c265-482e-b2ca-9b082c0fee32 | DEFAULT_COMMAND
EventID | Event ID | DEFAULTCUSTOMEVENT8 |
Machine ID | Machine Identifier | 002a5618-8f44-41bc-b5aa-bc02153a7d84 |
ObjectName | Object Name | | ce2040b0-30a5-42a6-b97b-947fb192f22e
ObjectType | Object Type | DEFAULTCUSTOMEVENT13 |
Process Id | Process ID | c3615010-0cb6-43b5-b921-4bcf7737b8ea |
Target User Name | Target Username | e7da1cc0-5bf0-48de-86a9-6af817266c7f |

IBM Security QRadar Custom Properties for Microsoft Windows (Italian) Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar Custom Properties for Microsoft Windows (Italian) Content Extension 1.0.0.

Table 3. Custom properties in IBM Security QRadar Custom Properties for Microsoft Windows (Italian) Content Extension 1.0.0

Where a property has more than one regular expression, the expressions are listed on the indented lines that follow the property row.

Name | Optimized | Capture Group | Regex
Access Mask | Yes | 1 | Maschera di accesso:\s+(0[^\s&]+)
Accesses | Yes | 1 | (2 expressions)
    Accessi:\s*(.*?)\s+(?:Motivi accesso)
    Accessi:\s*(.*?)\s+(?:Maschera di accesso)
Account Security ID | No | 1 | (2 expressions)
    ID sicurezza:\s+(.*?)\s+(?:Nome account)
    Nuovo accesso:\s+ID sicurezza:\s+(.*?)\s+(?:Nome account)
Error Code | Yes | 1 | Stato[\:\\\=\s]+([^\s]+)
EventID | Yes | 1 | EventID=(\d+)
File Directory | Yes | 1 | Nome oggetto:\s+(.*)\\.*?\s+(?:ID handle)
File Extension | Yes | 1 | Nome oggetto:\s.*?\.([^\\\.]*?)\s+(?:ID handle)
Filename | Yes | 1 | Nome oggetto:\s.*?\\([^\\]*?)\s+(?:ID handle)
Logon Type | Yes | 1 | Tipo di accesso[:\s\\=]+(\d+)
Machine ID | Yes | 1 | Computer=([^\s]+)
ObjectName | Yes | 1 | Nome oggetto[:\s]+(.*?)\s+(?:Handle dell'oggetto)
ObjectType | Yes | 1 | Tipo di oggetto:\s(.*?)\s+(?:Nome oggetto)
Parent Process ID | No | 1 | ID processo creatore:\s(.*?)\s+(?:Nome processo creatore)
Parent Process Name | Yes | 1 | Nome processo creatore[:\s\\=]+.*?\\([^\\]*?)\s
Parent Process Path | Yes | 1 | Nome processo creatore:\s(.*?)\\[^\\]*?\s
Process CommandLine | Yes | 1 | Riga di comando processo[:\s\\=]+(.*?)\s*(?:Tipo elevazione token)
Process Id | Yes | 1 | (3 expressions)
    ID processo[\:\\\=\s]+([^\s]+)\s+(?:Nome processo)
    ID nuovo processo[\:\\\=\s]+([^\s]+)\s+(?:Nome nuovo processo)
    ID processo chiamante:\s+(.*?)\s
Process Name | Yes | 1 | (3 expressions)
    Nome processo:\s?.*\\([^\s]+)
    Nome processo chiamante[:\s\\=]+.*?\\([^\\]*?)\s
    Nome nuovo processo:\s.*?\\([^\\]*?)\s
Process Path | Yes | 1 | (3 expressions)
    Nome processo:\s+(.*)\\.*?\s
    Nome processo chiamante:\s(.*?)\\[^\\]*?\s
    Nome nuovo processo:\s(.*?)\\[^\\]*?\s
Reason | Yes | 1 | Motivo dell'errore[\:\\\=\s]+(.*?)\s+(?: Stato)
Target Account Security ID | No | 1 | Account di destinazione.*?ID sicurezza[\:\\\=\s]+([^\s]+)\s+(?:Nome account)
Target User Domain | No | 1 | (2 expressions)
    Nuovo accesso.*?Dominio account:\s+(.*?)\s
    Account di destinazione.*?Dominio account[\:\\=\s]+([^\s]+)
Target User Name | Yes | 1 | (2 expressions)
    Nuovo accesso.*?Nome account:\s+(.*?)\s
    Account di destinazione.*Nome account:\s(.*?)\s(?:Dominio account)
Token Elevation Type | Yes | 1 | Tipo elevazione token:\s(%%\d{4})
User Domain | No | 1 | Dominio account[\:\\\=\s]+([^\s]+)
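The following Python script is an added example; it is not part of the IBM content extension or its documentation. It copies a subset of the Table 3 expressions verbatim and runs them over two constructed Italian-language Security event payloads (a 4688 process creation and a 4624 logon, written as WinCollect-style single lines), so that you can see what capture group 1 returns for each property before deploying or editing an expression. The host names, SIDs, logon IDs, paths and command line are made up. The "first expression in table order that matches wins" loop is a simplification: in QRadar each expression is also scoped to a log source type and event, and that selection logic is not reproduced here.

```python
import re

# Subset of the 1.0.0 expressions from Table 3, copied verbatim. Where the
# table lists several expressions for one property they are kept in table order.
PROPERTIES = {
    "EventID": [r"EventID=(\d+)"],
    "Machine ID": [r"Computer=([^\s]+)"],
    "Logon Type": [r"Tipo di accesso[:\s\\=]+(\d+)"],
    "Account Security ID": [
        r"ID sicurezza:\s+(.*?)\s+(?:Nome account)",
        r"Nuovo accesso:\s+ID sicurezza:\s+(.*?)\s+(?:Nome account)",
    ],
    "Target User Name": [
        r"Nuovo accesso.*?Nome account:\s+(.*?)\s",
        r"Account di destinazione.*Nome account:\s(.*?)\s(?:Dominio account)",
    ],
    "User Domain": [r"Dominio account[\:\\\=\s]+([^\s]+)"],
    "Process Id": [
        r"ID processo[\:\\\=\s]+([^\s]+)\s+(?:Nome processo)",
        r"ID nuovo processo[\:\\\=\s]+([^\s]+)\s+(?:Nome nuovo processo)",
        r"ID processo chiamante:\s+(.*?)\s",
    ],
    "Process Name": [
        r"Nome processo:\s?.*\\([^\s]+)",
        r"Nome processo chiamante[:\s\\=]+.*?\\([^\\]*?)\s",
        r"Nome nuovo processo:\s.*?\\([^\\]*?)\s",
    ],
    "Process Path": [
        r"Nome processo:\s+(.*)\\.*?\s",
        r"Nome processo chiamante:\s(.*?)\\[^\\]*?\s",
        r"Nome nuovo processo:\s(.*?)\\[^\\]*?\s",
    ],
    "Parent Process ID": [r"ID processo creatore:\s(.*?)\s+(?:Nome processo creatore)"],
    "Parent Process Name": [r"Nome processo creatore[:\s\\=]+.*?\\([^\\]*?)\s"],
    "Process CommandLine": [
        r"Riga di comando processo[:\s\\=]+(.*?)\s*(?:Tipo elevazione token)"
    ],
    "Token Elevation Type": [r"Tipo elevazione token:\s(%%\d{4})"],
}

# Constructed sample payloads (not real captures): Italian-language Security
# log events 4688 (process creation) and 4624 (logon) flattened to one line.
# Host names, SIDs, logon IDs, paths and the command line are made up.
PROCESS_EVENT = (
    "<13>Apr 01 12:00:00 WS01 AgentDevice=WindowsLog AgentLogFile=Security "
    "Source=Microsoft-Windows-Security-Auditing Computer=WS01.corp.local EventID=4688 "
    "Message=Creato un nuovo processo. Oggetto creatore: ID sicurezza: S-1-5-21-111-222-333-1001 "
    "Nome account: mrossi Dominio account: CORP ID accesso: 0x6D2F1 "
    "Informazioni processo: ID nuovo processo: 0x1a2c Nome nuovo processo: C:\\Windows\\System32\\cmd.exe "
    "Tipo elevazione token: %%1938 Etichetta obbligatoria: S-1-16-8192 "
    "ID processo creatore: 0x0f48 Nome processo creatore: C:\\Windows\\explorer.exe "
    "Riga di comando processo: cmd.exe /c whoami /all "
    "Tipo elevazione token indica il tipo di token assegnato al nuovo processo."
)
LOGON_EVENT = (
    "<13>Apr 01 12:05:00 WS01 AgentDevice=WindowsLog AgentLogFile=Security "
    "Source=Microsoft-Windows-Security-Auditing Computer=WS01.corp.local EventID=4624 "
    "Message=Accesso riuscito a un account. Oggetto: ID sicurezza: S-1-0-0 Nome account: - "
    "Dominio account: - ID accesso: 0x0 Informazioni accesso: Tipo di accesso: 3 "
    "Nuovo accesso: ID sicurezza: S-1-5-21-111-222-333-1001 Nome account: mrossi "
    "Dominio account: CORP ID accesso: 0x8A3F2 "
    "Informazioni processo: ID processo: 0x0 Nome processo: - "
    "Informazioni di rete: Nome workstation: WS02 Indirizzo di rete di origine: 10.0.0.25"
)


def first_match(event, expressions):
    """Capture group 1 of the first expression that matches, or None.

    Simplified model (assumption of this example): QRadar also scopes each
    expression to a log source type and event, which is not reproduced here.
    """
    for expr in expressions:
        m = re.search(expr, event)
        if m:
            return m.group(1)
    return None


def parse_event(event):
    """Evaluate every property in PROPERTIES against one event payload."""
    return {name: first_match(event, exprs) for name, exprs in PROPERTIES.items()}


if __name__ == "__main__":
    for label, event in (("4688", PROCESS_EVENT), ("4624", LOGON_EVENT)):
        print(f"--- EventID {label} ---")
        for name, value in parse_event(event).items():
            if value is not None:
                print(f"{name:22} {value}")
```

Running the script prints the properties that are populated for each event. Two points are worth noticing. For the 4688 event, the generic "ID processo" and "Nome processo:" expressions do not match, and the "ID nuovo processo" and "Nome nuovo processo" expressions supply Process Id, Process Name and Process Path, which is why a property needs more than one expression. For the 4624 event, the generic "ID sicurezza" expression for Account Security ID fires on the subject section's null SID (S-1-0-0) before the "Nuovo accesso" expression is reached, so which SID a property reports depends on expression order and on how each expression is scoped to an event in QRadar. Run your own payload samples through a harness like this whenever you change an expression.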