VMware

The IBM® QRadar® VMware content extension adds new custom event properties for VMware.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar VMware V1.1.0 content extension
IBM Security QRadar VMware V1.0.0 content extension

IBM Security QRadar VMware V1.1.0 content extension

The following table shows the custom properties updated in the IBM Security QRadar VMware V1.1.0 content extension.

Table 1. Custom Properties in VMware V1.1.0 content extension
Name	Optimized	Capture Group	Regex
Role Name	Yes	1	from .? to role\s+'(.?)'

_{(Back to top)}

IBM Security QRadar VMware V1.0.0 content extension

The following table shows the custom properties in the IBM Security QRadar VMware V1.0.0 content extension.

Table 2. Custom Properties in VMware V1.0.0 content extension
Name	Optimized	Capture Group	Regex
Filename	Yes	1	\](?:[^\/]?\/)?([^\/\']?)' was msg=Deletion of file or directory\s.(?:\\\|\/)(.?)\sfrom fileName=([^\t]+)[\t]
Machine ID	Yes	1	Warning message on\s(.?)\son msg=.?\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s msg=Message on\s(.?)\son msg=(.?)\son Permission created for\s\w+\son\s([^,]+) Permission rule removed for\s\w+\son\s(.)$ msg=Reconfigured\s(.?)\son machine\s(.?)\son Permission created for .? on (.?), msg=Removed\s(.?)\son
Role Name	Yes	1	role is\s([^,]+) from.to '(.?)'
Target User Name	Yes	1	msg=Account\s+(.?)\s+was Permission rule removed for\s(\w+) Permission created for\s(\w+) Permission created for (.?) on
TaskName	No	1	Task\sCreated\s:.?(\w+\.\w+)-\d+ Task\sCompleted\s:.?(\w+\.\w+)-\d+
User Agent	No	1	user agent:\s(.)$ logged in as\s(.)$ initiated\sfrom\s\'(.*?)@

_{(Back to top)}