Azure
Use the IBM® QRadar® Azure Content Extension to closely monitor your Azure deployment.
IBM Security QRadar Azure Content Extension
- IBM Security QRadar Azure Content Extension 2.1.2
- IBM Security QRadar Azure Content Extension 2.1.1
- IBM Security QRadar Azure Content Extension 2.1.0
- IBM Security QRadar Azure Content Extension 2.0.0
- IBM Security QRadar Azure Content Extension 1.1.2
- IBM Security QRadar Azure Content Extension 1.1.1
- IBM Security QRadar Azure Content Extension 1.1.0
- IBM Security QRadar Azure Content Extension 1.0.2
- IBM Security QRadar Azure Content Extension 1.0.1
- IBM Security QRadar Azure Content Extension 1.0.0
IBM Security QRadar Azure Content Extension 2.1.2
The following table shows the updated property names in IBM Security QRadar Azure Content Extension 2.1.2.
| Type | Property ID | Old Property Name | Rebased Name (New Property Name) |
|---|---|---|---|
| CEP |
DEFAULTCUSTOMEVENT14 |
AccountID | Account ID |
| CEP |
DEFAULTCUSTOMEVENT11 |
BytesReceived | Bytes Received |
| CEP |
DEFAULTCUSTOMEVENT12 |
BytesSent | Bytes Sent |
| CEP |
002a5618-8f44-41bc-b5aa-bc02153a7d84 |
Machine ID | Machine Identifier |
| CEP |
DEFAULTCUSTOMEVENT13 |
ObjectType | Object Type |
| CEP |
c3615010-0cb6-43b5-b921-4bcf7737b8ea |
Process Id | Process ID |
| CEP |
e7da1cc0-5bf0-48de-86a9-6af817266c7f |
Target User Name | Target Username |
The following table shows the updated regex expressions in IBM Security QRadar Azure Content Extension 2.1.2.
| Type | Property ID | Property Name | Old Regex | New Regex |
|---|---|---|---|---|
| CEP | f7a8e3d5-1902-4acf-afe3-e2c4b928d90e | File Directory | path":\s"(.*?)" | path":[\s]?"([^"]+)" |
| CEP | DEFAULT_FILENAME | Filename | name":\s"(.*?)" | name":[\s]?"([^"]+)" |
IBM Security QRadar Azure Content Extension 2.1.1
The following table shows the new custom properties in IBM Security QRadar Azure Content Extension 2.1.1.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Attribute New Value | No | 1 | modifiedProperties":.*?newValue":"\\"(admin|administrator)\\"" |
IBM Security QRadar Azure Content Extension 2.1.0
The following table shows the new custom properties in IBM Security QRadar Azure Content Extension 2.1.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Error Code | Yes | 1 | errorCode":(.*?), |
| Reason | Yes | 1 | failureReason":"(.*?)" |
| User Agent | No | 1 | userAgent":"(.*?)" |
All rules, reports, and saved searches have been removed and added to the IBM Security QRadar Content Extension for Hybrid Cloud Use Cases.
IBM Security QRadar Azure Content Extension 2.0.0
The following table shows the new and updated custom properties in IBM Security QRadar Azure Content Extension 2.0.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Account Name | Yes | 1 | userStates":.*?"accountName":\s"(.*?)" |
| Alert Severity | No | 1 | /"severity" |
| Command | Yes | 1 | commandLine":\s"(.*?)" |
| File Directory | Yes | 1 | path":\s"(.*?)" |
| Filename | Yes | 1 | name":\s"(.*?)" |
| Group Name | Yes | 1 | securityResources":.*?resourceGroups\/([^\/]+) |
| Logon Id | Yes | 1 | logonId":\s"(.*?)" |
| Machine ID | Yes | 1 | securityResources":.*?\/virtualMachines\/(.*?)" |
| Message | No | 1 | /"description" |
| Process Id | Yes | 1 | processId":(.*?) |
| Region | Yes | 1 | "sourceMaterials":.*?location\/(.*?)" |
| Subscription ID | No | 1 | azureSubscriptionId":\s"(.*?)" |
| Threat Category | No | 1 | malwareStates":.*?"category":\s"(.*?)" |
| Threat Family | No | 1 | family":\s"(.*?)" |
| Threat Remediation | No | 1 | /"recommendedActions"[] |
| Threat Score | No | 1 | hostStates":.*?"riskScore":\s"(.*?)" |
| User Principal Name | No | 1 | userPrincipalName":\s"(.*?)" |
IBM Security QRadar Azure Content Extension 1.1.2
The following table shows the new and updated custom properties in IBM Security QRadar Azure Content Extension 1.1.2.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Distinguished Name | No | 1 | \buserPrincipalName":"([^@]*) |
| Group Name | Yes | 1 | Group.DisplayName".*?newValue":"(?:\\"){0,1}(.*?)(?:\\"){0,1}"} |
| Group Security ID | No | 1 | Group.ObjectID".*?newValue":"(?:\\"){0,1}(.*?)(?:\\"){0,1}"} |
| Target Object ID | No | 1 | targetResources":\[\{"id":"(.*?)" |
IBM Security QRadar Azure Content Extension 1.1.1
The following table shows the new and updated custom properties in IBM Security QRadar Azure Content Extension 1.1.1.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| AccountID | Yes | 1 | properties.*?id":"(.*?)" |
| Alert Severity | No | 1 | severity":"(.*?)"; |
| MFA Used | Yes | 1 | RequestSequence.*?succeeded":(.*?), |
| Object ID | Yes | 1 | PrincipalId\\":\\"([^\\].*?)\\",\\"PrincipalType\\": targetResources.*?id":"(.*?)" PrincipalId\\":\\"(.*?)\\",\\"PrincipalType\\": |
| Object Type | Yes | 1 | compromisedEntity":"(.*?)" \"Scope\\":\\".*\/(.*?)\\" targetResources.*?displayName":"(.*?)" |
| Role Name | Yes | 1 | Role.DisplayName.*?oldValue.*?,"newValue":"\\"(.*?)\\" \broleName\\":\\"(.*?)\\" roleDefinitions\/(.*?)\\", targetResources.*?displayName":"(.*?)" RoleDefinition.DisplayName.*?oldValue.*?,"newValue":"\\"(.*?)\\" |
| Target User Name | Yes | 1 | PrincipalId\\":\\"([^"]*)\\",\\"RoleDefinitionId\\": \btype":"Request".*?id":"(.*?)" |
| User ID | Yes | 1 | objectidentifier":"(.*?)" |
| Volume ID | Yes | 1 | \bosDisk.*?osType.*?name\\":\\"(.*?)\\" "scope":"[^"]*\/disks\/(.*?)(?:\/|\") |
IBM Security QRadar Azure Content Extension 1.1.0
IBM Security QRadar Azure Content Extension V1.1.0 adds custom properties for Microsoft Azure Active Directory.
The following table shows the custom properties in IBM Security QRadar Azure Content Extension 1.1.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Region | Yes | 1 | \bcountryOrRegion":"([^\"]*) |
| Resource ID | No | 1 | \bresourceId":"([^\"]*) |
| Service Name | Yes | 1 | \bdisplayName":"([^"]*?)","type":"ServicePrincipal" |
| Source Workstation | Yes | 1 | \bidentity":"([^\"]*) |
| Tenant ID | No | 1 | \btenantId":"([^\"]*) |
| User Principal Name | No | 1 | \buserPrincipalName":"([^\"]*) |
| User PUID | No | 1 | \bUser\.PUID",.*?newValue":["\\]+([^"\\]*) |
IBM Security QRadar Azure Content Extension 1.0.2
In IBM Security QRadar Azure Content Extension V1.0.2, the QID for the Target User Name custom property is updated.
IBM Security QRadar Azure Content Extension 1.0.1
The following table shows the custom properties in IBM Security QRadar Azure Content Extension 1.0.1.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Bytes Received | Yes | 1 |
\"receivedBytes\":(\d+) |
| BytesSent | Yes | 1 | \"sentBytes\":(\d+) |
| Filename | Yes | 1 | \"file\":".*\/([^"]+)" |
| Group Name | Yes | 1 | "scope":"[^"]*\/resourceGroups\/([^\/]+) "resourceId":"[^"]*\/RESOURCEGROUPS\/([^"]*?)\/ resourceGroupName=([^\t]+) |
| Local Network Gateway | No | 1 | "scope":"[^"]*\/localNetworkGateways\/([^"]*)" |
| Machine ID | Yes | 1 |
"scope":"[^"]*\/virtualMachines\/(.*?)(?:\/|\") resourceId=.*?\/virtualMachines\/(.*?)\s |
| Message | No | 1 | \"Message\":\"(.*?)\" \"message\":\"(.*?)\" |
| Network Interface | No | 1 | "scope":"[^"]*\/networkInterfaces\/([^"]*)" |
| Network Security Group | No | 1 | "resourceId":"[^"]*\/NETWORKSECURITYGROUPS\/([^"]*)" "scope":"[^"]*\/networkSecurityGroups\/([^"]*)" |
| Network Watcher | No | 1 | "scope":"[^"]*\/networkWatchers\/([^"]*)" |
| Operation ID | No | 1 | \"operationId\":\"(.*?)\" operationId=([^\t]+) |
| Public IP Name | No | 1 | "scope":"[^"]*\/publicIPAddresses\/([^"]*)" |
| Region | Yes | 1 |
site\"\:\"([^\"]+) location\"\:\"([^\"]+) |
| Resource ID | No | 1 | resourceId=([^\t]+) \"resourceId\":\"(.*?)\" |
| Role Name | Yes | 1 | roleDefinitions\/(.*?)\\", |
| Rule Name | Yes | 1 | \"ruleName\":\"(.*?)\" |
| Security Rule | No | 1 | "scope":"[^"]*\/securityRules\/([^"]*)" |
| Subscription ID | No | 1 | subscriptionId=([^\t]+) "scope":"[^"]*\/subscriptions\/([^\/]+) "resourceId":"[^"]*\/SUBSCRIPTIONS\/([^"]*?)\/ |
| Target User Name | Yes | 1 | PrincipalId\\":\\"([^\\].*?)\\", |
| User Agent | No | 1 | \"userAgent\":\"(.*?)\" |
| Virtual Network | No | 1 | "scope":"[^"]*\/virtualNetworks\/([^"]*)" |
IBM Security QRadar Azure Content Extension 1.0.0
The following table shows the rules that are included in IBM Security QRadar Azure Content Extension 1.0.0.
| Type | Name | Description |
|---|---|---|
| Rule | Azure Cloud: Security Rule was Deleted | Detects when a security rule is deleted. |
| Rule | Azure Cloud: Network Security Group has been Created or Updated | Detects when a security group is created or updated. |
| Rule | Azure Cloud: Virtual Network Deleted | Detects when a virtual network is deleted. |
| Rule | Azure Cloud: Virtual Network Subnet Deleted | Detects when a virtual network subnet is deleted. |
| Rule | Azure Cloud: Virtual Network Gateway Connection Deleted | Detects when a virtual network gateway connection is deleted. |
| Rule | Azure Cloud: Local Network Gateway Deleted | Detects when a local network gateway is deleted. |
| Rule | Azure Cloud: Security Rule has been Created or Updated | Detects when a security rule is created or updated. |
| Rule | Azure Cloud: Virtual Network Peering Deleted | Detects when a virtual network peering is deleted. |
| Rule | Azure Cloud: Network Watcher was Deleted | Detects when a Network Watcher is deleted. |
| Rule | Azure Cloud: Network Security Group was Deleted | Detects when a network security group is deleted. |
The following table shows the reports in IBM Security QRadar Azure Content Extension 1.0.0.
| Report Name | Description |
|---|---|
| Azure Web Apps Virtual Connections Deleted - Weekly | Provides greater monitoring and trending for Azure web app virtual connections. |
| Azure Web Apps Virtual Connections Deleted - Monthly | Provides greater monitoring and trending for Azure web app virtual connections. |
| Azure Virtual Network Created or Updated - Weekly | Provides greater monitoring and trending for Azure virtual networks. |
| Azure Virtual Network Created or Updated - Monthly | Provides greater monitoring and trending for Azure virtual networks. |
| Azure Network Security Group Created or Updated - Weekly | Provides greater monitoring and trending for Azure security groups. |
| Azure Network Security Group Created or Updated - Monthly | Provides greater monitoring and trending for Azure security groups. |
| Azure Security Rule Created or Updated - Weekly | Provides greater monitoring and trending for Azure security rules. |
| Azure Security Rule Created or Updated - Monthly | Provides greater monitoring and trending for Azure security rules. |
| Azure Security Rule Deleted - Weekly | Provides greater monitoring and trending for Azure security rules. |
| Azure Security Rule Deleted - Monthly | Provides greater monitoring and trending for Azure security rules. |
The following table shows the saved searches in IBM Security QRadar Azure Content Extension 1.0.0.
| Name | Description |
|---|---|
| Azure: Security Rule Deleted | This search is used by the Security Rule Deleted reports. |
| Azure: Network Security Group Created or Updated | This search is used by the Security Group Created or Updated reports. |
| Azure: Security Rule Created or Updated | This search is used by the Security Rule Created or Updated reports. |
| Azure: Virtual Network Created or Updated | This search is used by the Virtual Network Created or Updated reports. |
| Azure: Web Apps Virtual Connections Deleted | This search is used by the Web Apps Virtual Connections Deleted reports. |