Carbon Black Protection
Use the IBM Security QRadar Carbon Black Protection Content Extension to closely monitor your Carbon Black Protection deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar Carbon Black Protection Content Extensions
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.4
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.3
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.2
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.1
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.0
IBM Security QRadar Carbon Black Protection Content Extension V1.0.4
The owner for the Policy custom property was set to admin.
IBM Security QRadar Carbon Black Protection Content Extension V1.0.3
The following table shows the custom properties that were updated in IBM Security QRadar Carbon Black Protection Content Extension V1.0.3.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Policy | No | 1 | policy=([^\t]+)[\t]* |
IBM Security QRadar Carbon Black Protection Content Extension V1.0.2
The following table shows the custom properties that were updated in IBM Security QRadar Carbon Black Protection Content Extension V1.0.2.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Message | No | 1 | msg=([^\t]+)[\t]* |
IBM Security QRadar Carbon Black Protection Content Extension V1.0.1
The following table shows the custom properties in IBM Security QRadar Carbon Black Protection Content Extension V1.0.1.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Ban Name | True | 1 | banName=([^\t]+)[\t]* |
| Destination host Name | True | 1 | dstHostName=([^\t]+)[\t]* |
| External ID | True | 1 | externalId=([^\t]+)[\t]* |
| File Hash | True | 1 | fileHash=([^\t]+)[\t]* |
| File ID | True | 1 | fileId=([^\t]+)[\t]* |
| File Path | False | 1 | filePath=([^\t]+)[\t]* |
| File Threat | True | 1 | fileThreat=([^\t]+)[\t]* |
| File Trust | True | 1 | fileTrust=([^\t]+)[\t]* |
| Filename | True | 1 | fileName=([^\t]+)[\t]* |
| Indicator Name | False | 1 | indicatorName=([^\t]+)[\t]* |
| Installer Filename | True | 1 | installerFileName=([^\t]+)[\t]* |
| Message | True | 1 | msg=([^\t]+)[\t]* |
| Policy | True | 1 | policy=([^\t]+)[\t]* |
| Process Key | True | 1 | processKey=([^\t]+)[\t]* |
| Process Threat | True | 1 | processThreat=([^\t]+)[\t]* |
| Process Trust | True | 1 | processTrust=([^\t]+)[\t]* |
| Received Time | True | 1 | receivedTime=([^\t]+)[\t]* |
| Root Hash | True | 1 | rootHash=([^\t]+)[\t]* |
| Rule Name | True | 1 | ruleName=([^\t]+)[\t]* |
| Source Host Name | True | 1 | srcHostName=([^\t]+)[\t]* |
| Source Process | True | 1 | srcProcess=([^\t]+)[\t]* |
| Unified Source | False | 1 | unifiedSource=([^\t]+)[\t]* |
| Updater Name | False | 1 | updaterName=([^\t]+)[\t]* |
IBM Security QRadar Carbon Black Protection Content Extension V1.0.0
The following table shows the custom properties in IBM Security QRadar Carbon Black Protection Content Extension V1.0.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Ban Name | False | 1 | banName=([^\t]+)[\t]* |
| Destination host Name | True | 1 | dstHostName=([^\t]+)[\t]* |
| External ID | True | 1 | externalId=([^\t]+)[\t]* |
| File Hash | True | 1 | fileHash=([^\t]+)[\t]* |
| File ID | True | 1 | fileId=([^\t]+)[\t]* |
| File Path | True | 1 | filePath=([^\t]+)[\t]* |
| File Threat | False | 1 | fileThreat=([^\t]+)[\t]* |
| File Trust | False | 1 | fileTrust=([^\t]+)[\t]* |
| Filename | True | 1 | fileName=([^\t]+)[\t]* |
| Indicator Name | False | 1 | indicatorName=([^\t]+)[\t]* |
| Installer Filename | True | 1 | installerFileName=([^\t]+)[\t]* |
| Message | True | 1 | msg=([^\t]+)[\t]* |
| Policy | True | 1 | policy=([^\t]+)[\t]* |
| Process Key | False | 1 | processKey=([^\t]+)[\t]* |
| Process Threat | False | 1 | processThreat=([^\t]+)[\t]* |
| Process Trust | False | 1 | processTrust=([^\t]+)[\t]* |
| Received Time | True | 1 | receivedTime=([^\t]+)[\t]* |
| Root Hash | True | 1 | rootHash=([^\t]+)[\t]* |
| Rule Name | True | 1 | ruleName=([^\t]+)[\t]* |
| Source Host Name | True | 1 | srcHostName=([^\t]+)[\t]* |
| Source Process | True | 1 | srcProcess=([^\t]+)[\t]* |
| Unified Source | False | 1 | unifiedSource=([^\t]+)[\t]* |
| Updater Name | False | 1 | updaterName=([^\t]+)[\t]* |
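As an added example, not part of the IBM documentation or of the content extension itself, the following Python script applies a subset of the regexes from the tables above to a constructed tab-delimited event and shows what capture group 1 of each custom property returns. The sample event text, the property subset and the function name are assumptions; the regexes are copied from the table.

```python
import re

# Custom property regexes as listed in the V1.0.1 / V1.0.0 tables (capture group 1 each).
CUSTOM_PROPERTIES = {
    "Ban Name": r"banName=([^\t]+)[\t]*",
    "Destination host Name": r"dstHostName=([^\t]+)[\t]*",
    "File Hash": r"fileHash=([^\t]+)[\t]*",
    "File Path": r"filePath=([^\t]+)[\t]*",
    "Filename": r"fileName=([^\t]+)[\t]*",
    "Message": r"msg=([^\t]+)[\t]*",
    "Policy": r"policy=([^\t]+)[\t]*",
    "Rule Name": r"ruleName=([^\t]+)[\t]*",
    "Source Host Name": r"srcHostName=([^\t]+)[\t]*",
}


def extract_custom_properties(event, properties=CUSTOM_PROPERTIES):
    """Apply each property regex to one event payload.

    Returns a dict of property name -> capture group 1, or None when the
    key is absent from the event (QRadar would leave the property empty).
    """
    result = {}
    for name, pattern in properties.items():
        match = re.search(pattern, event)
        result[name] = match.group(1) if match else None
    return result


# Constructed sample event: tab-delimited key=value pairs, which is what the
# [^\t]+ in every regex assumes. Values may contain spaces; only a tab ends them.
SAMPLE_EVENT = "\t".join([
    "policy=Default Policy",
    "ruleName=Block unapproved executables",
    "fileName=setup.exe",
    "filePath=C:\\Users\\user\\Downloads\\setup.exe",
    "fileHash=constructed-sample-hash",
    "srcHostName=WORKSTATION-01",
    "msg=File blocked because it is unapproved",
])

if __name__ == "__main__":
    for name, value in extract_custom_properties(SAMPLE_EVENT).items():
        print(f"{name}: {value!r}")
```

Because the regexes stop only at a tab, an event that arrives space-delimited instead (for example after an intermediate forwarder rewrites whitespace) makes each captured value swallow every following key=value pair up to the next tab; checking one such event against this script is a quick way to confirm the delimiter before trusting the parsed properties.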