Carbon Black Protection
Use the IBM Security QRadar Carbon Black Protection Content Extension to closely monitor your Carbon Black Protection deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar Carbon Black Protection Content Extensions
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.4
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.3
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.2
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.1
- IBM Security QRadar Carbon Black Protection Content Extension V1.0.0
IBM Security QRadar Carbon Black Protection Content Extension V1.0.4
The owner for the Policy custom property was set to admin.
IBM Security QRadar Carbon Black Protection Content Extension V1.0.3
The following table shows the custom properties that were updated in IBM Security QRadar Carbon Black Protection Content Extension V1.0.3.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Policy | No | 1 | policy=([^\t]+)[\t]* |
IBM Security QRadar Carbon Black Protection Content Extension V1.0.2
The following table shows the custom properties that were updated in IBM Security QRadar Carbon Black Protection Content Extension V1.0.2.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Message | No | 1 | msg=([^\t]+)[\t]* |
IBM Security QRadar Carbon Black Protection Content Extension V1.0.1
The following table shows the custom properties in IBM Security QRadar Carbon Black Protection Content Extension V1.0.1.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Ban Name | True | 1 | banName=([^\t]+)[\t]* |
Destination host Name | True | 1 | dstHostName=([^\t]+)[\t]* |
External ID | True | 1 | externalId=([^\t]+)[\t]* |
File Hash | True | 1 | fileHash=([^\t]+)[\t]* |
File ID | True | 1 | fileId=([^\t]+)[\t]* |
File Path | False | 1 | filePath=([^\t]+)[\t]* |
File Threat | True | 1 | fileThreat=([^\t]+)[\t]* |
File Trust | True | 1 | fileTrust=([^\t]+)[\t]* |
Filename | True | 1 | fileName=([^\t]+)[\t]* |
Indicator Name | False | 1 | indicatorName=([^\t]+)[\t]* |
Installer Filename | True | 1 | installerFileName=([^\t]+)[\t]* |
Message | True | 1 | msg=([^\t]+)[\t]* |
Policy | True | 1 | policy=([^\t]+)[\t]* |
Process Key | True | 1 | processKey=([^\t]+)[\t]* |
Process Threat | True | 1 | processThreat=([^\t]+)[\t]* |
Process Trust | True | 1 | processTrust=([^\t]+)[\t]* |
Received Time | True | 1 | receivedTime=([^\t]+)[\t]* |
Root Hash | True | 1 | rootHash=([^\t]+)[\t]* |
Rule Name | True | 1 | ruleName=([^\t]+)[\t]* |
Source Host Name | True | 1 | srcHostName=([^\t]+)[\t]* |
Source Process | True | 1 | srcProcess=([^\t]+)[\t]* |
Unified Source | False | 1 | unifiedSource=([^\t]+)[\t]* |
Updater Name | False | 1 | updaterName=([^\t]+)[\t]* |
IBM Security QRadar Carbon Black Protection Content Extension V1.0.0
The following table shows the custom properties in IBM Security QRadar Carbon Black Protection Content Extension V1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Ban Name | False | 1 | banName=([^\t]+)[\t]* |
Destination host Name | True | 1 | dstHostName=([^\t]+)[\t]* |
External ID | True | 1 | externalId=([^\t]+)[\t]* |
File Hash | True | 1 | fileHash=([^\t]+)[\t]* |
File ID | True | 1 | fileId=([^\t]+)[\t]* |
File Path | True | 1 | filePath=([^\t]+)[\t]* |
File Threat | False | 1 | fileThreat=([^\t]+)[\t]* |
File Trust | False | 1 | fileTrust=([^\t]+)[\t]* |
Filename | True | 1 | fileName=([^\t]+)[\t]* |
Indicator Name | False | 1 | indicatorName=([^\t]+)[\t]* |
Installer Filename | True | 1 | installerFileName=([^\t]+)[\t]* |
Message | True | 1 | msg=([^\t]+)[\t]* |
Policy | True | 1 | policy=([^\t]+)[\t]* |
Process Key | False | 1 | processKey=([^\t]+)[\t]* |
Process Threat | False | 1 | processThreat=([^\t]+)[\t]* |
Process Trust | False | 1 | processTrust=([^\t]+)[\t]* |
Received Time | True | 1 | receivedTime=([^\t]+)[\t]* |
Root Hash | True | 1 | rootHash=([^\t]+)[\t]* |
Rule Name | True | 1 | ruleName=([^\t]+)[\t]* |
Source Host Name | True | 1 | srcHostName=([^\t]+)[\t]* |
Source Process | True | 1 | srcProcess=([^\t]+)[\t]* |
Unified Source | False | 1 | unifiedSource=([^\t]+)[\t]* |
Updater Name | False | 1 | updaterName=([^\t]+)[\t]* |
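The tables above list the regex for each custom property but do not show what those regexes do on a real payload. The following added example (not part of this IBM page or of the content extension itself) applies the V1.0.1/V1.0.0 regexes from the tables to a constructed, tab-separated Carbon Black Protection style event and returns capture group 1 for each property. The sample event, its field values and the helper names (`extract_custom_properties`, `is_tab_delimited`) are assumptions made for the example; only the regexes are taken from the page. It also shows the failure mode a practitioner should check for: every regex stops at a tab (`[^\t]+`), so if the log source delivers the payload space-separated instead of tab-separated, a property swallows the rest of the line.

```python
import re

# Custom-property regexes copied from the content extension's tables on this page.
# Each one captures group 1 up to the next tab character.
CUSTOM_PROPERTIES = {
    "Ban Name": r"banName=([^\t]+)[\t]*",
    "Destination host Name": r"dstHostName=([^\t]+)[\t]*",
    "External ID": r"externalId=([^\t]+)[\t]*",
    "File Hash": r"fileHash=([^\t]+)[\t]*",
    "File ID": r"fileId=([^\t]+)[\t]*",
    "File Path": r"filePath=([^\t]+)[\t]*",
    "File Threat": r"fileThreat=([^\t]+)[\t]*",
    "File Trust": r"fileTrust=([^\t]+)[\t]*",
    "Filename": r"fileName=([^\t]+)[\t]*",
    "Indicator Name": r"indicatorName=([^\t]+)[\t]*",
    "Installer Filename": r"installerFileName=([^\t]+)[\t]*",
    "Message": r"msg=([^\t]+)[\t]*",
    "Policy": r"policy=([^\t]+)[\t]*",
    "Process Key": r"processKey=([^\t]+)[\t]*",
    "Process Threat": r"processThreat=([^\t]+)[\t]*",
    "Process Trust": r"processTrust=([^\t]+)[\t]*",
    "Received Time": r"receivedTime=([^\t]+)[\t]*",
    "Root Hash": r"rootHash=([^\t]+)[\t]*",
    "Rule Name": r"ruleName=([^\t]+)[\t]*",
    "Source Host Name": r"srcHostName=([^\t]+)[\t]*",
    "Source Process": r"srcProcess=([^\t]+)[\t]*",
    "Unified Source": r"unifiedSource=([^\t]+)[\t]*",
    "Updater Name": r"updaterName=([^\t]+)[\t]*",
}

COMPILED = {name: re.compile(rx) for name, rx in CUSTOM_PROPERTIES.items()}


def extract_custom_properties(event: str) -> dict:
    """Run every custom-property regex over one raw event payload.

    Returns a mapping of property name -> capture group 1, or None when the
    field is absent from the payload (QRadar leaves such a property empty).
    Hypothetical helper written for this example, not a QRadar API.
    """
    result = {}
    for name, pattern in COMPILED.items():
        match = pattern.search(event)
        result[name] = match.group(1) if match else None
    return result


def is_tab_delimited(event: str) -> bool:
    """Sanity check for the delimiter these regexes rely on: if a payload
    carries no tab at all, every [^\\t]+ group will run to the end of the line."""
    return "\t" in event


# Constructed sample payload (placeholder values, not a real Carbon Black
# Protection event): tab-separated key=value fields, as the regexes expect.
SAMPLE_EVENT = (
    "receivedTime=2024-01-01 12:00:00\t"
    "srcHostName=WORKSTATION-01\t"
    "policy=Default Policy\t"
    "fileName=example.exe\t"
    "filePath=C:\\Users\\Public\\Downloads\\example.exe\t"
    "fileHash=0000000000000000000000000000000000000000000000000000000000000000\t"
    "fileThreat=Unknown\t"
    "fileTrust=0\t"
    "ruleName=Report unapproved files\t"
    "msg=File execution blocked by policy\t"
)

# Same payload with tabs replaced by spaces, as a misconfigured forwarder
# might deliver it: the Policy property now swallows every later field.
SAMPLE_EVENT_SPACES = SAMPLE_EVENT.replace("\t", " ")

if __name__ == "__main__":
    for label, event in (("tab-separated", SAMPLE_EVENT), ("space-separated", SAMPLE_EVENT_SPACES)):
        props = extract_custom_properties(event)
        print(f"{label} (tabs present: {is_tab_delimited(event)})")
        for name in ("Policy", "Message", "File Path", "Ban Name"):
            print(f"  {name}: {props[name]!r}")
```

Values containing spaces (`Default Policy`, `File execution blocked by policy`) are captured whole because only a tab terminates the group, and the trailing `[\t]*` makes the last field on a line match even without a closing tab. The V1.0.2 and V1.0.3 updates change only the Optimized setting for Message and Policy; the regexes are the same strings the example uses. When a property shows up empty or over-long in QRadar, run the raw payload through `is_tab_delimited` first before suspecting the regex.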