Carbon Black Protection

Use the IBM Security QRadar Carbon Black Protection Content Extension to closely monitor your Carbon Black Protection deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Carbon Black Protection Content Extensions

IBM Security QRadar Carbon Black Protection Content Extension V1.0.4

The owner for the Policy custom property was set to admin.

IBM Security QRadar Carbon Black Protection Content Extension V1.0.3

The following table shows the custom property that was updated in IBM Security QRadar Carbon Black Protection Content Extension V1.0.3. The regex is unchanged from V1.0.1; only the Optimized setting of the Policy property changed (it was True in V1.0.1).

Table 1. Updated Custom Properties in IBM Security QRadar Carbon Black Protection Content Extension V1.0.3

Name                    Optimized  Capture Group  Regex
Policy                  No         1              policy=([^\t]+)[\t]*

IBM Security QRadar Carbon Black Protection Content Extension V1.0.2

The following table shows the custom property that was updated in IBM Security QRadar Carbon Black Protection Content Extension V1.0.2. The regex is unchanged from V1.0.1; only the Optimized setting of the Message property changed (it was True in V1.0.1).

Table 2. Updated Custom Properties in IBM Security QRadar Carbon Black Protection Content Extension V1.0.2

Name                    Optimized  Capture Group  Regex
Message                 No         1              msg=([^\t]+)[\t]*

IBM Security QRadar Carbon Black Protection Content Extension V1.0.1

The following table shows the custom properties in IBM Security QRadar Carbon Black Protection Content Extension V1.0.1.

Table 3. Custom Properties in IBM Security QRadar Carbon Black Protection Content Extension V1.0.1

Name                    Optimized  Capture Group  Regex
Ban Name                True       1              banName=([^\t]+)[\t]*
Destination Host Name   True       1              dstHostName=([^\t]+)[\t]*
External ID             True       1              externalId=([^\t]+)[\t]*
File Hash               True       1              fileHash=([^\t]+)[\t]*
File ID                 True       1              fileId=([^\t]+)[\t]*
File Path               False      1              filePath=([^\t]+)[\t]*
File Threat             True       1              fileThreat=([^\t]+)[\t]*
File Trust              True       1              fileTrust=([^\t]+)[\t]*
Filename                True       1              fileName=([^\t]+)[\t]*
Indicator Name          False      1              indicatorName=([^\t]+)[\t]*
Installer Filename      True       1              installerFileName=([^\t]+)[\t]*
Message                 True       1              msg=([^\t]+)[\t]*
Policy                  True       1              policy=([^\t]+)[\t]*
Process Key             True       1              processKey=([^\t]+)[\t]*
Process Threat          True       1              processThreat=([^\t]+)[\t]*
Process Trust           True       1              processTrust=([^\t]+)[\t]*
Received Time           True       1              receivedTime=([^\t]+)[\t]*
Root Hash               True       1              rootHash=([^\t]+)[\t]*
Rule Name               True       1              ruleName=([^\t]+)[\t]*
Source Host Name        True       1              srcHostName=([^\t]+)[\t]*
Source Process          True       1              srcProcess=([^\t]+)[\t]*
Unified Source          False      1              unifiedSource=([^\t]+)[\t]*
Updater Name            False      1              updaterName=([^\t]+)[\t]*
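All of the custom properties above use the same shape of regex: a literal key, one capture group of everything up to the next tab, and a trailing run of tabs that is consumed but not captured. The following Python script is an added example (it is not part of the content extension or of IBM's documentation) that applies the V1.0.1 regexes to a constructed, tab-delimited sample event and shows what each property captures. The sample syslog prefix, host names, hash, and other field values are constructed for the example and do not come from a real Carbon Black Protection deployment; the regex strings themselves are taken verbatim from the table. QRadar evaluates these patterns as Java regexes, and for patterns this simple Python's re module behaves identically.

```python
import re

# Custom property definitions from the V1.0.1 table: name -> (capture group, regex).
CUSTOM_PROPERTIES = {
    "Ban Name": (1, r"banName=([^\t]+)[\t]*"),
    "Destination Host Name": (1, r"dstHostName=([^\t]+)[\t]*"),
    "External ID": (1, r"externalId=([^\t]+)[\t]*"),
    "File Hash": (1, r"fileHash=([^\t]+)[\t]*"),
    "File ID": (1, r"fileId=([^\t]+)[\t]*"),
    "File Path": (1, r"filePath=([^\t]+)[\t]*"),
    "File Threat": (1, r"fileThreat=([^\t]+)[\t]*"),
    "File Trust": (1, r"fileTrust=([^\t]+)[\t]*"),
    "Filename": (1, r"fileName=([^\t]+)[\t]*"),
    "Indicator Name": (1, r"indicatorName=([^\t]+)[\t]*"),
    "Installer Filename": (1, r"installerFileName=([^\t]+)[\t]*"),
    "Message": (1, r"msg=([^\t]+)[\t]*"),
    "Policy": (1, r"policy=([^\t]+)[\t]*"),
    "Process Key": (1, r"processKey=([^\t]+)[\t]*"),
    "Process Threat": (1, r"processThreat=([^\t]+)[\t]*"),
    "Process Trust": (1, r"processTrust=([^\t]+)[\t]*"),
    "Received Time": (1, r"receivedTime=([^\t]+)[\t]*"),
    "Root Hash": (1, r"rootHash=([^\t]+)[\t]*"),
    "Rule Name": (1, r"ruleName=([^\t]+)[\t]*"),
    "Source Host Name": (1, r"srcHostName=([^\t]+)[\t]*"),
    "Source Process": (1, r"srcProcess=([^\t]+)[\t]*"),
    "Unified Source": (1, r"unifiedSource=([^\t]+)[\t]*"),
    "Updater Name": (1, r"updaterName=([^\t]+)[\t]*"),
}

# Compile once; the patterns are searched (not anchored), like a QRadar custom property.
COMPILED = {name: (group, re.compile(rx)) for name, (group, rx) in CUSTOM_PROPERTIES.items()}


def extract_properties(payload: str) -> dict:
    """Run every custom property regex over one raw event payload.

    The first match in the payload wins and the value is the configured capture
    group. Properties whose regex does not match are absent from the result,
    which is how an unpopulated custom property looks in QRadar.
    """
    found = {}
    for name, (group, regex) in COMPILED.items():
        match = regex.search(payload)
        if match:
            found[name] = match.group(group)
    return found


def missing_properties(payload: str) -> list:
    """Names of properties that do not populate from this payload.

    Useful when checking a captured event against the content extension: a
    property that never populates usually means the DSM did not emit that key.
    """
    present = extract_properties(payload)
    return [name for name in CUSTOM_PROPERTIES if name not in present]


def tab_in_value_truncates(value_with_tab: str) -> str:
    """Show the [^\\t]+ caveat: a tab inside a value ends the capture there.

    Constructed input: a policy name that, contrary to the format's assumption,
    contains a tab. Everything after the tab is lost to the Policy property.
    """
    payload = "policy=" + value_with_tab + "\tmsg=x"
    return extract_properties(payload)["Policy"]


# Constructed sample payload (not a real Carbon Black Protection event): a syslog
# prefix followed by tab-separated key=value pairs, the layout that [^\t] assumes.
SAMPLE_EVENT = "\t".join([
    "<13>Jan 01 12:00:00 cbprotection-server CB Protection",
    "externalId=1000001",
    "receivedTime=2024-01-01T12:00:00Z",
    "msg=Execution blocked because the file is unapproved",
    "policy=Default Policy",
    "ruleName=Report unapproved executable",
    "srcHostName=WORKSTATION01",
    "dstHostName=WORKSTATION01",
    "fileName=setup.exe",
    "filePath=C:\\Users\\alice\\Downloads\\",
    "fileHash=d41d8cd98f00b204e9800998ecf8427e",
    "fileThreat=Potential risk",
    "fileTrust=0",
    "srcProcess=explorer.exe",
    "processKey=00000000-0000-0000-0000-000000000001",
])

if __name__ == "__main__":
    for name, value in extract_properties(SAMPLE_EVENT).items():
        print(f"{name:<22} {value}")
    print("not populated:", ", ".join(missing_properties(SAMPLE_EVENT)))
    print("tab inside value ->", repr(tab_in_value_truncates("Default\tPolicy")))
```

Three behaviours are worth keeping in mind when you write rules on these properties: values containing spaces (Policy, Message, File Path) are captured whole because only a tab ends the capture; a value that itself contains a tab is silently cut at that tab; and if a key appears twice in a payload, only the first occurrence is captured.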

IBM Security QRadar Carbon Black Protection Content Extension V1.0.0

The following table shows the custom properties in IBM Security QRadar Carbon Black Protection Content Extension V1.0.0.

Table 4. Custom Properties in IBM Security QRadar Carbon Black Protection Content Extension V1.0.0

Name                    Optimized  Capture Group  Regex
Ban Name                False      1              banName=([^\t]+)[\t]*
Destination Host Name   True       1              dstHostName=([^\t]+)[\t]*
External ID             True       1              externalId=([^\t]+)[\t]*
File Hash               True       1              fileHash=([^\t]+)[\t]*
File ID                 True       1              fileId=([^\t]+)[\t]*
File Path               True       1              filePath=([^\t]+)[\t]*
File Threat             False      1              fileThreat=([^\t]+)[\t]*
File Trust              False      1              fileTrust=([^\t]+)[\t]*
Filename                True       1              fileName=([^\t]+)[\t]*
Indicator Name          False      1              indicatorName=([^\t]+)[\t]*
Installer Filename      True       1              installerFileName=([^\t]+)[\t]*
Message                 True       1              msg=([^\t]+)[\t]*
Policy                  True       1              policy=([^\t]+)[\t]*
Process Key             False      1              processKey=([^\t]+)[\t]*
Process Threat          False      1              processThreat=([^\t]+)[\t]*
Process Trust           False      1              processTrust=([^\t]+)[\t]*
Received Time           True       1              receivedTime=([^\t]+)[\t]*
Root Hash               True       1              rootHash=([^\t]+)[\t]*
Rule Name               True       1              ruleName=([^\t]+)[\t]*
Source Host Name        True       1              srcHostName=([^\t]+)[\t]*
Source Process          True       1              srcProcess=([^\t]+)[\t]*
Unified Source          False      1              unifiedSource=([^\t]+)[\t]*
Updater Name            False      1              updaterName=([^\t]+)[\t]*