Cisco Ironport

The IBM Security QRadar Cisco Ironport Content Extension adds new custom properties for Cisco Ironport.

IBM Security QRadar Cisco Ironport Content Extensions

- IBM Security QRadar Cisco Ironport Content Extension 1.1.1
- IBM Security QRadar Cisco Ironport Content Extension 1.1.0
- IBM Security QRadar Cisco Ironport Content Extension 1.0.4
- IBM Security QRadar Cisco Ironport Content Extension 1.0.3
- IBM Security QRadar Cisco Ironport Content Extension 1.0.2
- IBM Security QRadar Cisco Ironport Content Extension 1.0.1

IBM Security QRadar Cisco Ironport Content Extension 1.1.1

The following table shows the custom properties that are renamed in IBM Security QRadar Cisco Ironport Content Extension 1.1.1.

Previous Name | Updated Name |
---|---|
Referrer URL | URL Referrer |
UrlHost | URL Host |
BytesReceived | Bytes Received |
Recipient_User | Recipients |
Originating_User | Sender |
Originating Host | Sender Host |
MessageID | Message ID |

IBM Security QRadar Cisco Ironport Content Extension 1.1.0

The following table shows the new and updated custom properties in IBM Security QRadar Cisco Ironport Content Extension 1.1.0. A property that is extracted by more than one regex is listed once per regex, with the capture group that applies to that regex.

Name | Optimized | Capture Group | Regex |
---|---|---|---|
ACL Decision Tag | No | 1 | \d{10}.*?\s.*?\s.*?\s.*?/.*?\s.*?\s.*?\s.*?\s.*?.\s.*?\s.*?\s(.*?)\s |
BytesReceived | Yes | 1 | (\d+)\sbytes\sfrom |
BytesReceived | Yes | 1 | (\d+)\sbytes\sreceived |
BytesReceived | Yes | 1 | (\d+)\s(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE) |
Content Type | No | 1 | mimeType\s(.*?)\s |
Content Type | No | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s.*?\s.*?\s.*?\s(.*?)\s |
Delivery Connection ID | No | 1 | DCID\s(\d+) |
File Extension | Yes | 2 | attachment\s'(.*?)\.([^\;\s\?]+)' |
File Extension | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/[^\;\s\?]+\.([^\;\s\?]+) |
Filename | Yes | 1 | attachment\s'(.*?)' |
Filename | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/([^\;\s\?]+\.[^\;\s\?]+) |
Injection Connection ID | No | 1 | ICID\s(\d+) |
MessageID | Yes | 1 | MID\s(\d+) |
Method | No | 1 | (GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s |
Referrer URL | No | 1 | referrer\s(.*?)\s |
Referrer URL | No | 1 | ref:\s(.*?)\s |
Threat Name | Yes | 1 | \s<.*?,.*?,.*?,"(.*?)", |
URL | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s([^\;\s]+) |
URL Path | No | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\/]+\/([^\;\s\?]+) |
URL Query String | No | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\?([^\;\s]+) |
URL Scheme | No | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s([^\;\s\/]*?):\/\/ |
UrlHost | Yes | 1 | host\s\"(?:www\.)?([^\"]*?)\" |
UrlHost | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+) |
User Agent | No | 1 | userAgent\s\"(.*?)\" |
User Agent | No | 1 | ua:\s"(.*?)"\s |
Web Category | Yes | 1 | \s\<([^\,]+), |
Web Category | Yes | 1 | labels=([^\;]+) |
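
As an added example that is not part of the IBM documentation, the following Python script applies a subset of the regexes from the tables above (using the 1.1.1 property names) to constructed Cisco IronPort web-proxy access-log and mail-log lines, so the capture-group and regex-order behaviour of a property can be checked offline before it is changed in QRadar. The sample log lines are constructed for this example and assume the standard IronPort WSA access-log and ESA mail-log layouts.

```python
import re

# Regexes copied from this page's 1.1.0 and 1.0.4 tables, keyed by the 1.1.1 property
# names. The first regex in a list that matches supplies the value, read from that
# regex's own capture group (File Extension: group 2 of one regex, group 1 of the other).
PROPERTIES = {
    "URL": [(r"(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s([^\;\s]+)", 1)],
    "URL Host": [
        (r'host\s\"(?:www\.)?([^\"]*?)\"', 1),
        (r'(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+)', 1),
    ],
    "File Extension": [
        (r"attachment\s'(.*?)\.([^\;\s\?]+)'", 2),
        (r"(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/[^\;\s\?]+\.([^\;\s\?]+)", 1),
    ],
    "Bytes Received": [
        (r"(\d+)\sbytes\sfrom", 1),
        (r"(\d+)\sbytes\sreceived", 1),
        (r"(\d+)\s(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)", 1),
    ],
    "Threat Name": [(r'\s<.*?,.*?,.*?,"(.*?)",', 1)],
    "Web Category": [(r"\s\<([^\,]+),", 1), (r"labels=([^\;]+)", 1)],
    "Message ID": [(r"MID\s(\d+)", 1)],
    "Sender": [(r"(?:F|f)rom[:\s]*<([^>]*)>", 1)],
    "Sender Host": [(r"(?:F|f)rom[:\s]*<[^>@]*@([^>]*)>", 1)],
}

def extract(event, properties=PROPERTIES):
    """Return {property name: value} for every property whose regex list matches the event."""
    values = {}
    for name, patterns in properties.items():
        for regex, group in patterns:
            match = re.search(regex, event)
            if match:
                values[name] = match.group(group)
                break  # first matching regex wins; the remaining ones are not tried
    return values

# Constructed sample events (not real log data): one WSA access-log line, three ESA mail-log lines.
WSA_EVENT = (
    "1678096903.150 97 10.0.0.12 TCP_MISS/200 8187 GET http://www.example.com/reports/q1-summary.pdf?dl=1 "
    "- DIRECT/www.example.com application/pdf DEFAULT_CASE_11-DefaultGroup-Identity-NONE-NONE-NONE-DefaultGroup "
    '<IW_busn,6.9,0,"Constructed.Sample.Threat",0,0,0,1,"-",-,-,-,"-",1,-,"-"> -'
)
ESA_EVENTS = [
    "Tue Mar 14 10:21:07 2023 Info: MID 4711 ICID 9001 From: <alice@example.org>",
    "Tue Mar 14 10:21:08 2023 Info: MID 4711 ready 21356 bytes from <alice@example.org>",
    "Tue Mar 14 10:21:08 2023 Info: MID 4711 attachment 'q1-summary.pdf'",
]
```

Running `extract(WSA_EVENT)` yields the web-side values (URL host `example.com`, extension `pdf` from the URL regex's group 1), while the attachment mail-log line yields `pdf` through group 2 of the attachment regex; neither side's regexes fire on the other side's events.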

IBM Security QRadar Cisco Ironport Content Extension 1.0.4

The following table shows the new and updated custom properties in IBM Security QRadar Cisco Ironport Content Extension 1.0.4. A property that is extracted by more than one regex is listed once per regex.

Name | Optimized | Capture Group | Regex |
---|---|---|---|
BytesReceived | Yes | 1 | (\d+)\sbytes\sreceived |
BytesReceived | Yes | 1 | (\d+)\s(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE) |
BytesReceived | Yes | 1 | (\d+)\sbytes\sfrom |
Content Type | Yes | 1 | mimeType\s(.*?)\s |
Content Type | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s.*?\s.*?\s.*?\s(.*?)\s |
File Extension | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/[^\;\s\?]+\.([^\;\s\?]+) |
File Extension | Yes | 1 | attachment\s'(.*?)\.([^\;\s\?]+)' |
Filename | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/([^\;\s\?]+\.[^\;\s\?]+) |
Filename | Yes | 1 | attachment\s'(.*?)' |
Injection Connection ID | Yes | 1 | ICID\s(\d+) |
Message Size | Yes | 1 | ready\s(\d+) |
MessageID | Yes | 1 | MID\s(\d+) |
Method | Yes | 1 | (GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s |
Originating Host | Yes | 1 | (?:F|f)rom[:\s]*<[^>@]*@([^>]*)> |
Originating_User | Yes | 1 | (?:F|f)rom[:\s]*<([^>]*)> |
Recipient Host | Yes | 1 | (?:T|t)o[:\s]*<[^>@]*@([^>]*)> |
Recipient ID | Yes | 1 | RID\s(\d+) |
Recipient_User | Yes | 1 | (?:T|t)o[:\s]*<([^>]*)> |
Referrer URL | Yes | 1 | referrer\s(.*?)\s |
URL | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s([^\;\s]+) |
URL Path | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\/]+\/([^\;\s\?]+) |
URL Query String | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\?([^\;\s]+) |
URL Scheme | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s([^\;\s\/]*?):\/\/ |
UrlHost | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+) |
UrlHost | Yes | 1 | host\s\"(?:www\.)?([^\"]*?)\" |
User Agent | Yes | 1 | userAgent\s\"(.*?)\" |
Web Category | Yes | 1 | \s\<([^\,]+), |
Web Category | Yes | 1 | labels=([^\;]+) |

IBM Security QRadar Cisco Ironport Content Extension 1.0.3

The following table shows the custom properties that are new or updated in IBM Security QRadar Cisco Ironport Content Extension 1.0.3. The property is extracted by three regexes, listed one per row.

Name | Optimized | Capture Group | Regex |
---|---|---|---|
BytesReceived | Yes | 1 | (\d+)\sbytes\sreceived |
BytesReceived | Yes | 1 | (\d+)\sbytes\sfrom |
BytesReceived | Yes | 1 | (\d+)\s(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE) |

IBM Security QRadar Cisco Ironport Content Extension 1.0.2

The following table shows the custom properties that are new or updated in IBM Security QRadar Cisco Ironport Content Extension 1.0.2.

Name | Optimized | Capture Group | Regex |
---|---|---|---|
Message Size | Yes | 1 | ready\s(\d+) |
MessageID | Yes | 1 | MID\s(\d+) |
Originating Host | Yes | 1 | (?:F|f)rom[:\s]*<[^>@]*@([^>]*)> |
Originating_User | Yes | 1 | (?:F|f)rom[:\s]*<([^>]*)> |
Recipient Host | Yes | 1 | (?:T|t)o[:\s]*<[^>@]*@([^>]*)> |
Recipient_User | Yes | 1 | (?:T|t)o[:\s]*<([^>]*)> |

IBM Security QRadar Cisco Ironport Content Extension 1.0.1

The following table shows the custom properties in IBM Security QRadar Cisco Ironport Content Extension 1.0.1. A property that is extracted by more than one regex is listed once per regex, with the Optimized setting and capture group that apply to that regex.

Name | Optimized | Capture Group | Regex |
---|---|---|---|
BytesReceived | No | 1 | (\d+)\sbytes\sreceived |
BytesReceived | No | 1 | (\d+)\sbytes\sfrom |
BytesReceived | No | 1 | (\d+)\s(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE) |
Content Type | No | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s.*?\s.*?\s.*?\s(.*?)\s |
Content Type | No | 1 | mimeType\s(.*?)\s |
File Extension | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/[^\;\s\?]+\.([^\;\s\?]+) |
File Extension | Yes | 2 | attachment\s'(.*?)\.([^\;\s\?]+)' |
Filename | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/([^\;\s\?]+\.[^\;\s\?]+) |
Filename | Yes | 1 | attachment\s'(.*?)' |
Method | No | 1 | (GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s |
Originating_User | No | 1 | From:\s<(.*?)> |
Recipient_User | Yes | 1 | To:\s<(.*?)> |
Subject | No | 1 | Subject\s'(.*?)' |
Referrer URL | No | 1 | referrer\s(.*?)\s |
URL | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s([^\;\s]+) |
URL Path | No | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\/]+\/([^\;\s\?]+) |
URL Query String | No | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\?([^\;\s]+) |
URL Scheme | No | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s([^\;\s\/]*?):\/\/ |
UrlHost | Yes | 1 | (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+) |
UrlHost | Yes | 1 | host\s\"(?:www\.)?([^\"]*?)\" |
User Agent | No | 1 | userAgent\s\"(.*?)\" |
Web Category | Yes | 1 | \s\<([^\,]+), |
Web Category | Yes | 1 | labels=([^\;]+) |