Cisco Ironport

The IBM Security QRadar Cisco Ironport Content Extension adds custom event properties for Cisco Ironport events. The regular expressions listed in the tables below extract fields such as message IDs, connection IDs, senders and recipients from Ironport mail logs, and methods, URLs, MIME types, web categories and ACL decision tags from Ironport web proxy access logs.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Cisco Ironport Content Extensions

IBM Security QRadar Cisco Ironport Content Extension 1.1.1

The following table shows the custom properties that are renamed in IBM Security QRadar Cisco Ironport Content Extension 1.1.1.

Table 1. Renamed Custom Properties in IBM Security QRadar Cisco Ironport Content Extension 1.1.1
Previous Name      Updated Name
Referrer URL       URL Referrer
UrlHost            URL Host
BytesReceived      Bytes Received
Recipient_User     Recipients
Originating_User   Sender
Originating Host   Sender Host
MessageID          Message ID

IBM Security QRadar Cisco Ironport Content Extension 1.1.0

The following table shows the new and updated custom properties in IBM Security QRadar Cisco Ironport Content Extension 1.1.0. The Optimized column records whether the property's "Optimize parsing for rules, reports, and searches" option is enabled; Capture Group is the numbered group of the regex whose matched text becomes the property value. A property that has several expressions is listed with one expression per row.

Table 2. Custom Properties in IBM Security QRadar Cisco Ironport Content Extension 1.1.0
Name                     Optimized  Capture Group  Regex
ACL Decision Tag         No         1              \d{10}.*?\s.*?\s.*?\s.*?/.*?\s.*?\s.*?\s.*?\s.*?.\s.*?\s.*?\s(.*?)\s
BytesReceived            Yes        1              (\d+)\sbytes\sfrom
                         Yes        1              (\d+)\sbytes\sreceived
                         Yes        1              (\d+)\s(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)
Content Type             No         1              mimeType\s(.*?)\s
                         No         1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s.*?\s.*?\s.*?\s(.*?)\s
Delivery Connection ID   No         1              DCID\s(\d+)
File Extension           Yes        2              attachment\s'(.*?)\.([^\;\s\?]+)'
                         Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/[^\;\s\?]+\.([^\;\s\?]+)
Filename                 Yes        1              attachment\s'(.*?)'
                         Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/([^\;\s\?]+\.[^\;\s\?]+)
Injection Connection ID  No         1              ICID\s(\d+)
MessageID                Yes        1              MID\s(\d+)
Method                   No         1              (GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s
Referrer URL             No         1              referrer\s(.*?)\s
                         No         1              ref:\s(.*?)\s
Threat Name              Yes        1              \s<.*?,.*?,.*?,"(.*?)",
URL                      Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s([^\;\s]+)
URL Path                 No         1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\/]+\/([^\;\s\?]+)
URL Query String         No         1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\?([^\;\s]+)
URL Scheme               No         1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s([^\;\s\/]*?):\/\/
UrlHost                  Yes        1              host\s\"(?:www\.)?([^\"]*?)\"
                         Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+)
User Agent               No         1              userAgent\s\"(.*?)\"
                         No         1              ua:\s"(.*?)"\s
Web Category             Yes        1              \s\<([^\,]+),
                         Yes        1              labels=([^\;]+)

IBM Security QRadar Cisco Ironport Content Extension 1.0.4

The following table shows the new and updated custom properties in IBM Security QRadar Cisco Ironport Content Extension 1.0.4. As listed here, both File Extension expressions use capture group 1, which for the attachment\s'(.*?)\.([^\;\s\?]+)' expression is the part of the attachment name before the last dot rather than the extension; versions 1.0.1 and 1.1.0 list that expression with capture group 2.

Table 3. Custom Properties in IBM Security QRadar Cisco Ironport Content Extension 1.0.4
Name                     Optimized  Capture Group  Regex
BytesReceived            Yes        1              (\d+)\sbytes\sreceived
                         Yes        1              (\d+)\s(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)
                         Yes        1              (\d+)\sbytes\sfrom
Content Type             Yes        1              mimeType\s(.*?)\s
                         Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s.*?\s.*?\s.*?\s(.*?)\s
File Extension           Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/[^\;\s\?]+\.([^\;\s\?]+)
                         Yes        1              attachment\s'(.*?)\.([^\;\s\?]+)'
Filename                 Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/([^\;\s\?]+\.[^\;\s\?]+)
                         Yes        1              attachment\s'(.*?)'
Injection Connection ID  Yes        1              ICID\s(\d+)
Message Size             Yes        1              ready\s(\d+)
MessageID                Yes        1              MID\s(\d+)
Method                   Yes        1              (GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s
Originating Host         Yes        1              (?:F|f)rom[:\s]*<[^>@]*@([^>]*)>
Originating_User         Yes        1              (?:F|f)rom[:\s]*<([^>]*)>
Recipient Host           Yes        1              (?:T|t)o[:\s]*<[^>@]*@([^>]*)>
Recipient ID             Yes        1              RID\s(\d+)
Recipient_User           Yes        1              (?:T|t)o[:\s]*<([^>]*)>
Referrer URL             Yes        1              referrer\s(.*?)\s
URL                      Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s([^\;\s]+)
URL Path                 Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\/]+\/([^\;\s\?]+)
URL Query String         Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\?([^\;\s]+)
URL Scheme               Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s([^\;\s\/]*?):\/\/
UrlHost                  Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+)
                         Yes        1              host\s\"(?:www\.)?([^\"]*?)\"
User Agent               Yes        1              userAgent\s\"(.*?)\"
Web Category             Yes        1              \s\<([^\,]+),
                         Yes        1              labels=([^\;]+)

IBM Security QRadar Cisco Ironport Content Extension 1.0.3

The following table shows the custom properties that are new or updated in IBM Security QRadar Cisco Ironport Content Extension 1.0.3.

Table 4. Custom Properties in IBM Security QRadar Cisco Ironport Content Extension 1.0.3
Name                     Optimized  Capture Group  Regex
BytesReceived            Yes        1              (\d+)\sbytes\sreceived
                         Yes        1              (\d+)\sbytes\sfrom
                         Yes        1              (\d+)\s(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)

IBM Security QRadar Cisco Ironport Content Extension 1.0.2

The following table shows the custom properties that are new or updated in IBM Security QRadar Cisco Ironport Content Extension 1.0.2.

Table 5. Custom Properties in IBM Security QRadar Cisco Ironport Content Extension 1.0.2
Name                     Optimized  Capture Group  Regex
Message Size             Yes        1              ready\s(\d+)
MessageID                Yes        1              MID\s(\d+)
Originating Host         Yes        1              (?:F|f)rom[:\s]*<[^>@]*@([^>]*)>
Originating_User         Yes        1              (?:F|f)rom[:\s]*<([^>]*)>
Recipient Host           Yes        1              (?:T|t)o[:\s]*<[^>@]*@([^>]*)>
Recipient_User           Yes        1              (?:T|t)o[:\s]*<([^>]*)>

IBM Security QRadar Cisco Ironport Content Extension 1.0.1

The following table shows the custom properties in IBM Security QRadar Cisco Ironport Content Extension 1.0.1.

Table 6. Custom Properties in IBM Security QRadar Cisco Ironport Content Extension 1.0.1
Name                     Optimized  Capture Group  Regex
BytesReceived            No         1              (\d+)\sbytes\sreceived
                         No         1              (\d+)\sbytes\sfrom
                         No         1              (\d+)\s(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)
Content Type             No         1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s.*?\s.*?\s.*?\s(.*?)\s
                         No         1              mimeType\s(.*?)\s
File Extension           Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/[^\;\s\?]+\.([^\;\s\?]+)
                         Yes        2              attachment\s'(.*?)\.([^\;\s\?]+)'
Filename                 Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/([^\;\s\?]+\.[^\;\s\?]+)
                         Yes        1              attachment\s'(.*?)'
Method                   No         1              (GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s
Originating_User         No         1              From:\s<(.*?)>
Recipient_User           Yes        1              To:\s<(.*?)>
Subject                  No         1              Subject\s'(.*?)'
Referrer URL             No         1              referrer\s(.*?)\s
URL                      Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s([^\;\s]+)
URL Path                 No         1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\/]+\/([^\;\s\?]+)
URL Query String         No         1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\?([^\;\s]+)
URL Scheme               No         1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s([^\;\s\/]*?):\/\/
UrlHost                  Yes        1              (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE)\s(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+)
                         Yes        1              host\s\"(?:www\.)?([^\"]*?)\"
User Agent               No         1              userAgent\s\"(.*?)\"
Web Category             Yes        1              \s\<([^\,]+),
                         Yes        1              labels=([^\;]+)
