Custom Properties Dictionary

These properties are placeholders. Install content extensions that contain these properties to make use of them.

Some rules in QRadar or other content extensions make use of custom properties that are available in multiple content extensions. For example, the Potential Homoglyph Usage rule in the IBM Security Threat content extension uses the URLHost custom property, which can be found in several content extensions. While you can create your own custom properties, it's a best practice to use an existing custom property rather than create your own whenever possible.

The placeholder properties in this content extension are meant to let you know about the existence of custom properties that are available to you. You can search the IBM® X-Force® Exchange portal (https://exchange.xforce.ibmcloud.com/) for any of these properties to find the content extensions that contain them.

IBM Security QRadar Custom Properties Dictionary 1.4.1

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties Dictionary 1.4.1.

Table 1. New or updated custom properties in IBM Security QRadar Custom Properties Dictionary 1.4.1
Name Custom Property ID Optimized
Access Allowed DEFAULT_ACCESS_ALLOWED Yes
Access Intent DEFAULT_ACCESS_INTENT Yes
Account Domain DEFAULTCUSTOMEVENT16 Yes
Account ID DEFAULTCUSTOMEVENT14 No
Alert SQL DB Name ad70c725-4013-4f9c-b5e7-1505565b8aed No
Alert SQL Username bede61b6-0cc6-4cff-80b6-cb9683680e59 No
Alert Category 8d064e99-13b6-4200-9c55-2f83c68a7b1f No
Analyzer Hostname 0f43b2c9-6ac4-419e-91c4-d7761e4b40e6 No
Application Name DEFAULT_APPLICATION_NAME Yes
Browser Info d22fdf49-edcc-4ddc-8ae7-b98796f88847 No
Bypass Request be134a93-f296-401b-820e-58b728cf20ce No
Bytes Received DEFAULTCUSTOMEVENT11 Yes
Bytes Sent DEFAULTCUSTOMEVENT12 Yes
Changed Attributes DEFAULTCUSTOMEVENT19 No
Completion Code DEFAULT_COMPLETION_CODE Yes
Completion Status DEFAULT_COMPLETION_STATUS Yes
Email Subject bd2e34ae-104f-4633-a09c-f1248d8c1197 No
Content Type 81b1a04b-f5c2-4018-afa8-ca48bdb0aeda No
CPU Usage defe371c-dda5-41a6-ae1c-e269e3fd14d6 Yes
Criticality Score 55992699-530d-43bd-8e45-ba5d07fbc670 No
Current SQL ID DEFAULT_CURRENT_SQL_ID Yes
Data Set Name DEFAULT_DATA_SET_NAME Yes
Data Definition DEFAULT_DD_NAME Yes
Destination Hostname DEFAULT_DESTINATION_HOSTNAME Yes
Analyzer Type 2be53d85-21cd-4d0b-93fe-7165f781db1f No
Event ID DEFAULTCUSTOMEVENT8 Yes
Threat Execution Status 48434b2d-5856-463b-9103-df45aedfa108 No
File Hash DEFAULT_FILE_HASH Yes
Filename DEFAULT_FILENAME Yes
File Size 5b7b76c8-fa9d-4ad2-91bf-6d69000fbaaf No
Function Code DEFAULT_FUNCTION_CODE Yes
Group ID DEFAULTCUSTOMEVENT17 Yes
Host Status 7608deed-186b-4e1e-80e2-372a773f1246 Yes
Initiator Username 40d41417-9594-4e68-be99-7ccd5a828f4c Yes
Instance ID 79e605b9-d7b1-4fd9-a255-f2c2554aedb1 Yes
Job Name DEFAULT_JOB_NAME Yes
Job Number DEFAULT_JOB_NUMBER Yes
Job Tag fcd3f3cc-ebd9-46ca-9286-a38a14824c78 No
Log String DEFAULT_LOG_STRING Yes
Machine Identifier 002a5618-8f44-41bc-b5aa-bc02153a7d84 Yes
Message ID 9d9a57de-99bd-4495-83a3-11e0502cda9a Yes
Full Name 2194b6b0-b8d5-4048-b2e6-64aad70ad262 No
Object Type DEFAULTCUSTOMEVENT13 Yes
Old Data Set Name DEFAULT_OLD_DATA_SET_NAME_ Yes
Sender Host bd3b952a-4036-4f9e-aa85-e20ee98ed8fc Yes
Parent Process GUID f2b6fd22-e55e-44ab-abd5-b406a7fac28b No
Parent Command 167c29dc-0ca1-4556-8058-a7f6496d7f7e Yes
Pipe Name cb6bc695-4367-4008-bbfe-b588c7ea505a Yes
Port of Entry DEFAULT_PORT_OF_ENTRY Yes
Process GUID 95d2bd09-95a3-4d28-861e-922d3cd89665 No
Process ID c3615010-0cb6-43b5-b921-4bcf7737b8ea Yes
Encoded Command 73ab582c-9d9e-48d5-9ca6-758e708f773e Yes
Recipients dee5377f-f33a-438c-b206-fdaf2a93e1c5 Yes
URL Referrer f967556a-f63c-48d9-a0b1-3ad1762a8d74 Yes
Resource DEFAULTCUSTOMEVENT7 Yes
Resource Sensitivity DEFAULT_RESOURCE_SENSITIVITY Yes
Run Level 717b2df1-41fa-44e9-97b0-2ff4374caa79 Yes
Sensitive Groups DEFAULT_SENSITIVE_GROUPS Yes
Sensitive User Privileges DEFAULT_SENSITIVE_USER_PRIVILEGES Yes
Service Filename 135b9822-5e07-426e-a4bb-0f693a25fb46 Yes
Share Path 3830765f-4e47-4b2d-91fe-679e0dd92030 No
Source Hostname DEFAULT_SOURCE_HOSTNAME Yes
Source Process Path daf362c1-ce5e-49e7-8b7a-0da268414abd Yes
Start Address cecdcd5a-60e9-4c89-8b63-921a77c50c53 Yes
Start Function f52b3cfb-a8db-492f-b273-34c5b5ff1083 Yes
Start Module 23ac846c-7383-4863-b363-37e0fbfef92e Yes
Step Name DEFAULT_STEP_NAME Yes
Submitted By DEFAULT_SUBMITTED_BY Yes
Subsystem Name DEFAULT_SUBSYSTEM_NAME Yes
Target Process Name 7453f3f4-58b3-4e08-aa35-372e2a029deb Yes
Target Username e7da1cc0-5bf0-48de-86a9-6af817266c7f Yes
Target Process Path 1aa29046-3025-4243-8168-6464da805862 No
Task Name 4aefc749-73b0-42b3-a1a3-87b0338586c4 No
TLS Client Certificate ec328503-a1d0-4aa6-a206-9d5d14a34f04 No
TLS Encryption Chaining Mode 0c4511b3-eb7a-47fb-806e-31b701790ff2 No
TLS Encryption Family 3103ce77-56b4-4c16-8b6f-4a52dc0caf29 No
TLS Encryption Key Length d3c849f5-9b8d-4097-96c5-891088b112fe No
TLS Key Exchange Method 90222f9d-de06-4de7-a43d-9984a1528eab No
TLS Message Digest e0286d4f-7e2f-4e61-87f0-a03273ac66a2 No
TLS or SSL Protocol Level c0fb538e-f4af-4935-aaee-e44bcd6a0db3 No
TLS RFC Level c849a775-5ac7-42b0-981b-580612367c05 No
Transaction Name DEFAULT_TRANSACTION_NAME Yes
Access Origin DEFAULT_UNIX_ACCESS_ORIGIN Yes
Function DEFAULT_UNIX_FUNCTION Yes
URL Host 641cd865-b9fb-42f5-81a1-664bdab52270 Yes
User Type d0431023-731f-4e69-bcb6-41bd2f6492f1 Yes
Volume Serial DEFAULT_VOLUME_SERIAL Yes
Watchlists Content d18569ed-127e-42f2-a4b3-6127d33c5402 No
Priority 02727d71-bdc3-4d84-a136-a8595199c74c Yes
Target ID de624252-48f8-43b1-ba62-f80e29ec2b86 Yes
Target Object ID aa7b8c3a-3b4a-431c-8be7-5bdaab4c3741 No
Key Length c732c6c4-3e1d-4116-88c5-b2df0782f711 Yes
Engine Version 72bcfadf-f06c-4579-90cc-085d6fb6adb0 Yes
Host Version 55d248db-ef40-4710-841c-4102780bd2c1 Yes
SID History ec100ee3-02e3-4f76-97a7-3500cce5b3ef Yes
Delegation 9dbdae29-4973-4421-897d-138673b21ae0 No
LDAP Display Name 97e88fa5-c411-4522-8253-45191438d5e3 No
Object Class 603cfca9-9c2d-4d8f-936d-2d738fd86675 No

IBM Security QRadar Custom Properties Dictionary 1.4.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties Dictionary 1.4.0.

Table 2. New or updated custom properties in IBM Security QRadar Custom Properties Dictionary 1.4.0
Name Optimized
Subject Account Name Yes
Terminal ID No
Record Number Yes
Call Type Yes
Encoded File Directory Yes
Encoded Filename Yes
Attribute New Value No
Authentication Package Yes
Target Server Name No
Initiated Yes
Logon Process Yes
Encoded Argument Yes
Access Yes
Scope No
Machine Identifier Yes
Account Security ID No
Description No
SAM Account Name No
Target User Domain No
User Principal Name No
Target Account Security ID No
User Right No
Ticket Encryption Type Yes
Extended Error Code Yes
IMP Hash Yes
Impersonation Level Yes
Terminated Process Name Yes
Target File Directory No
Integrity Level Yes
Consumer Destination Yes
Relative Target Name No
Call Trace No
Granted Access Yes
Attribute Old Value No
Signed Yes
Type No
File Permission Yes

IBM Security QRadar Custom Properties Dictionary 1.3.1

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties Dictionary 1.3.1.

Table 3. New or updated custom properties in IBM Security QRadar Custom Properties Dictionary 1.3.1
Name Optimized
Process Id Yes
Referrer URL Yes

IBM Security QRadar Custom Properties Dictionary 1.3.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties Dictionary 1.3.0.

Table 4. New or updated custom properties in IBM Security QRadar Custom Properties Dictionary 1.3.0
Name Optimized
API Path No
Architecture Yes
Audit ID Yes
Authentication Type No
Command Arguments Yes
Connection Direction No
DNS Request Domain No
Effective Group ID No
Effective User ID Yes
Event Type No
Finding ID No
Logon ID Yes
Module name No
Packet Type No
Parent File Directory Yes
Parent File Extension Yes
Parent Filename Yes
Parent MD5 No
Parent SHA1 Hash No
Parent SHA256 Hash No
Response Code No
Server Response Time Yes
Tactic No
Technique No
Token Elevation Type Yes
Transaction ID No

The following custom properties are removed in IBM Security QRadar Custom Properties Dictionary 1.3.0.

  • ACF2 rule key
  • Allowed cipher priority order
  • CICS terminal id
  • Dormant Offense Count
  • Events per Second Coalesced - Average 1 Min
  • Events per Second Coalesced - Peak 1 Sec
  • Events per Second Raw - Average 1 Min
  • Events per Second Raw - Peak 1 Sec
  • FIPS 140 compliance
  • Flow Source
  • Flows per Second - Average 15 Min
  • Flows per Second - Peak 1 Min
  • Identity Context name
  • Identity Context registry
  • JES line
  • JES remote terminal name
  • Member name
  • NJE node name
  • Peak EPS Rate
  • Physical DASD box serial
  • Previous CRE Name
  • RACF authority used
  • RACF profile
  • SNA global network name
  • SNA terminal name
  • System SMF id

IBM Security QRadar Custom Properties Dictionary 1.2.1

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties Dictionary 1.2.1.

Table 5. New or updated custom properties in IBM Security QRadar Custom Properties Dictionary 1.2.1
Name Optimized
Application Category Yes

IBM Security QRadar Custom Properties Dictionary 1.2.0

Several regular expression IDs are updated to avoid conflicts with other content extensions.

IBM Security QRadar Custom Properties Dictionary 1.1.0

The following table shows the custom properties in IBM Security QRadar Custom Properties Dictionary 1.1.0.

Table 6. Custom Properties in IBM Security QRadar Custom Properties Dictionary 1.1.0
Name Optimized
Elapsed Time No
MD5 Hash Yes
SHA1 Hash Yes
SHA256 Hash Yes

IBM Security QRadar Custom Properties Dictionary 1.0.0

The following table shows the custom properties in IBM Security QRadar Custom Properties Dictionary 1.0.0.

Table 7. Custom Properties in IBM Security QRadar Custom Properties Dictionary 1.0.0
Name Optimized
Access allowed Yes
Access intent Yes
Access Mask Yes
Account Name Yes
AccountDomain Yes
AccountID No
ACF2 rule key Yes
Action Yes
Action Result No
Alert Sql DB Name No
Alert Sql User Name No
Alert_Category No
Allowed cipher priority order No
Analyzer No
Analyzer Host Name No
Analyzer Name No
API Search ID Yes
Application Yes
Application Category No
Application name Yes
Application Type Yes
Browser info No
Bypass request No
Bytes No
BytesReceived Yes
BytesSent Yes
ChangedAttributes No
CICS terminal id Yes
Command Yes
Completion code Yes
Completion status Yes
Content Type No
CPU_Usage Yes
CRE Description Yes
CRE Name Yes
Criticality Rating No
Current SQL id Yes
Data set name Yes
Database Name Yes
Database Username No
DD name Yes
Deployment ID Yes
Destination Host Name Yes
Destination Interface Yes
Destination Zone No
Detection Engine No
Device Name No
Distinguished Name No
DNS Request Type No
Domain No
Dormant Offense Count Yes
Email Subject No
Error Code Yes
EventID Yes
Events per Second Coalesced - Average 1 Min Yes
Events per Second Coalesced - Peak 1 Sec Yes
Events per Second Raw - Average 1 Min Yes
Events per Second Raw - Peak 1 Sec Yes
Execution Status No
File Directory Yes
File Extension Yes
File Hash Yes
File ID Yes
File Path No
File Size No
Filename Yes
FIPS 140 compliance No
Flow Source Yes
Flows per Second - Average 15 Min Yes
Flows per Second - Peak 1 Min Yes
Function code Yes
Group Domain No
Group Name Yes
Group Security ID No
GroupID Yes
Home Directory No
Hostname Yes
Identity Context name Yes
Identity Context registry Yes
Initiator User Name Yes
InstanceID Yes
IOC Name No
IOC Value No
JES line Yes
JES remote terminal name Yes
Job name Yes
Job number Yes
Job tag No
Location No
Log string Yes
Login Risk Score No
Logon Type Yes
Machine ID Yes
Member name Yes
Message No
MessageID Yes
Method No
Name No
Network Interface No
Network Security Group No
NJE node name Yes
Object Name No
ObjectType Yes
Old data set name Yes
Operation ID No
Operation Type No
Originating Host Yes
OS Name No
OS Patch Level No
OS Vendor No
OS Version No
Packets No
Packets Received No
Packets Sent No
Parent Yes
Parent GUID No
Parent Hash No
Parent MD5 No
Parent Path No
Parent Process Guid No
Parent Process ID No
Parent Process Name Yes
Parent Process Path Yes
ParentCommndLine Yes
Peak EPS Rate No
Physical DASD box serial Yes
PipeName Yes
Policy Category No
Policy Classification No
Policy ID No
Policy Name Yes
Policy Violation ID No
Port of entry Yes
Previous CRE Name Yes
Priority No
Process Direction No
Process Guid No
Process Id No
Process Name Yes
Process Path Yes
PS Encoded Command Yes
RACF authority used Yes
RACF profile Yes
Recipient Host Yes
Recipient_User Yes
Referrer URL No
Region Yes
Registry Key Yes
Registry Value Data Yes
Registry Value Name Yes
Reported By No
Resource sensitivity Yes
Retention Period No
Role Name Yes
Rule Action No
Rule ID No
Rule Name Yes
RunLevel Yes
Search Executed Yes
Sender Yes
Sensitive groups Yes
Sensitive user privileges Yes
Service Name Yes
ServiceFileName Yes
Session ID No
Share Name Yes
SharePath No
Shell No
SNA global network name Yes
SNA terminal name Yes
Source Host Name Yes
Source Interface No
SourceImage Yes
SQL Command No
StartAddress Yes
StartFunction Yes
StartModule Yes
Status Yes
Step name Yes
Storage Name Yes
Subject Yes
Submitted by Yes
Subscriber No
Subscription ID No
Subsystem name Yes
System SMF id Yes
System Status Yes
Target Account Security ID No
Target Computer Domain No
Target Computer Name No
Target Image Name Yes
Target User Name Yes
TargetImage No
TaskName No
Threat Category No
Threat Family No
Threat ID No
Threat Name Yes
Threat Score No
Threat Severity No
Threat Type No
TLS Client Cert No
TLS encryption family No
TLS encryption key length No
TLS key exchange method No
TLS message digest No
TLS or SSL protocol level No
TLS RFC level No
Transaction name Yes
UNIX access origin Yes
UNIX function Yes
URL Yes
URL Path No
URL Query String No
URL Scheme No
UrlHost Yes
User Agent No
User Authentication No
User Domain No
User ID Yes
UserType Yes
Volume serial Yes
Watchlist Name No
Watchlists No
Web Category Yes