FireEye MPS

The IBM Security QRadar Custom Properties for FireEye MPS Content Extension adds new custom properties for FireEye MPS.

About the Custom Properties for FireEye MPS extension

Use the IBM Security QRadar Custom Properties for FireEye MPS content extension to use your firewall event data more efficiently in searches or reports.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.1.1

The following table shows the custom properties that are updated in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.1.1.

Table 1. Updated Custom Properties in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.1.1

Name            Property ID
Threat Name     266b1a2c-deb7-47d5-b082-f7cac7b5477c
Threat Family   3cb93d92-fbeb-4fd5-9e02-50a280898911

IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.1.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.1.0.

Table 2. New or changed Custom Properties in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.1.0
Where a property lists more than one regex, the indented lines are alternative patterns for the same property; each uses capture group 1.

Name            Optimized  Capture Group  Regex
Action          Yes        1              action\s?=(\w+)
Attack Mode     No         1              (?:attack-mode|attack_mode)=([^\t\^]+)
Content Type    No         1              fileType=([^\t\^]+)
                                          Content-Type:\s([^\:]+)\:\:\~\~
File Directory  Yes        1              filePath=([\/\w]+)(?=\/)
File Extension  Yes        1              filePath=+.*?\.([^.]*)[\s\t]+(?:dvchost)
File Hash       Yes        1              fileHash=(\w+)
Filename        Yes        1              filePath=+.*?\/([^\/]*?)[\s\t]+(?:dvchost)
                                          \^filePath=+.*?\/([^\/]*?)\^
                                          fname=([^\t\^]+)
Malware         Yes        1              (?:signame|sname)=([^\t\^]+)
                                          cs\dLabel=sname\scs\d=([^\t\^]+)
Malware Family  No         1              cs\dLabel=IOC Name\scs\d=([^\t\^]+)
Message         No         1              msg=([^\t\^]+)
OS Name         No         1              cs\dLabel=Target OS\scs\d=([^\t\^]+)
                                          osinfo=([^\t\^]+)
URL             Yes        1              cs\dLabel=link\scs\d=([^\t\^]+)
                                          (?:url|link)=([^\t^\^]+)

The File Path custom property is removed in Custom Properties for FireEye MPS Content Extension 2.1.0.
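To see how these patterns behave on an event, here is an added Python example (not part of the content extension or of IBM's documentation) that applies the 2.1.0 regexes to a line in the order listed and takes capture group 1, as a custom property does. The event lines are constructed samples, not real FireEye output; treating the fields as tab-separated key=value pairs and CEF-style csNLabel/csN pairs is an assumption drawn from the delimiters the patterns stop at (tab or caret), and the last sample shows why a space-delimited feed over-captures. QRadar evaluates the patterns with its own engine; Python's re accepts the same syntax for the patterns listed here.

```python
import re

# 2.1.0 custom properties from the table above (patterns copied as listed).
# Each property tries its regexes in order; capture group 1 is the value.
PROPERTIES = {
    "Action":         [r"action\s?=(\w+)"],
    "Attack Mode":    [r"(?:attack-mode|attack_mode)=([^\t\^]+)"],
    "Content Type":   [r"fileType=([^\t\^]+)", r"Content-Type:\s([^\:]+)\:\:\~\~"],
    "File Directory": [r"filePath=([\/\w]+)(?=\/)"],
    "File Extension": [r"filePath=+.*?\.([^.]*)[\s\t]+(?:dvchost)"],
    "File Hash":      [r"fileHash=(\w+)"],
    "Filename":       [r"filePath=+.*?\/([^\/]*?)[\s\t]+(?:dvchost)",
                       r"\^filePath=+.*?\/([^\/]*?)\^", r"fname=([^\t\^]+)"],
    "Malware":        [r"(?:signame|sname)=([^\t\^]+)", r"cs\dLabel=sname\scs\d=([^\t\^]+)"],
    "Malware Family": [r"cs\dLabel=IOC Name\scs\d=([^\t\^]+)"],
    "Message":        [r"msg=([^\t\^]+)"],
    "OS Name":        [r"cs\dLabel=Target OS\scs\d=([^\t\^]+)", r"osinfo=([^\t\^]+)"],
    "URL":            [r"cs\dLabel=link\scs\d=([^\t\^]+)", r"(?:url|link)=([^\t^\^]+)"],
}

def extract(event, props=PROPERTIES):
    """Return {property: value}; regexes are tried in order, first match wins (group 1)."""
    found = {}
    for name, patterns in props.items():
        for pat in patterns:
            m = re.search(pat, event)
            if m:
                found[name] = m.group(1)
                break
    return found

# Constructed sample events (not real FireEye output); values end at a tab or caret.
EVENT_KV = "\t".join([
    "action=notified", "sname=Trojan.Sample", "attack-mode=sandbox",
    "fileType=application/x-dosexec", "fileHash=0123abcd",
    "filePath=/tmp/inbound/invoice.pdf.exe", "dvchost=mps-sample",
    "msg=malware-object", "osinfo=Windows 7", "url=http://example.test/payload",
])
EVENT_CEF_LABELS = "\t".join([
    "cs1Label=sname cs1=Exploit.Sample", "cs2Label=IOC Name cs2=SampleFamily",
    "cs3Label=Target OS cs3=Windows 10", "cs4Label=link cs4=http://example.test/c2",
    "fname=dropper.bin", "Content-Type: text/html::~~",
])
# A space-delimited feed has no tab/caret terminator, so the Malware value
# runs on into the next field: "Trojan.Sample msg=hello".
EVENT_SPACE_DELIMITED = "sname=Trojan.Sample msg=hello"
if __name__ == "__main__":
    for line in (EVENT_KV, EVENT_CEF_LABELS, EVENT_SPACE_DELIMITED):
        print(extract(line))
```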

IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.2

The following table shows the custom properties that are updated in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.2.

Table 3. Changed Custom Properties in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.2

Name            Optimized  Capture Group  Regex
Filename        Yes        1              fname=([^\t\^]+)

IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.1

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.1.

Table 4. Changed Custom Properties in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.1

Name            Optimized  Capture Group  Regex
Message         No         1              msg=([^\t\^]+)

IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.0.

Table 5. Changed Custom Properties in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.0
Where a property lists more than one regex, the indented lines are alternative patterns for the same property; each uses capture group 1.

Name            Optimized  Capture Group  Regex
Attack Mode     Yes        1              (?:attack-mode|attack_mode)=([^\t\^]+)
Content Type    Yes        1              fileType=([^\t\^]+)
                                          Content-Type:\s([^\:]+)\:\:\~\~
File Path       Yes        1              filePath=([^\t\^]+)
Filename        Yes        1              fname=([^\t\^]+)
Malware         Yes        1              cs\dLabel=sname\scs\d=([^\t\^]+)
                                          (?:signame|sname)=([^\t\^]+)
Malware Family  Yes        1              cs\dLabel=IOC Name\scs\d=([^\t\^]+)
Message         Yes        1              msg=([^\t\^]+)
OS Name         Yes        1              osinfo=([^\t\^]+)
                                          cs\dLabel=Target OS\scs\d=([^\t\^]+)
Process Name    Yes        1              cs\dLabel=Process Name\scs\d=([^\t\^]+)
URL             Yes        1              (?:url|link)=([^\t^\^]+)
                                          cs\dLabel=link\scs\d=([^\t\^]+)

IBM Security QRadar Custom Properties for FireEye MPS Content Extension 1.0.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 1.0.0.

Table 6. Changed Custom Properties in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 1.0.0

Name            Optimized  Capture Group  Regex
Action          Yes        1              action\s?=(\w+)
File Hash       Yes        1              fileHash=(\w+)

Previous versions

For more information about previous versions of the IBM Security QRadar Custom Properties for FireEye MPS Content Extension, see IBM QRadar® FireEye MPS Content Extension.