FireEye MPS
The IBM Security QRadar Custom Properties for FireEye MPS Content Extension adds new custom properties for FireEye MPS.
About the Custom Properties for FireEye MPS extension
Use the IBM Security QRadar Custom Properties for FireEye MPS content extension to use your FireEye MPS event data more efficiently in searches or reports.
- IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.1.1
- IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.1.0
- IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.2
- IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.1
- IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.0
- IBM Security QRadar Custom Properties for FireEye MPS Content Extension 1.0.0
IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.1.1
The following table shows the custom properties that are updated in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.1.1.
Name | Property ID |
---|---|
Threat Name | 266b1a2c-deb7-47d5-b082-f7cac7b5477c |
Threat Family | 3cb93d92-fbeb-4fd5-9e02-50a280898911 |
IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.1.0
The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.1.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Action | Yes | 1 | action\s?=(\w+) |
Attack Mode | No | 1 | (?:attack-mode|attack_mode)=([^\t\^]+) |
Content Type | No | 1 | fileType=([^\t\^]+) Content-Type:\s([^\:]+)\:\:\~\~ |
File Directory | Yes | 1 | filePath=([\/\w]+)(?=\/) |
File Extension | Yes | 1 | filePath=+.*?\.([^.]*)[\s\t]+(?:dvchost) |
File Hash | Yes | 1 | fileHash=(\w+) |
Filename | Yes | 1 | filePath=+.*?\/([^\/]*?)[\s\t]+(?:dvchost) \^filePath=+.*?\/([^\/]*?)\^ fname=([^\t\^]+) |
Malware | Yes | 1 | (?:signame|sname)=([^\t\^]+) cs\dLabel=sname\scs\d=([^\t\^]+) |
Malware Family | No | 1 | cs\dLabel=IOC Name\scs\d=([^\t\^]+) |
Message | No | 1 | msg=([^\t\^]+) |
OS Name | No | 1 | cs\dLabel=Target OS\scs\d=([^\t\^]+) osinfo=([^\t\^]+) |
URL | Yes | 1 | cs\dLabel=link\scs\d=([^\t\^]+) (?:url|link)=([^\t^\^]+) |
The File Path custom property is removed in Custom Properties for FireEye MPS Content Extension 2.1.0.
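The expressions from the 2.1.0 table, applied to two constructed event payloads so that the capture results can be checked. This is an added example, not part of the IBM content extension; it assumes that where a property lists several expressions the first one that matches is taken, and the host names, paths and URLs in the sample events are made up.

```python
import re

# Expressions copied from the 2.1.0 table above. Where a property lists several
# expressions, this example tries them in the listed order and keeps the first
# match (an assumption made here about evaluation order, not QRadar's own logic).
PROPERTIES_2_1_0 = {
    "Action": [r"action\s?=(\w+)"],
    "Attack Mode": [r"(?:attack-mode|attack_mode)=([^\t\^]+)"],
    "Content Type": [r"fileType=([^\t\^]+)", r"Content-Type:\s([^\:]+)\:\:\~\~"],
    "File Directory": [r"filePath=([\/\w]+)(?=\/)"],
    "File Extension": [r"filePath=+.*?\.([^.]*)[\s\t]+(?:dvchost)"],
    "File Hash": [r"fileHash=(\w+)"],
    "Filename": [r"filePath=+.*?\/([^\/]*?)[\s\t]+(?:dvchost)",
                 r"\^filePath=+.*?\/([^\/]*?)\^", r"fname=([^\t\^]+)"],
    "Malware": [r"(?:signame|sname)=([^\t\^]+)", r"cs\dLabel=sname\scs\d=([^\t\^]+)"],
    "Malware Family": [r"cs\dLabel=IOC Name\scs\d=([^\t\^]+)"],
    "Message": [r"msg=([^\t\^]+)"],
    "OS Name": [r"cs\dLabel=Target OS\scs\d=([^\t\^]+)", r"osinfo=([^\t\^]+)"],
    "URL": [r"cs\dLabel=link\scs\d=([^\t\^]+)", r"(?:url|link)=([^\t^\^]+)"],
}

def extract(event, expressions, group=1):
    """Return capture group 1 of the first expression that matches, else None."""
    for pattern in expressions:
        match = re.search(pattern, event)
        if match:
            return match.group(group)
    return None

def parse_event(event):
    """Evaluate every 2.1.0 property against one raw event payload."""
    return {name: extract(event, exprs) for name, exprs in PROPERTIES_2_1_0.items()}

# Constructed sample payloads (not real FireEye output). The first is CEF-style
# with tab-separated extension fields; the second is the caret-delimited form
# that the "\^filePath=" Filename expression is written for.
CEF_EVENT = "\t".join([
    "CEF:0|FireEye|MPS|0.0|MO|malware-object|7|",
    "action=notified", "sname=Trojan.Downloader",
    "cs1Label=IOC Name cs1=Emotet", "cs2Label=Target OS cs2=Windows 10",
    "cs3Label=link cs3=https://mps.example/ui/alerts/1",
    "fileType=application/x-dosexec", "filePath=/tmp/quarantine/payload.exe",
    "dvchost=fireeye-mps01", "fileHash=0123456789abcdef0123456789abcdef",
    "msg=Malware object detected",
])
CARET_EVENT = "^".join([
    "fireeye-mps01", "attack_mode=email", "signame=Exploit.PDF.Generic",
    "filePath=/srv/mail/attachments/invoice.pdf", "fname=invoice.pdf",
    "url=http://mps.example/dl/invoice", "osinfo=Windows 7", "",
])
```

Note that File Extension comes back empty for the caret-delimited event: its expression requires a `dvchost` field to follow the path, so it only fills on payloads that carry that field.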
IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.2
The following table shows the custom properties that are updated in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.2.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Filename | Yes | 1 | fname=([^\t\^]+) |
IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.1
The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.1.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Message | No | 1 | msg=([^\t\^]+) |
IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.0
The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 2.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Attack Mode | Yes | 1 | (?:attack-mode|attack_mode)=([^\t\^]+) |
Content Type | Yes | 1 | fileType=([^\t\^]+) Content-Type:\s([^\:]+)\:\:\~\~ |
File Path | Yes | 1 | filePath=([^\t\^]+) |
Filename | Yes | 1 | fname=([^\t\^]+) |
Malware | Yes | 1 | cs\dLabel=sname\scs\d=([^\t\^]+) (?:signame|sname)=([^\t\^]+) |
Malware Family | Yes | 1 | cs\dLabel=IOC Name\scs\d=([^\t\^]+) |
Message | Yes | 1 | msg=([^\t\^]+) |
OS Name | Yes | 1 | osinfo=([^\t\^]+) cs\dLabel=Target OS\scs\d=([^\t\^]+) |
Process Name | Yes | 1 | cs\dLabel=Process Name\scs\d=([^\t\^]+) |
URL | Yes | 1 | (?:url|link)=([^\t^\^]+) cs\dLabel=link\scs\d=([^\t\^]+) |
IBM Security QRadar Custom Properties for FireEye MPS Content Extension 1.0.0
The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for FireEye MPS Content Extension 1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Action | Yes | 1 | action\s?=(\w+) |
File Hash | Yes | 1 | fileHash=(\w+) |
Previous versions
For more information about previous versions of the IBM Security QRadar Custom Properties for FireEye MPS Content Extension, see IBM QRadar® FireEye MPS Content Extension.