Linux

The IBM Security QRadar Linux® content extension adds new custom event properties for Linux.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Linux Content Extensions

Custom Properties in Linux 1.1.3 content extension

The following table shows the new custom properties in the IBM Security QRadar Linux 1.1.3 content extension.

Table 1. New custom properties in Linux 1.1.3 content extension
Name | Optimized | Capture Group | Regex
File Extension | Yes | 1 | item=\d+ name="(?:[^\"]+\/)*..*?\.([^\.]*?(?:\.[^\.]*?){0,1})"

Table 2. New property names in Linux 1.1.3 content extension
Old Property Name | New Property Name
GroupID | Group ID
Machine ID | Machine Identifier
Process CommandLine | Command
Process Id | Process ID
UrlHost | URL Host

Custom Properties in Linux 1.1.2 content extension

The following table shows the new custom properties in the IBM Security QRadar Linux 1.1.2 content extension.

Table 3. New custom properties in Linux 1.1.2 content extension
Name | Optimized | Capture Group | Regex
Type | No | 1 | type=([^\s]*)
Subject Account Name | Yes | 1 | Account Name:\s+(.*?)\s+Account Domain:

Custom Properties in Linux 1.1.1 content extension

The following table shows the updated custom properties in the IBM Security QRadar Linux 1.1.1 content extension.

Table 4. Custom properties in Linux 1.1.1 content extension
Name | Optimized | Capture Group | Regex
File Directory | Yes | 1 | name="(.*?)\/"
Process ID | Yes | 1 | \bpid=(\d+)
 | | | \bpid=(\d+)
 | | | \[(\d+)\]\:\s
 | | | \bpid=(\d+)
 | | | pid=(\d+)
 | | | pid=(\d+)

The description of the File Directory property was updated.

The expression ID of the Filename property was updated to prevent issues with another content pack.

Custom Properties in Linux 1.1.0 content extension

The following table shows the custom properties in the IBM Security QRadar Linux 1.1.0 content extension.

Table 5. Custom Properties in Linux 1.1.0 content extension
Name | Optimized | Capture Group | Regex
Architecture | Yes | 1 | arch=([0-9a-fA-F]+)
Audit ID | Yes | 1 | auid=(\d+)
Call Type | Yes | 1 | syscall=(\d+)
Command | Yes | 1 | crontab\[\d+\]:\s+\(.*?\)\s+([^\s]+)
Command Arguments | Yes | 1 | argc=\d+ ((a\d+="[^";]+?" ?)+)
Encoded File Directory | Yes | 1 | item=\d+ name=((?:[A-F0-9]{2})*(?=2F(?:[A-F0-9]{2})*\s))
 | | | item=\d+ name=([A-F0-9]+)
Encoded Filename | Yes | 1 | item=\d+ name=(?:(?:[A-F0-9]{2})+2F)*([A-F0-9]+)
Error Code | Yes | 1 | exit=([^\s]+)
File Directory | Yes | 1 | item=\d+ name=\"([^\s\"]+)(?=\/)
 | | | exe=\"([\/\w]+)(?=\/)
 | | | cwd="(.*?)"
 | | | name="(.*?)"\s
File Extension | Yes | 1 | item=\d+ name="(?:[^\"]+\/)*.*?\.([^\.]*?(?:\.[^\.]*?){0,1})"
File Permissions | Yes | 1 | mode=(\d+)
Filename | Yes | 1 | exe=\".*?\/([^\/]*?)\"
 | | | item=\d+ name="(?:[^\"]+\/)*([^\"]+)"
Group Name | Yes | 1 | group=([^,]+)
Home Directory | No | 1 | PWD=(.*?)\s;
Machine ID | Yes | 1 | ^(?:\S+\s+){3}(\S+)
 | | | \bnode=([^\s]+)
Parent Process ID | No | 1 | ppid=(\d+)
Process CommandLine | Yes | 1 | CMD \((.*?)\)
 | | | COMMAND=(.*)
Process Id | No | 1 | pid=(\d+)
 | | | \bpid=(\d+)
Process Name | Yes | 1 | comm="(\w+)"
Record Number | Yes | 1 | msg=audit\(.*?:(\d+)\)
Terminal ID | No | 1 | tty=pts(\d+)
UrlHost | Yes | 1 | (?:(?:http|ftp|tcp|ssl|https):\/\/)(.*?)(?=$|\s|\\|\"|\/|\:|\|)
The following custom properties are removed in the IBM Security QRadar Linux 1.1.0 content extension:
  • Computer Name
  • Process Directory
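As an added example that is not part of the IBM content extension, the following Python applies several of the Linux 1.1.0 regexes from Table 5 to constructed auditd records. It shows why the Encoded File Directory and Encoded Filename properties exist: auditd hex-encodes a path name that contains a space, quote or control character and emits it without quotes, so the quoted-name regexes return nothing for that record. Trying a property's multiple expressions in table order and keeping the first capture is an assumption about QRadar's behaviour.

```python
import re

# Regexes copied from the Linux 1.1.0 table. Where the table lists several expressions
# for one property they are tried in table order, first capture wins (assumed order).
PROPERTIES = {
    "Process Name": [r'comm="(\w+)"'],
    "Command Arguments": [r'argc=\d+ ((a\d+="[^";]+?" ?)+)'],
    "File Directory": [r'item=\d+ name=\"([^\s\"]+)(?=\/)', r'exe=\"([\/\w]+)(?=\/)',
                       r'cwd="(.*?)"', r'name="(.*?)"\s'],
    "Filename": [r'exe=\".*?\/([^\/]*?)\"', r'item=\d+ name="(?:[^\"]+\/)*([^\"]+)"'],
    "File Extension": [r'item=\d+ name="(?:[^\"]+\/)*.*?\.([^\.]*?(?:\.[^\.]*?){0,1})"'],
    "Encoded File Directory": [r'item=\d+ name=((?:[A-F0-9]{2})*(?=2F(?:[A-F0-9]{2})*\s))',
                               r'item=\d+ name=([A-F0-9]+)'],
    "Encoded Filename": [r'item=\d+ name=(?:(?:[A-F0-9]{2})+2F)*([A-F0-9]+)'],
}

# Constructed auditd records for one execve of tar (not captured from a real host).
SYSCALL = ('type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=59 '
           'success=yes exit=0 items=2 pid=1234 auid=1000 comm="tar" exe="/usr/bin/tar"')
EXECVE = 'type=EXECVE msg=audit(1700000000.123:4567): argc=3 a0="tar" a1="-czf" a2="backup.tar.gz"'
PATH_QUOTED = ('type=PATH msg=audit(1700000000.123:4567): item=1 '
               'name="/home/alice/.config/settings.tar.gz" inode=1234 nametype=NORMAL')
# auditd hex-encodes "/tmp/my notes.txt" (it contains a space) and drops the quotes.
PATH_HEX = ('type=PATH msg=audit(1700000000.123:4567): item=1 '
            'name=2F746D702F6D79206E6F7465732E747874 inode=1235 nametype=NORMAL')

def extract(record):
    """Return {property: first capture or None} for one audit record."""
    found = {}
    for prop, patterns in PROPERTIES.items():
        matches = (re.search(p, record) for p in patterns)
        first = next((m for m in matches if m), None)
        found[prop] = first.group(1) if first else None
    return found

def decode_hex_name(hex_value):
    """Turn an auditd hex-encoded name back into text."""
    return bytes.fromhex(hex_value).decode("utf-8", errors="replace")

def parse_path_record(record):
    """(directory, filename, was_hex_encoded) for a PATH record; the quoted-name
    regexes miss hex-encoded names, so both property families are needed."""
    props = extract(record)
    if props["Filename"] is not None:
        return props["File Directory"], props["Filename"], False
    if props["Encoded Filename"] is None:
        return None, None, False
    enc_dir = props["Encoded File Directory"]
    return (decode_hex_name(enc_dir) if enc_dir else None,
            decode_hex_name(props["Encoded Filename"]), True)
```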


Custom Properties in Linux 1.0.1 content extension

The following table shows the custom properties in the IBM Security QRadar Linux 1.0.1 content extension.

Table 6. Custom Properties in Linux 1.0.1 content extension
Name | Optimized | Capture Group | Regex
Computer Name | No | 1 | \bnode=([^\s]+)
File Directory | Yes | 1 | exe=\"([\/\w]+)(?=\/)
 | | | PWD=([\/\w]+)(?=\/)
 | | | script=([\/\w]+)(?=\/)
 | | | item=\d+ name="([^\"]*)\/[^\\]+?"
Filename | Yes | 1 | exe=\".*?\/([^\/]*?)\"
 | | | PWD=.*\/([^\/]*?);
 | | | script=.*\/([^,]*),\saccount
 | | | item=\d+ name="[^\"]+\/([^\"]+)"
Group ID | Yes | 1 | (?i)gid=(\d+)
 | | | uid\/euid\/gid\/egid\s=\s\d+\/\d+\/(\d+)
Process CommandLine | Yes | 1 | ocomm="([^\"]+)
Process Id | No | 1 | \bpid=(\d+)
Process Name | No | 1 | exe=".*\/([^"]+)"
 | | | START\:\s([^\s]+)
 | | | EXIT\:\s([^\s]+)
 | | | exe=\"[^\"]+\/([^"]+)
Process Path | No | 1 | exe="([^"]+)"
User ID | Yes | 1 | (?i)uid=(\d+)


Custom Properties in Linux 1.0.0 content extension

The following table shows the custom properties in the IBM Security QRadar Linux 1.0.0 content extension.

Table 7. Custom Properties in Linux 1.0.0 content extension
Name | Optimized | Capture Group | Regex
Application | No | 1 | (\w+)\[\d+\]\:\s
Command | No | 1 | COMMAND=([^\s]+)
 | | | running\s([^\s]+)\scommand
Computer Name | No | 1 | node=([^\s]+)
Effective Group ID | No | 1 | uid\/euid\/gid\/egid\s=\s\d+\/\d+\/\d+\/(\d+)
Effective User ID | No | 1 | euid=(\d+)
 | | | uid\/euid\/gid\/egid\s=\s\d+\/(\d+)
File Directory | Yes | 1 | exe=\"([\/\w]+)(?=\/)
 | | | PWD=([\/\w]+)(?=\/)
 | | | script=([\/\w]+)(?=\/)
Filename | Yes | 1 | exe=\".*?\/([^\/]*?)\"
 | | | PWD=.*\/([^\/]*?);
 | | | script=.*\/([^,]*),\saccount
Group Name | No | 1 | group=([^,]+)
GroupID | No | 1 | gid=(\d+)
 | | | uid\/euid\/gid\/egid\s=\s\d+\/\d+\/(\d+)
Home Directory | No | 1 | home=([^,]+)
Process Direction | No | 1 | direction=([^\s]+)
Process Id | No | 1 | pid=(\d+)
 | | | \[(\d+)\]\:\s
Process Name | No | 1 | exe=".*\/([^"]+)"
 | | | START\:\s([^\s]+)
 | | | EXIT\:\s([^\s]+)
Shell | No | 1 | shell=([^,]+)
User ID | No | 1 | uid\/euid\/gid\/egid\s=\s(\d+)\/
 | | | uid=(\d+)
