Linux
The IBM Security QRadar Linux® content extension adds new custom event properties for Linux.
IBM Security QRadar Linux Content Extensions
- Custom Properties in Linux 1.1.3 content extension
- Custom Properties in Linux 1.1.2 content extension
- Custom Properties in Linux 1.1.1 content extension
- Custom Properties in Linux 1.1.0 content extension
- Custom Properties in Linux 1.0.1 content extension
- Custom Properties in Linux 1.0.0 content extension
Custom Properties in Linux 1.1.3 content extension
The following table shows the new custom properties in the IBM Security QRadar Linux 1.1.3 content extension.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
File Extension | Yes | 1 | item=\d+ name="(?:[^\"]+\/)*..*?\.([^\.]*?(?:\.[^\.]*?){0,1})" |
The following custom properties were renamed in the Linux 1.1.3 content extension.
Old Property Name | New Property Name |
---|---|
GroupID | Group ID |
Machine ID | Machine Identifier |
Process CommandLine | Command |
Process Id | Process ID |
UrlHost | URL Host |
Custom Properties in Linux 1.1.2 content extension
The following table shows the new custom properties in the IBM Security QRadar Linux 1.1.2 content extension.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Type | No | 1 | type=([^\s]*) |
Subject Account Name | Yes | 1 | Account Name:\s+(.*?)\s+Account Domain: |
Custom Properties in Linux 1.1.1 content extension
The following table shows the updated custom properties in the IBM Security QRadar Linux 1.1.1 content extension.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
File Directory | Yes | 1 | name="(.*?)\/" |
Process ID | Yes | 1 | \bpid=(\d+) \bpid=(\d+) \[(\d+)\]\:\s \bpid=(\d+) pid=(\d+) pid=(\d+) |
The description for the File Directory property was updated.
The expression ID for the Filename property was updated to prevent issues with another content pack.
Custom Properties in Linux 1.1.0 content extension
The following table shows the custom properties in the IBM Security QRadar Linux 1.1.0 content extension.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Architecture | Yes | 1 | arch=([0-9a-fA-F]+) |
Audit ID | Yes | 1 | auid=(\d+) |
Call Type | Yes | 1 | syscall=(\d+) |
Command | Yes | 1 | crontab\[\d+\]:\s+\(.*?\)\s+([^\s]+) |
Command Arguments | Yes | 1 | argc=\d+ ((a\d+="[^";]+?" ?)+) |
Encoded File Directory | Yes | 1 | item=\d+ name=((?:[A-F0-9]{2})*(?=2F(?:[A-F0-9]{2})*\s)) item=\d+ name=([A-F0-9]+) |
Encoded Filename | Yes | 1 | item=\d+ name=(?:(?:[A-F0-9]{2})+2F)*([A-F0-9]+) |
Error Code | Yes | 1 | exit=([^\s]+) |
File Directory | Yes | 1 | item=\d+ name=\"([^\s\"]+)(?=\/) exe=\"([\/\w]+)(?=\/) cwd="(.*?)" name="(.*?)"\s |
File Extension | Yes | 1 | item=\d+ name="(?:[^\"]+\/)*.*?\.([^\.]*?(?:\.[^\.]*?){0,1})" |
File Permissions | Yes | 1 | mode=(\d+) |
Filename | Yes | 1 | exe=\".*?\/([^\/]*?)\" item=\d+ name="(?:[^\"]+\/)*([^\"]+)" |
Group Name | Yes | 1 | group=([^,]+) |
Home Directory | No | 1 | PWD=(.*?)\s; |
Machine ID | Yes | 1 | ^(?:\S+\s+){3}(\S+) \bnode=([^\s]+) |
Parent Process ID | No | 1 | ppid=(\d+) |
Process CommandLine | Yes | 1 | CMD \((.*?)\) COMMAND=(.*) |
Process Id | No | 1 | pid=(\d+) \bpid=(\d+) |
Process Name | Yes | 1 | comm="(\w+)" |
Record Number | Yes | 1 | msg=audit\(.*?:(\d+)\) |
Terminal ID | No | 1 | tty=pts(\d+) |
UrlHost | Yes | 1 | (?:(?:http|ftp|tcp|ssl|https):\/\/)(.*?)(?=$|\s|\\|\"|\/|\:|\|) |
- Computer Name
- Process Directory
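The tables above list the expressions but not what they yield on a real auditd record. The following Python script is an added illustration, not code from the content extension or from IBM: it applies a selection of the expressions quoted from the tables to constructed SYSCALL, EXECVE and PATH records and returns capture group 1, as the Capture Group column says QRadar does. Where a Regex cell lists several expressions, the script uses one of them. The sample records and the helper names (`extract`, `extract_properties`, `decode_hex_name`, `pid_with_and_without_boundary`) are assumptions made for this example. It also shows why the later versions anchor the Process ID expression with `\b` (an unanchored `pid=` matches inside `ppid=` first) and how the Encoded Filename and Encoded File Directory captures decode, since auditd hex-encodes a path that contains spaces or control characters.

```python
import re

# Expressions quoted from the property tables on this page; QRadar stores capture group 1.
# Where a table cell lists several expressions, one of them is used here.
PROPERTIES = {
    "Record Number":          r'msg=audit\(.*?:(\d+)\)',
    "Architecture":           r'arch=([0-9a-fA-F]+)',
    "Call Type":              r'syscall=(\d+)',
    "Error Code":             r'exit=([^\s]+)',
    "Audit ID":               r'auid=(\d+)',
    "Parent Process ID":      r'ppid=(\d+)',
    "Process ID":             r'\bpid=(\d+)',
    "Process Name":           r'comm="(\w+)"',
    "Terminal ID":            r'tty=pts(\d+)',
    "File Permissions":       r'mode=(\d+)',
    "Command Arguments":      r'argc=\d+ ((a\d+="[^";]+?" ?)+)',
    "URL Host":               r'(?:(?:http|ftp|tcp|ssl|https):\/\/)(.*?)(?=$|\s|\\|\"|\/|\:|\|)',
    "File Directory":         r'item=\d+ name=\"([^\s\"]+)(?=\/)',
    "Filename":               r'item=\d+ name="(?:[^\"]+\/)*([^\"]+)"',
    "File Extension":         r'item=\d+ name="(?:[^\"]+\/)*..*?\.([^\.]*?(?:\.[^\.]*?){0,1})"',
    "Encoded File Directory": r'item=\d+ name=((?:[A-F0-9]{2})*(?=2F(?:[A-F0-9]{2})*\s))',
    "Encoded Filename":       r'item=\d+ name=(?:(?:[A-F0-9]{2})+2F)*([A-F0-9]+)',
}

# Constructed auditd records (not captured from a real host); one event spread over
# SYSCALL, EXECVE and PATH lines, plus a PATH line whose name auditd hex-encoded
# because the path "/tmp/my file.sh" contains a space.
SYSCALL = ('type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 '
           'a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 '
           'euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 '
           'comm="curl" exe="/usr/bin/curl" key="exec"')
EXECVE = 'type=EXECVE msg=audit(1700000000.123:4567): argc=3 a0="curl" a1="-s" a2="http://example.com/a.sh"'
PATH_PLAIN = ('type=PATH msg=audit(1700000000.123:4567): item=1 name="/tmp/payload.tar.gz" inode=12 '
              'dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL')
PATH_HEX = ('type=PATH msg=audit(1700000000.124:4568): item=0 name=2F746D702F6D792066696C652E7368 '
            'inode=13 dev=08:01 mode=0100755 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL')


def extract(line, pattern, group=1):
    """Return the capture group QRadar would store, or None when the expression does not match."""
    match = re.search(pattern, line)
    return match.group(group) if match else None


def extract_properties(line, properties=PROPERTIES):
    """Run every expression over one record and keep only the properties that matched."""
    found = {}
    for name, pattern in properties.items():
        value = extract(line, pattern)
        if value is not None:
            found[name] = value
    return found


def decode_hex_name(value):
    """Turn a captured hex-encoded PATH name (or directory prefix) back into text."""
    return bytes.fromhex(value).decode("utf-8", errors="replace")


def pid_with_and_without_boundary(line):
    """Unanchored pid=(\\d+) hits the 'pid=' inside 'ppid=' first and returns the parent PID;
    \\bpid=(\\d+), as used from 1.0.1 onwards, returns the process's own PID."""
    return extract(line, r'pid=(\d+)'), extract(line, r'\bpid=(\d+)')


if __name__ == "__main__":
    for label, record in (("SYSCALL", SYSCALL), ("EXECVE", EXECVE),
                          ("PATH", PATH_PLAIN), ("PATH (hex name)", PATH_HEX)):
        print(label)
        for name, value in extract_properties(record).items():
            print(f"  {name}: {value}")
    print("pid unanchored vs \\b-anchored:", pid_with_and_without_boundary(SYSCALL))
    hexed = extract_properties(PATH_HEX)
    print("decoded:", decode_hex_name(hexed["Encoded File Directory"]),
          decode_hex_name(hexed["Encoded Filename"]))
```

Each record type only satisfies the expressions written for it: the PATH line with a quoted name yields File Directory, Filename and File Extension but none of the Encoded properties, and the hex-encoded PATH line yields the reverse, which is why both families of expressions exist in the 1.1.0 table.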
Custom Properties in Linux 1.0.1 content extension
The following table shows the custom properties in the IBM Security QRadar Linux 1.0.1 content extension.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Computer Name | No | 1 | \bnode=([^\s]+) |
File Directory | Yes | 1 | exe=\"([\/\w]+)(?=\/) PWD=([\/\w]+)(?=\/) script=([\/\w]+)(?=\/) item=\d+ name="([^\"]*)\/[^\\]+?" |
Filename | Yes | 1 | exe=\".*?\/([^\/]*?)\" PWD=.*\/([^\/]*?); script=.*\/([^,]*),\saccount item=\d+ name="[^\"]+\/([^\"]+)" |
Group ID | Yes | 1 | (?i)gid=(\d+) uid\/euid\/gid\/egid\s=\s\d+\/\d+\/(\d+) |
Process CommandLine | Yes | 1 | ocomm="([^\"]+) |
Process Id | No | 1 | \bpid=(\d+) |
Process Name | No | 1 | exe=".*\/([^"]+)" START\:\s([^\s]+) EXIT\:\s([^\s]+) exe=\"[^\"]+\/([^"]+) |
Process Path | No | 1 | exe="([^"]+)" |
User ID | Yes | 1 | (?i)uid=(\d+) |
Custom Properties in Linux 1.0.0 content extension
The following table shows the custom properties in the IBM Security QRadar Linux 1.0.0 content extension.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Application | No | 1 | (\w+)\[\d+\]\:\s |
Command | No | 1 | COMMAND=([^\s]+) running\s([^\s]+)\scommand |
Computer Name | No | 1 | node=([^\s]+) |
Effective Group ID | No | 1 | uid\/euid\/gid\/egid\s=\s\d+\/\d+\/\d+\/(\d+) |
Effective User ID | No | 1 | euid=(\d+) uid\/euid\/gid\/egid\s=\s\d+\/(\d+) |
File Directory | Yes | 1 | exe=\"([\/\w]+)(?=\/) PWD=([\/\w]+)(?=\/) script=([\/\w]+)(?=\/) |
Filename | Yes | 1 | exe=\".*?\/([^\/]*?)\" PWD=.*\/([^\/]*?); script=.*\/([^,]*),\saccount |
Group Name | No | 1 | group=([^,]+) |
GroupID | No | 1 | gid=(\d+) uid\/euid\/gid\/egid\s=\s\d+\/\d+\/(\d+) |
Home Directory | No | 1 | home=([^,]+) |
Process Direction | No | 1 | direction=([^\s]+) |
Process Id | No | 1 | pid=(\d+) \[(\d+)\]\:\s |
Process Name | No | 1 | exe=".*\/([^"]+)" START\:\s([^\s]+) EXIT\:\s([^\s]+) |
Shell | No | 1 | shell=([^,]+) |
User ID | No | 1 | uid\/euid\/gid\/egid\s=\s(\d+)\/ uid=(\d+) |