Microsoft ISA

Use the IBM Security QRadar Custom Properties for Microsoft ISA to closely monitor your Microsoft ISA deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Custom Properties for Microsoft ISA 1.0.0

The following table shows the custom properties in IBM Security QRadar Custom Properties for Microsoft ISA 1.0.0.

Table 1. Custom Properties in IBM Security QRadar Custom Properties for Microsoft ISA 1.0.0
Name            Optimized  Capture Group  Regex
BytesReceived   Yes        1              sc-bytes=(\d+)
                                          (?i)Bytes Received=(\d+)
BytesSent       No         1              (?i)Bytes Sent=(\d+)
                                          cs-bytes=(\d+)
Error Code      Yes        1              error-info=(.*?)\t
                                          (?i)Error info=(.*?)\t
Hostname        Yes        1              (?i)Server Name=(.*?)\t
                                          r-host=(.*?)\t
Method          No         1              (?i)HTTP Method=(.*?)\t
                                          s-operation=(.*?)\t
Referrer URL    Yes        1              cs-referred=(.*?)\t
                                          (?i)Referring Server=(.*?)\t
Rule Name       Yes        1              rule=(.*?)\t
                                          (?i)Rule=(.*?)\t
Service Name    Yes        1              (?i)Service=(.*?)\t
URL             Yes        1              cs-uri=(.*?)\t
                                          (?i)URL=(.*?)\t
UrlHost         Yes        1              cs-uri=(?:http|ftp|tcp|ssl|https):\/\/(.*?)\/
                                          (?i)URL=(?:http|ftp|tcp|ssl|https):\/\/(.*?)\/
User Agent      Yes        1              (?i)Client Agent=(.*?)\t
                                          c-agent=(.*?)\t