Microsoft ISA
Use the IBM Security QRadar Custom Properties for Microsoft ISA to closely monitor your Microsoft ISA deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Microsoft ISA 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Microsoft ISA 1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
BytesReceived | Yes | 1 | `sc-bytes=(\d+)`<br>`(?i)Bytes Received=(\d+)` |
BytesSent | No | 1 | `(?i)Bytes Sent=(\d+)`<br>`cs-bytes=(\d+)` |
Error Code | Yes | 1 | `error-info=(.*?)\t`<br>`(?i)Error info=(.*?)\t` |
Hostname | Yes | 1 | `(?i)Server Name=(.*?)\t`<br>`r-host=(.*?)\t` |
Method | No | 1 | `(?i)HTTP Method=(.*?)\t`<br>`s-operation=(.*?)\t` |
Referrer URL | Yes | 1 | `cs-referred=(.*?)\t`<br>`(?i)Referring Server=(.*?)\t` |
Rule Name | Yes | 1 | `rule=(.*?)\t`<br>`(?i)Rule=(.*?)\t` |
Service Name | Yes | 1 | `(?i)Service=(.*?)\t` |
URL | Yes | 1 | `cs-uri=(.*?)\t`<br>`(?i)URL=(.*?)\t` |
UrlHost | Yes | 1 | `cs-uri=(?:http\|ftp\|tcp\|ssl\|https):\/\/(.*?)\/`<br>`(?i)URL=(?:http\|ftp\|tcp\|ssl\|https):\/\/(.*?)\/` |
User Agent | Yes | 1 | `(?i)Client Agent=(.*?)\t`<br>`c-agent=(.*?)\t` |