ObserveIT

Use the IBM Security QRadar ObserveIT Content Extension to closely monitor your ObserveIT deployment.

Note: The custom property IDs for Alert ID and Alert Severity are updated in V1.0.1. If you have V1.0.0 of this extension installed, delete Alert ID and Alert Severity before you upgrade to the latest version.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar ObserveIT Content Extension V1.0.1

The following table shows the custom properties that are new or updated in IBM Security QRadar ObserveIT Content Extension V1.0.1.

Table 1. Custom Properties in IBM Security QRadar ObserveIT Content Extension V1.0.1
| Name | Optimized | Regex |
|---|---|---|
| Process Name | Yes | `ProcessName: "([^"]*)"` |


IBM Security QRadar ObserveIT Content Extension V1.0.0

The following table shows the custom properties that are new or updated in IBM Security QRadar ObserveIT Content Extension V1.0.0.

Table 2. Custom Properties in IBM Security QRadar ObserveIT Content Extension V1.0.0
| Name | Regex |
|---|---|
| Alert ID | `AlertID: "([^"]*)"` |
| Alert Rule Name | `RuleName: "([^"]*)"` |
| Alert Severity | `Severity: "([^"]*)"` |
| Alert Sql DB Name | `SqlDBName: "([^"]*)"` |
| Alert Sql User Name | `SqlUserName: "([^"]*)"` |
| Alert Time | `AlertTime: "([^"]*)"` |
| Application Name | `ApplicationName: "([^"]*)"` |
| Client Name | `ClientName: "([^"]*)"` |
| Command | `Command: "([^"]*)"` |
| Domain | `DomainName: "([^"]*)"` |
| OS | `OS: "([^"]*)"` |
| Process Name | `ProcessName: "([^"]*)"` |
| Screenshot ID | `ScreenshotID: "([^"]*)"` |
| Server Name | `ServerName: "([^"]*)"` |
| Session End Date | `SessionLastActivityDate: "([^"]*)"` |
| Session ID | `SessionID: "([^"]*)"` |
| Session Start Date | `SessionDate: "([^"]*)"` |
| User Authentication | `UserAuthentication: "([^"]*)"` |
| User Name | `UserName: "([^"]*)"` |
| Video URL | `VideoURL: "([^"]*)"` |
| Video URL Alert | `VideoURL: "([^"]*)"` |
| Video URL Session | `VideoURL: "([^"]*)"` |
| Window Title | `WindowTitle: "([^"]*)"` |
