Juniper Junos OS
The IBM® QRadar Juniper Junos Content Extension 1.0.0 adds new custom event properties for Juniper Junos OS.
IBM QRadar Juniper Junos Content Extension 1.0.0
The following table shows the custom event properties in IBM QRadar® Juniper Junos Content Extension 1.0.0.
| Property Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| jnprHostname | No | 1 | ^<\S+\S+\s\S+.\s(\S+).? |
| jnprProtocolID | Yes | 1 | protocol-id="(.*?)"\s |
| jnprPolicyName | Yes | 1 | policy-name="(\S+?)"\s |
| jnprAppCategory | Yes | 1 | application-category="(\S+?)"\s |
| jnprAppSubCategory | Yes | 1 | application-sub-category="(\S+?)"\s |
| jnprAppRisk | Yes | 1 | application-risk="(\S+?)"\s |
| jnprBytesClient | Yes | 1 | bytes-from-client="(\d*)"\s |
| jnprPktServer | Yes | 1 | packets-from-server="(\d*)"\s |
| jnprBytesServer | Yes | 1 | bytes-from-server="(\d*)"\s |
| jnprTenant | Yes | 1 | logical-system-name="(\S+?)"\s |
| jnprCSAction | Yes | 1 | \saction\=\"(.*?)\"\s? |
| jnprCSRuleName | Yes | 1 | \srule-name\=\"(\S+)\" |
| jnprCSFileinfo | No | 2 | \s(filename\|file-type\|file-name)\=\"(\S+)\" |
| jnprCSReason | Yes | 1 | \sreason\=\"(.*?)\"\s? |
| jnprCSProfileName | Yes | 1 | \sprofile-name\=\"(\S+)\" |
| jnprURL | Yes | 1 | url\=\"(\S+?)\" |
| jnprCSFileCategory | Yes | 1 | file-category\=\"(\S+?)\" |
| jnprSSLSNI | Yes | 1 | sni\=\"(\S+?)\" |
| jnprCSProtocol | Yes | 1 | protocol\=\"(\S+)\" |
| jnprVirusInfo | Yes | 1 | virus-info\=\"(\S+?)\" |
| jnprVerdict | Yes | 1 | verdict-number\=\"(\S+?)\" |
| jnprWFCategory | Yes | 1 | category\=\"(\S+?)\" |
| jnprWFCategoryRisk | Yes | 1 | urlcategory-risk\=\"(\S+?)\" |
| jnprATPActionDetail | Yes | 1 | action-detail\=\"(\S+?)\" |
| jnprATPHttpHost | Yes | 1 | http-host\=\"(\S+?)\" |
| jnprATPThreatSev | Yes | 1 | threat-severity\=\"(\S+?)\" |
| jnprATPFeedName | Yes | 1 | feed-name\=\"(\S+?)\" |
| jnprAamwMWInfo | Yes | 1 | malware-info\=\"(\S+?)\" |
| jnprAamwLastHit | Yes | 1 | last-hit\=\"(\S+?)\" |
| jnprAamwFileHash | Yes | 1 | file-hash-lookup\=\"(\S+?)\" |
| jnprDNSQuery | Yes | 1 | query-type\=\"(\S+?)\" |
| jnprDNSQueryType | Yes | 1 | query-type\=\"(\S+?)\" |
| jnprDNSModel | Yes | 1 | \sdns-model\=\"(\S+?)\" |
| jnprDNSVrfName | Yes | 1 | vrf-name\=\"(\S+?)\" |
| jnprDNSVrfID | Yes | 1 | vrf-id\=\"(\S+?)\" |
| jnprAuthClientAdd | Yes | 1 | \sclient-address\=\"(\S+?)\" |
| jnprAuthGrpName | Yes | 1 | \sgroup-name\=\"(\S+?)\" |
| jnprAttackName | Yes | 1 | \sattack-name\=\"(\S+?)\" |
| jnprCVE | Yes | 1 | \scve-id\=\"(\S+?)\" |
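The regexes in the table are applied by QRadar to each Junos structured-data syslog line; the following added example (not part of the content extension or of IBM's documentation) runs a subset of them, copied verbatim with their capture-group index, over constructed events to show what each property yields. It assumes the usual `<PRI>1 timestamp host process - EVENT [junos@... attr="value" ...]` layout; the event names, hostname and attribute values in the sample lines are constructed.

```python
import re

# Regexes copied verbatim from the table above (a subset), with the table's
# capture-group index; the patterns are the content extension's, not new ones.
PROPERTIES = {
    "jnprHostname":     (r'^<\S+\S+\s\S+.\s(\S+).?', 1),
    "jnprProtocolID":   (r'protocol-id="(.*?)"\s', 1),
    "jnprPolicyName":   (r'policy-name="(\S+?)"\s', 1),
    "jnprBytesClient":  (r'bytes-from-client="(\d*)"\s', 1),
    "jnprBytesServer":  (r'bytes-from-server="(\d*)"\s', 1),
    "jnprTenant":       (r'logical-system-name="(\S+?)"\s', 1),
    "jnprCSReason":     (r'\sreason\=\"(.*?)\"\s?', 1),
    "jnprCSFileinfo":   (r'\s(filename|file-type|file-name)\=\"(\S+)\"', 2),
    "jnprDNSQuery":     (r'query-type\=\"(\S+?)\"', 1),
    "jnprDNSQueryType": (r'query-type\=\"(\S+?)\"', 1),
}


def extract(event: str) -> dict:
    """Run every property regex over one event and return name -> captured
    group; properties whose regex does not match are left out, just as the
    custom property stays empty in QRadar."""
    found = {}
    for name, (pattern, group) in PROPERTIES.items():
        m = re.search(pattern, event)
        if m:
            found[name] = m.group(group)
    return found


# Constructed sample events (not captured from a device) in the Junos
# structured-data syslog layout; event names and values are placeholders.
SESSION_CLOSE = (
    '<14>1 2024-05-01T12:00:00.000Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" protocol-id="6" '
    'policy-name="allow-web" bytes-from-client="1234" bytes-from-server="5678" '
    'logical-system-name="tenant-a" ]'
)
FILE_EVENT = (
    '<14>1 2024-05-01T12:00:01.000Z fw01 RT_UTM - CS_EVENT_PLACEHOLDER '
    '[junos@2636.1.1.1.2.129 file-name="invoice.pdf" reason="virus detected" ]'
)
DNS_EVENT = (
    '<14>1 2024-05-01T12:00:02.000Z fw01 RT_DNS - DNS_EVENT_PLACEHOLDER '
    '[junos@2636.1.1.1.2.129 query-type="A" ]'
)

if __name__ == "__main__":
    for ev in (SESSION_CLOSE, FILE_EVENT, DNS_EVENT):
        print(extract(ev))
    # Several patterns end in \s, so an attribute written directly before the
    # closing "]" is not captured: jnprTenant disappears from this variant.
    print("jnprTenant" in extract(SESSION_CLOSE.replace(' ]', ']')))
```

Two points the table alone does not show: patterns that end in `\s` miss an attribute placed last before the closing `]` with no space after it, and jnprDNSQuery and jnprDNSQueryType as listed share the same `query-type` regex, so they always return the same value.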