Juniper Junos OS

The IBM® QRadar Juniper Junos Content Extension 1.0.0 adds new custom event properties for Juniper Junos OS.

IBM QRadar Juniper Junos Content Extension 1.0.0

The following table shows the custom event properties in IBM QRadar® Juniper Junos Content Extension 1.0.0.

Table 1.

Property Name        Optimized  Capture Group  Regex
-------------------  ---------  -------------  ------------------------------------------------
jnprHostname         No         1              ^<\S+\S+\s\S+.\s(\S+).?
jnprProtocolID       Yes        1              protocol-id="(.*?)"\s
jnprPolicyName       Yes        1              policy-name="(\S+?)"\s
jnprAppCategory      Yes        1              application-category="(\S+?)"\s
jnprAppSubCategory   Yes        1              application-sub-category="(\S+?)"\s
jnprAppRisk          Yes        1              application-risk="(\S+?)"\s
jnprBytesClient      Yes        1              bytes-from-client="(\d*)"\s
jnprPktServer        Yes        1              packets-from-server="(\d*)"\s
jnprBytesServer      Yes        1              bytes-from-server="(\d*)"\s
jnprTenant           Yes        1              logical-system-name="(\S+?)"\s
jnprCSAction         Yes        1              \saction\=\"(.*?)\"\s?
jnprCSRuleName       Yes        1              \srule-name\=\"(\S+)\"
jnprCSFileinfo       No         2              \s(filename|file-type|file-name)\=\"(\S+)\"
jnprCSReason         Yes        1              \sreason\=\"(.*?)\"\s?
jnprCSProfileName    Yes        1              \sprofile-name\=\"(\S+)\"
jnprURL              Yes        1              url\=\"(\S+?)\"
jnprCSFileCategory   Yes        1              file-category\=\"(\S+?)\"
jnprSSLSNI           Yes        1              sni\=\"(\S+?)\"
jnprCSProtocol       Yes        1              protocol\=\"(\S+)\"
jnprVirusInfo        Yes        1              virus-info\=\"(\S+?)\"
jnprVerdict          Yes        1              verdict-number\=\"(\S+?)\"
jnprWFCategory       Yes        1              category\=\"(\S+?)\"
jnprWFCategoryRisk   Yes        1              urlcategory-risk\=\"(\S+?)\"
jnprATPActionDetail  Yes        1              action-detail\=\"(\S+?)\"
jnprATPHttpHost      Yes        1              http-host\=\"(\S+?)\"
jnprATPThreatSev     Yes        1              threat-severity\=\"(\S+?)\"
jnprATPFeedName      Yes        1              feed-name\=\"(\S+?)\"
jnprAamwMWInfo       Yes        1              malware-info\=\"(\S+?)\"
jnprAamwLastHit      Yes        1              last-hit\=\"(\S+?)\"
jnprAamwFileHash     Yes        1              file-hash-lookup\=\"(\S+?)\"
jnprDNSQuery         Yes        1              query-type\=\"(\S+?)\"
jnprDNSQueryType     Yes        1              query-type\=\"(\S+?)\"
jnprDNSModel         Yes        1              \sdns-model\=\"(\S+?)\"
jnprDNSVrfName       Yes        1              vrf-name\=\"(\S+?)\"
jnprDNSVrfID         Yes        1              vrf-id\=\"(\S+?)\"
jnprAuthClientAdd    Yes        1              \sclient-address\=\"(\S+?)\"
jnprAuthGrpName      Yes        1              \sgroup-name\=\"(\S+?)\"
jnprAttackName       Yes        1              \sattack-name\=\"(\S+?)\"
jnprCVE              Yes        1              \scve-id\=\"(\S+?)\"
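Before building rules or searches on these properties, it is worth checking what each regex actually extracts from the events your SRX sends. The following added example (not part of the IBM documentation or the content extension) applies a subset of the regexes from the table, with their capture group numbers, to two constructed Junos structured-syslog events; hostnames, addresses and field values are made up. It also shows one behaviour of the patterns that end in `"\s`: they need whitespace after the closing quote, so in the sample a field that immediately precedes the closing `]` of the structured-data block is not extracted.

```python
import re

# A subset of the custom event property definitions from the table above:
# (property name, capture group, regex), copied as listed on the page.
PROPERTIES = [
    ("jnprPolicyName", 1, r'policy-name="(\S+?)"\s'),
    ("jnprAppCategory", 1, r'application-category="(\S+?)"\s'),
    ("jnprBytesClient", 1, r'bytes-from-client="(\d*)"\s'),
    ("jnprBytesServer", 1, r'bytes-from-server="(\d*)"\s'),
    ("jnprPktServer", 1, r'packets-from-server="(\d*)"\s'),
    ("jnprTenant", 1, r'logical-system-name="(\S+?)"\s'),
    ("jnprCSAction", 1, r'\saction\=\"(.*?)\"\s?'),
    ("jnprCSFileinfo", 2, r'\s(filename|file-type|file-name)\=\"(\S+)\"'),
]


def extract(event, properties=PROPERTIES):
    """Apply every property regex to one raw event and return {name: value}.

    Mirrors how a regex-based custom property behaves: the value is the
    selected capture group of the first match, or None when the regex
    does not match the event at all.
    """
    values = {}
    for name, group, pattern in properties:
        match = re.search(pattern, event)
        values[name] = match.group(group) if match else None
    return values


# Constructed sample events (hostnames, addresses and values are made up),
# shaped like Junos structured-data syslog from an SRX.
SESSION_CLOSE = (
    '<14>1 2024-05-01T10:00:00.000Z srx-fw RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.1.1.5" '
    'policy-name="allow-web" bytes-from-client="1234" bytes-from-server="56789" '
    'packets-from-server="42" application-category="Web" '
    'logical-system-name="root-logical-system"]'
)
UTM_BLOCK = (
    '<14>1 2024-05-01T10:00:01.000Z srx-fw RT_UTM - ANTIVIRUS_VIRUS_DETECTED '
    '[junos@2636.1.1.1.2.129 action="BLOCKED" file-name="invoice.exe" '
    'reason="virus detected" profile-name="av-default" ]'
)

if __name__ == "__main__":
    # jnprTenant comes back as None: the last field is followed by "]", not whitespace.
    for name, value in extract(SESSION_CLOSE).items():
        print(f"{name:18} {value!r}")
```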