Custom Properties Dictionary
These properties are place holders. Install content extensions that contain these properties to make use of them.
Some rules in QRadar or other content extensions make use of custom properties that are available in multiple content extensions. For example, the Potential Homoglyph Usage rule in the IBM Security Threat content extension uses the URLHost custom property, which can be found in several content extensions. While you can create your own custom properties, it's a best practice to use an existing custom property rather than create your own whenever possible.
The placeholder properties in this content extension are meant to let you know about the existence of custom properties that are available to you. You can search the IBM® X-Force® Exchange portal (https://exchange.xforce.ibmcloud.com/) for any of these properties to find the content extensions that contain them.
- IBM Security QRadar Custom Properties Dictionary 1.4.0
- IBM Security QRadar Custom Properties Dictionary 1.3.1
- IBM Security QRadar Custom Properties Dictionary 1.3.0
- IBM Security QRadar Custom Properties Dictionary 1.2.1
- IBM Security QRadar Custom Properties Dictionary 1.2.0
- IBM Security QRadar Custom Properties Dictionary 1.1.0
- IBM Security QRadar Custom Properties Dictionary 1.0.0
IBM Security QRadar Custom Properties Dictionary 1.4.0
The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties Dictionary 1.4.0.
| Name | Optimized |
|---|---|
| Suject Account Name | Yes |
| Terminal ID | No |
| Record Number | Yes |
| Call Type | Yes |
| Encoded File Directory | Yes |
| Encoded Filename | Yes |
| Attribute New Value | No |
| Authentication Package | Yes |
| Target Server Name | No |
| Initiated | Yes |
| Logon Process | Yes |
| Encoded Argument | Yes |
| Access | Yes |
| Scope | No |
| Machine Identifier | Yes |
| Account Security ID | No |
| Description | No |
| SAM Account Name | No |
| Target User Domain | No |
| User Principal Name | No |
| Target Account Security ID | No |
| User Right | No |
| Ticket Encryption Type | Yes |
| Extended Error Code | Yes |
| IMP Hash | Yes |
| Impersonation Level | Yes |
| Terminated Process Name | Yes |
| Taerget File Directory | No |
| Integrity Level | Yes |
| Consumer Destination | Yes |
| Relative Target Name | No |
| Call Trace | No |
| Granted Access | Yes |
| Attribute Old Value | No |
| Signed | Yes |
| Type | No |
| File Permission | Yes |
IBM Security QRadar Custom Properties Dictionary 1.3.1
The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties Dictionary 1.3.1.
| Name | Optimized |
|---|---|
| Process Id | Yes |
| Referrer URL | Yes |
IBM Security QRadar Custom Properties Dictionary 1.3.0
The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties Dictionary 1.3.0.
| Name | Optimized |
|---|---|
| API Path | No |
| Architecture | Yes |
| Audit ID | Yes |
| Authentication Type | No |
| Command Arguments | Yes |
| Connection Direction | No |
| DNS Request Domain | No |
| Effective Group ID | No |
| Effective User ID | Yes |
| Event Type | No |
| Finding ID | No |
| Logon ID | Yes |
| Module name | No |
| Packet Type | No |
| Parent File Directory | Yes |
| Parent File Extension | Yes |
| Parent Filename | Yes |
| Parent MD5 | No |
| Parent SHA1 Hash | No |
| Parent SHA256 Hash | No |
| Response Code | No |
| Server Response Time | Yes |
| Tactic | No |
| Technique | No |
| Token Elevation Type | Yes |
| Transaction ID | No |
The following custom properties are removed in IBM Security QRadar Custom Properties Dictionary 1.3.0.
- ACF2 rule key
- Allowed cipher priority order
- CICS terminal id
- Dormant Offense Count
- Events per Second Coalesced - Average 1 Min
- Events per Second Coalesced - Peak 1 Sec
- Events per Second Raw - Average 1 Min
- Events per Second Raw - Peak 1 Sec
- FIPS 140 compliance
- Flow Source
- Flows per Second - Average 15 Min
- Flows per Second - Peak 1 Min
- Identity Context name
- Identity Context registry
- JES line
- JES remote terminal name
- Member name
- NJE node name
- Peak EPS Rate
- Physical DASD box serial
- Previous CRE Name
- RACF authority used
- RACF profile
- SNA global network name
- SNA terminal name
- System SMF id
IBM Security QRadar Custom Properties Dictionary 1.2.1
The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties Dictionary 1.2.1.
| Name | Optimized |
|---|---|
| Application Category | Yes |
IBM Security QRadar Custom Properties Dictionary 1.2.0
Several regex expression IDs are updated to avoid conflicts with other content extensions.
IBM Security QRadar Custom Properties Dictionary 1.1.0
The following table shows the custom properties in IBM Security QRadar Custom Properties Dictionary 1.1.0.
| Name | Optimized |
|---|---|
| Elapsed Time | No |
| MD5 Hash | Yes |
| SHA1 Hash | Yes |
| SHA256 Hash | Yes |
IBM Security QRadar Custom Properties Dictionary 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties Dictionary 1.0.0.
| Name | Optimized |
|---|---|
| Access allowed | Yes |
| Access intent | Yes |
| Access Mask | Yes |
| Account Name | Yes |
| AccountDomain | Yes |
| AccountID | No |
| ACF2 rule key | Yes |
| Action | Yes |
| Action Result | No |
| Alert Sql DB Name | No |
| Alert Sql User Name | No |
| Alert_Category | No |
| Allowed cipher priority order | No |
| Analyzer | No |
| Analyzer Host Name | No |
| Analyzer Name | No |
| API Search ID | Yes |
| Application | Yes |
| Application Category | No |
| Application name | Yes |
| Application Type | Yes |
| Browser info | No |
| Bypass request | No |
| Bytes | No |
| BytesReceived | Yes |
| BytesSent | Yes |
| ChangedAttributes | No |
| CICS terminal id | Yes |
| Command | Yes |
| Completion code | Yes |
| Completion status | Yes |
| Content Type | No |
| CPU_Usage | Yes |
| CRE Description | Yes |
| CRE Name | Yes |
| Criticality Rating | No |
| Current SQL id | Yes |
| Data set name | Yes |
| Database Name | Yes |
| Database Username | No |
| DD name | Yes |
| Deployment ID | Yes |
| Destination Host Name | Yes |
| Destination Interface | Yes |
| Destination Zone | No |
| Detection Engine | No |
| Device Name | No |
| Distinguished Name | No |
| DNS Request Type | No |
| Domain | No |
| Dormant Offense Count | Yes |
| Email Subject | No |
| Error Code | Yes |
| EventID | Yes |
| Events per Second Coalesced - Average 1 Min | Yes |
| Events per Second Coalesced - Peak 1 Sec | Yes |
| Events per Second Raw - Average 1 Min | Yes |
| Events per Second Raw - Peak 1 Sec | Yes |
| Execution Status | No |
| File Directory | Yes |
| File Extension | Yes |
| File Hash | Yes |
| File ID | Yes |
| File Path | No |
| File Size | No |
| Filename | Yes |
| FIPS 140 compliance | No |
| Flow Source | Yes |
| Flows per Second - Average 15 Min | Yes |
| Flows per Second - Peak 1 Min | Yes |
| Function code | Yes |
| Group Domain | No |
| Group Name | Yes |
| Group Security ID | No |
| GroupID | Yes |
| Home Directory | No |
| Hostname | Yes |
| Identity Context name | Yes |
| Identity Context registry | Yes |
| Initiator User Name | Yes |
| InstanceID | Yes |
| IOC Name | No |
| IOC Value | No |
| JES line | Yes |
| JES remote terminal name | Yes |
| Job name | Yes |
| Job number | Yes |
| Job tag | No |
| Location | No |
| Log string | Yes |
| Login Risk Score | No |
| Logon Type | Yes |
| Machine ID | Yes |
| Member name | Yes |
| Message | No |
| MessageID | Yes |
| Method | No |
| Name | No |
| Network Interface | No |
| Network Security Group | No |
| NJE node name | Yes |
| Object Name | No |
| ObjectType | Yes |
| Old data set name | Yes |
| Operation ID | No |
| Operation Type | No |
| Originating Host | Yes |
| OS Name | No |
| OS Patch Level | No |
| OS Vendor | No |
| OS Version | No |
| Packets | No |
| Packets Received | No |
| Packets Sent | No |
| Parent | Yes |
| Parent GUID | No |
| Parent Hash | No |
| Parent MD5 | No |
| Parent Path | No |
| Parent Process Guid | No |
| Parent Process ID | No |
| Parent Process Name | Yes |
| Parent Process Path | Yes |
| ParentCommndLine | Yes |
| Peak EPS Rate | No |
| Physical DASD box serial | Yes |
| PipeName | Yes |
| Policy Category | No |
| Policy Classification | No |
| Policy ID | No |
| Policy Name | Yes |
| Policy Violation ID | No |
| Port of entry | Yes |
| Previous CRE Name | Yes |
| Priority | No |
| Process Direction | No |
| Process Guid | No |
| Process Id | No |
| Process Name | Yes |
| Process Path | Yes |
| PS Encoded Command | Yes |
| RACF authority used | Yes |
| RACF profile | Yes |
| Recipient Host | Yes |
| Recipient_User | Yes |
| Referrer URL | No |
| Region | Yes |
| Registry Key | Yes |
| Registry Value Data | Yes |
| Registry Value Name | Yes |
| Reported By | No |
| Resource sensitivity | Yes |
| Retention Period | No |
| Role Name | Yes |
| Rule Action | No |
| Rule ID | No |
| Rule Name | Yes |
| RunLevel | Yes |
| Search Executed | Yes |
| Sender | Yes |
| Sensitive groups | Yes |
| Sensitive user privileges | Yes |
| Service Name | Yes |
| ServiceFileName | Yes |
| Session ID | No |
| Share Name | Yes |
| SharePath | No |
| Shell | No |
| SNA global network name | Yes |
| SNA terminal name | Yes |
| Source Host Name | Yes |
| Source Interface | No |
| SourceImage | Yes |
| SQL Command | No |
| StartAddress | Yes |
| StartFunction | Yes |
| StartModule | Yes |
| Status | Yes |
| Step name | Yes |
| Storage Name | Yes |
| Subject | Yes |
| Submitted by | Yes |
| Subscriber | No |
| Subscription ID | No |
| Subsystem name | Yes |
| System SMF id | Yes |
| System Status | Yes |
| Target Account Security ID | No |
| Target Computer Domain | No |
| Target Computer Name | No |
| Target Image Name | Yes |
| Target User Name | Yes |
| TargetImage | No |
| TaskName | No |
| Threat Category | No |
| Threat Family | No |
| Threat ID | No |
| Threat Name | Yes |
| Threat Score | No |
| Threat Severity | No |
| Threat Type | No |
| TLS Client Cert | No |
| TLS encryption family | No |
| TLS encryption key length | No |
| TLS key exchange method | No |
| TLS message digest | No |
| TLS or SSL protocol level | No |
| TLS RFC level | No |
| Transaction name | Yes |
| UNIX access origin | Yes |
| UNIX function | Yes |
| URL | Yes |
| URL Path | No |
| URL Query String | No |
| URL Scheme | No |
| UrlHost | Yes |
| User Agent | No |
| User Authentication | No |
| User Domain | No |
| User ID | Yes |
| UserType | Yes |
| Volume serial | Yes |
| Watchlist Name | No |
| Watchlists | No |
| Web Category | Yes |