Custom Properties Dictionary

These properties are place holders. Install content extensions that contain these properties to make use of them.

Some rules in QRadar or other content extensions make use of custom properties that are available in multiple content extensions. For example, the Potential Homoglyph Usage rule in the IBM Security Threat content extension uses the URLHost custom property, which can be found in several content extensions. While you can create your own custom properties, it's a best practice to use an existing custom property rather than create your own whenever possible.

The placeholder properties in this content extension are meant to let you know about the existence of custom properties that are available to you. You can search the IBM® X-Force® Exchange portal (https://exchange.xforce.ibmcloud.com/) for any of these properties to find the content extensions that contain them.

IBM Security QRadar Custom Properties Dictionary 1.4.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties Dictionary 1.4.0.

Table 1. New or updated custom properties in IBM Security QRadar Custom Properties Dictionary 1.4.0
Name Optimized
Suject Account Name Yes
Terminal ID No
Record Number Yes
Call Type Yes
Encoded File Directory Yes
Encoded Filename Yes
Attribute New Value No
Authentication Package Yes
Target Server Name No
Initiated Yes
Logon Process Yes
Encoded Argument Yes
Access Yes
Scope No
Machine Identifier Yes
Account Security ID No
Description No
SAM Account Name No
Target User Domain No
User Principal Name No
Target Account Security ID No
User Right No
Ticket Encryption Type Yes
Extended Error Code Yes
IMP Hash Yes
Impersonation Level Yes
Terminated Process Name Yes
Taerget File Directory No
Integrity Level Yes
Consumer Destination Yes
Relative Target Name No
Call Trace No
Granted Access Yes
Attribute Old Value No
Signed Yes
Type No
File Permission Yes

IBM Security QRadar Custom Properties Dictionary 1.3.1

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties Dictionary 1.3.1.

Table 2. New or updated custom properties in IBM Security QRadar Custom Properties Dictionary 1.3.1
Name Optimized
Process Id Yes
Referrer URL Yes

IBM Security QRadar Custom Properties Dictionary 1.3.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties Dictionary 1.3.0.

Table 3. New or updated custom properties in IBM Security QRadar Custom Properties Dictionary 1.3.0
Name Optimized
API Path No
Architecture Yes
Audit ID Yes
Authentication Type No
Command Arguments Yes
Connection Direction No
DNS Request Domain No
Effective Group ID No
Effective User ID Yes
Event Type No
Finding ID No
Logon ID Yes
Module name No
Packet Type No
Parent File Directory Yes
Parent File Extension Yes
Parent Filename Yes
Parent MD5 No
Parent SHA1 Hash No
Parent SHA256 Hash No
Response Code No
Server Response Time Yes
Tactic No
Technique No
Token Elevation Type Yes
Transaction ID No

The following custom properties are removed in IBM Security QRadar Custom Properties Dictionary 1.3.0.

  • ACF2 rule key
  • Allowed cipher priority order
  • CICS terminal id
  • Dormant Offense Count
  • Events per Second Coalesced - Average 1 Min
  • Events per Second Coalesced - Peak 1 Sec
  • Events per Second Raw - Average 1 Min
  • Events per Second Raw - Peak 1 Sec
  • FIPS 140 compliance
  • Flow Source
  • Flows per Second - Average 15 Min
  • Flows per Second - Peak 1 Min
  • Identity Context name
  • Identity Context registry
  • JES line
  • JES remote terminal name
  • Member name
  • NJE node name
  • Peak EPS Rate
  • Physical DASD box serial
  • Previous CRE Name
  • RACF authority used
  • RACF profile
  • SNA global network name
  • SNA terminal name
  • System SMF id

IBM Security QRadar Custom Properties Dictionary 1.2.1

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties Dictionary 1.2.1.

Table 4. New or updated custom properties in IBM Security QRadar Custom Properties Dictionary 1.2.1
Name Optimized
Application Category Yes

IBM Security QRadar Custom Properties Dictionary 1.2.0

Several regex expression IDs are updated to avoid conflicts with other content extensions.

IBM Security QRadar Custom Properties Dictionary 1.1.0

The following table shows the custom properties in IBM Security QRadar Custom Properties Dictionary 1.1.0.

Table 5. Custom Properties in IBM Security QRadar Custom Properties Dictionary 1.1.0
Name Optimized
Elapsed Time No
MD5 Hash Yes
SHA1 Hash Yes
SHA256 Hash Yes

(Back to top)

IBM Security QRadar Custom Properties Dictionary 1.0.0

The following table shows the custom properties in IBM Security QRadar Custom Properties Dictionary 1.0.0.

Table 6. Custom Properties in IBM Security QRadar Custom Properties Dictionary 1.0.0
Name Optimized
Access allowed Yes
Access intent Yes
Access Mask Yes
Account Name Yes
AccountDomain Yes
AccountID No
ACF2 rule key Yes
Action Yes
Action Result No
Alert Sql DB Name No
Alert Sql User Name No
Alert_Category No
Allowed cipher priority order No
Analyzer No
Analyzer Host Name No
Analyzer Name No
API Search ID Yes
Application Yes
Application Category No
Application name Yes
Application Type Yes
Browser info No
Bypass request No
Bytes No
BytesReceived Yes
BytesSent Yes
ChangedAttributes No
CICS terminal id Yes
Command Yes
Completion code Yes
Completion status Yes
Content Type No
CPU_Usage Yes
CRE Description Yes
CRE Name Yes
Criticality Rating No
Current SQL id Yes
Data set name Yes
Database Name Yes
Database Username No
DD name Yes
Deployment ID Yes
Destination Host Name Yes
Destination Interface Yes
Destination Zone No
Detection Engine No
Device Name No
Distinguished Name No
DNS Request Type No
Domain No
Dormant Offense Count Yes
Email Subject No
Error Code Yes
EventID Yes
Events per Second Coalesced - Average 1 Min Yes
Events per Second Coalesced - Peak 1 Sec Yes
Events per Second Raw - Average 1 Min Yes
Events per Second Raw - Peak 1 Sec Yes
Execution Status No
File Directory Yes
File Extension Yes
File Hash Yes
File ID Yes
File Path No
File Size No
Filename Yes
FIPS 140 compliance No
Flow Source Yes
Flows per Second - Average 15 Min Yes
Flows per Second - Peak 1 Min Yes
Function code Yes
Group Domain No
Group Name Yes
Group Security ID No
GroupID Yes
Home Directory No
Hostname Yes
Identity Context name Yes
Identity Context registry Yes
Initiator User Name Yes
InstanceID Yes
IOC Name No
IOC Value No
JES line Yes
JES remote terminal name Yes
Job name Yes
Job number Yes
Job tag No
Location No
Log string Yes
Login Risk Score No
Logon Type Yes
Machine ID Yes
Member name Yes
Message No
MessageID Yes
Method No
Name No
Network Interface No
Network Security Group No
NJE node name Yes
Object Name No
ObjectType Yes
Old data set name Yes
Operation ID No
Operation Type No
Originating Host Yes
OS Name No
OS Patch Level No
OS Vendor No
OS Version No
Packets No
Packets Received No
Packets Sent No
Parent Yes
Parent GUID No
Parent Hash No
Parent MD5 No
Parent Path No
Parent Process Guid No
Parent Process ID No
Parent Process Name Yes
Parent Process Path Yes
ParentCommndLine Yes
Peak EPS Rate No
Physical DASD box serial Yes
PipeName Yes
Policy Category No
Policy Classification No
Policy ID No
Policy Name Yes
Policy Violation ID No
Port of entry Yes
Previous CRE Name Yes
Priority No
Process Direction No
Process Guid No
Process Id No
Process Name Yes
Process Path Yes
PS Encoded Command Yes
RACF authority used Yes
RACF profile Yes
Recipient Host Yes
Recipient_User Yes
Referrer URL No
Region Yes
Registry Key Yes
Registry Value Data Yes
Registry Value Name Yes
Reported By No
Resource sensitivity Yes
Retention Period No
Role Name Yes
Rule Action No
Rule ID No
Rule Name Yes
RunLevel Yes
Search Executed Yes
Sender Yes
Sensitive groups Yes
Sensitive user privileges Yes
Service Name Yes
ServiceFileName Yes
Session ID No
Share Name Yes
SharePath No
Shell No
SNA global network name Yes
SNA terminal name Yes
Source Host Name Yes
Source Interface No
SourceImage Yes
SQL Command No
StartAddress Yes
StartFunction Yes
StartModule Yes
Status Yes
Step name Yes
Storage Name Yes
Subject Yes
Submitted by Yes
Subscriber No
Subscription ID No
Subsystem name Yes
System SMF id Yes
System Status Yes
Target Account Security ID No
Target Computer Domain No
Target Computer Name No
Target Image Name Yes
Target User Name Yes
TargetImage No
TaskName No
Threat Category No
Threat Family No
Threat ID No
Threat Name Yes
Threat Score No
Threat Severity No
Threat Type No
TLS Client Cert No
TLS encryption family No
TLS encryption key length No
TLS key exchange method No
TLS message digest No
TLS or SSL protocol level No
TLS RFC level No
Transaction name Yes
UNIX access origin Yes
UNIX function Yes
URL Yes
URL Path No
URL Query String No
URL Scheme No
UrlHost Yes
User Agent No
User Authentication No
User Domain No
User ID Yes
UserType Yes
Volume serial Yes
Watchlist Name No
Watchlists No
Web Category Yes

(Back to top)