Custom Property Extraction
The app performs custom property extractions on the Audit Events and Traffic Summary Events that the QRadar instance receives over syslog. The app ships a single Log Source Type whose extractions handle both the JSON and the LEEF encodings of those events.
The following table lists the extractions (both JSON and LEEF) performed by the app. Where a property name appears more than once, each row is a separate expression for the same property — typically one matching the JSON form of the event and one matching the LEEF form — and the Enabled column shows whether that expression is active out of the box. Note that several expressions locate a nested key with an unanchored `.*?` (for example the `action`, `agent` and `created_by` rows) or a greedy `.*` (the `"data":.*"src_ip"` row), so they capture the first (or, for `.*`, the last) occurrence of the key after the parent token and can pick up a same-named key from a neighbouring object if the expected one is absent; treat the resulting values accordingly when building rules on them.
Custom Property Name | Custom Property Expressions | Enabled |
|---|---|---|
Action Api Endpoint | "?action"?[:=]\{.*?"api_endpoint":"?(.*?)"?[,}] | FALSE |
Action Api Method | "?action"?[:=]\{.*?"api_method":"?(.*?)"?[,}] | FALSE |
Action Errors | "action":.*?"errors":"?\[(.*?)\]"? | FALSE |
Action HTTP Status Code | "?action"?[:=]\{.*?"http_status_code":"?(.*?)"?[,}] | FALSE |
Action UUID | "?action"?[:=]\{.*?"uuid":"?(.*?)"?[,}] | FALSE |
Agent Hostname | "?agent"?[:=]\{.*?"hostname":"?(.*?)"?[,}] | FALSE |
Agent Href | "?agent"?[:=]\{.*?"href":"?(.*?)"?[,}] | FALSE |
Created By Agent Href | "?created_by"?[:=]\{.*?"agent":\{.*?"href":"?(.*?)"?[,}] | FALSE |
Created By User Href | "?created_by"?[:=]\{.*?"user":\{.*?"href":"?(.*?)"?[,}] | FALSE |
Created By User Username | "?created_by"?[:=]\{.*?"user":\{.*?"username":"?(.*?)"?[,}] | FALSE |
Destination Hostname | (\"dst_hostname\":\s*\"|dstHostname=)(.*?)(\"|\s) | TRUE |
Destination Href | (\"dst_href\":\s*\"|dstHref=)(.*?)(\"|\s) | FALSE |
Destination IPV4 or IPV6 | dst=([\S]+?)((\s)) | TRUE |
Destination IPV4 or IPV6 | "dst_ip":\"(.*?)\" | TRUE |
Destination Labels App | (dstLabels=|\"dst_labels\":)\{[^\}]*?\"app\":\"(.*?)\" | TRUE |
Destination Labels Environment | (dstLabels=|\"dst_labels\":)\{[^\}]*?\"env\":\"(.*?)\" | TRUE |
Destination Labels Location | (dstLabels=|\"dst_labels\":)\{[^\}]*?\"loc\":\"(.*?)\" | TRUE |
Destination Labels Role | (dstLabels=|\"dst_labels\":)\{[^\}]*?\"role\":\"(.*?)\" | TRUE |
Direction | (\"dir\":\s*\"|dir=)(.*?)(\"|\s) | TRUE |
Event Href | event_href=([^\s\t]+) | TRUE |
Event Href Data | "?eventHref"?[=:]"?([^\s\t,}"]+)"? | FALSE |
Event Severity | sev=(.*?)\s+ | TRUE |
Event Severity | "?severity"?[=:]"?([^\s\t,}"]+)"? | TRUE |
Hostname | (\s)(\S+?)(\s)illumio_pce | TRUE |
Href | "?href"?[=:]"?([^\s\t,}"]+)"? | TRUE |
Interval Sec | (intervalSec|"interval_sec"?)\s*[:=]?\s*(\d+(\.\d+)?) | FALSE |
Notifications | "?notifications"?[:=]\[(.*)\] | FALSE |
Outcome | outcome=([^\s\t]+) | FALSE |
PCE FQDN | pce_fqdn=([^\s\t]+) | FALSE |
PCE FQDN | "pce_fqdn":"?(.*?)"?[,}] | FALSE |
Request Id | requestId=([^\s\t]+) | FALSE |
Sec | sec=([^\s\t]+) | FALSE |
Source Hostname | (\"src_hostname\":\s*\"|srcHostname=)(.*?)(\"|\s) | TRUE |
Source Href | (\"src_href\":\s*\"|srcHref=)(.*?)(\"|\s) | FALSE |
Source IPV4 or IPV6 | "src_ip":\"(.*?)\" | TRUE |
Source IPV4 or IPV6 | "data":.*"src_ip":\"(.*?)\" | TRUE |
Source IPV4 or IPV6 | src=([\S]+?)((\s)) | TRUE |
Source Labels App | (srcLabels=|\"src_labels\":)\{[^\}]*?\"app\":\"(.*?)\" | TRUE |
Source Labels Environment | (srcLabels=|\"src_labels\":)\{[^\}]*?\"env\":\"(.*?)\" | TRUE |
Source Labels Location | (srcLabels=|\"src_labels\":)\{[^\}]*?\"loc\":\"(.*?)\" | TRUE |
Source Labels Role | (srcLabels=|\"src_labels\":)\{[^\}]*?\"role\":\"(.*?)\" | TRUE |
Status | "?status"?[=:]"?([^\s\t,}"]+)"? | TRUE |
Total Bytes In | "?tbi"?[:=]"?(.*?)"?[,}] | FALSE |
Total Bytes Out | "?tbo"?[:=]"?(.*?)"?[,}] | FALSE |
Traffic Count | count=([\S]+?)((\s)) | TRUE |
Traffic Count | "count":(\d+) | TRUE |
URL | url=([^\s\t]+) | FALSE |
Version | "?version"?[=:]"?([^\s\t,}"]+)"? | TRUE |