Bit9 Security Platform

The security content pack adds custom event properties to the Bit9 Security Platform appliance.

JSA uses JDBC to collect standard auditing, authentication, and system events from Bit9 Security Platform. This security content pack contains custom event properties for important fields that administrators can use in reports or searches. The content pack RPM adds these custom event properties on top of the custom event properties that JSA already provides.

JSA Bit9 Security Platform Content Extension V1.0.2

The following table shows the custom properties that were updated in JSA Bit9 Security Platform Content Extension V1.0.2.

Table 1: Updated Custom Properties in JSA Bit9 Security Platform Content Extension V1.0.2

Name    | Optimized
--------|----------
Message | No

JSA Bit9 Security Platform Content Extension V1.0.1

The following table shows the custom properties that were updated in JSA Bit9 Security Platform Content Extension V1.0.1.

Table 2: Updated Custom Properties in JSA Bit9 Security Platform Content Extension V1.0.1

Name                  | Optimized | Capture Group | Regex
----------------------|-----------|---------------|-------------------------------
Ban Name              | Yes       | 1             | banName=([^\t]+)[\t]*
Destination Host Name | Yes       | 1             | dstHostName=([^\t]+)[\t]*
External ID           | Yes       | 1             | externalId=([^\t]+)[\t]*
File Hash             | Yes       | 1             | fileHash=([^\t]+)[\t]*
File ID               | Yes       | 1             | fileId=([^\t]+)[\t]*
File Path             | No        | 1             | filePath=([^\t]+)[\t]*
File Threat           | Yes       | 1             | fileThreat=([^\t]+)[\t]*
File Trust            | Yes       | 1             | fileTrust=([^\t]+)[\t]*
Filename              | Yes       | 1             | fileName=([^\t]+)[\t]*
Indicator Name        | No        | 1             | indicatorName=([^\t]+)[\t]*
Installer Filename    | Yes       | 1             | installerFileName=([^\t]+)[\t]*
Message               | Yes       | 1             | msg=([^\t]+)[\t]*
Parity Policy         | Yes       | 1             | policy=([^\t]+)[\t]*
Process Key           | Yes       | 1             | processKey=([^\t]+)[\t]*
Process Threat        | Yes       | 1             | processThreat=([^\t]+)[\t]*
Process Trust         | Yes       | 1             | processTrust=([^\t]+)[\t]*
Received Time         | Yes       | 1             | receivedTime=([^\t]+)[\t]*
Root Hash             | Yes       | 1             | rootHash=([^\t]+)[\t]*
Rule Name             | Yes       | 1             | ruleName=([^\t]+)[\t]*
Source Host Name      | Yes       | 1             | srcHostName=([^\t]+)[\t]*
Source Process        | Yes       | 1             | srcProcess=([^\t]+)[\t]*
Updater Name          | No        | 1             | updaterName=([^\t]+)[\t]*

JSA Bit9 Security Platform Content Extension V1.0.0

The following table shows the custom properties in JSA Bit9 Security Platform Content Extension V1.0.0.

Table 3: Custom Properties in JSA Bit9 Security Platform Content Extension V1.0.0

Name           | Description
---------------|------------------------------------------------------------------------------
Ban Name       | Ban name that identifies why the Bit9 Agent blocked an access to a file.
Indicator Name | Name of the threat indicator associated with the event, if present.
File Threat    | File threat from the Bit9 SRS of the file associated with the event. Pending implies that the SRS lookup was not yet performed. This is a numeric value: -2 = pending, -1 = unknown, 0 = no threat, 1 = potential risk, 2 = malicious.
File Trust     | File trust from the Bit9 SRS of the file associated with the event. Pending implies that the SRS lookup was not yet performed. This is a numeric value: -2 = pending, -1 = unknown, 0-10 = trust value.
Process Key    | Unique proprietary key identifying the instance of the process on a specific computer.
Process Threat | Process threat from the Bit9 SRS of the process associated with the event. Pending implies that the SRS lookup was not yet performed but will be.
Process Trust  | Process trust from the Bit9 SRS of the process associated with the event. Pending implies that the SRS lookup was not yet performed but will be.
Updater Name   | Updater name related to the event.
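The following script is an added example and is not part of the Juniper documentation or of the content extension itself. It shows what the custom properties in Table 2 actually do when JSA applies them: each regex is run against an event payload, capture group 1 becomes the property value, and a property whose key is absent from the event simply yields no value. It then decodes the numeric File Threat and File Trust codes described in Table 3 into the labels an analyst would expect in a report. The sample event is constructed for this example, and the tab-separated key=value layout is an assumption inferred from the `[^\t]` character class used in every regex.

```python
import re

# Regex patterns copied verbatim from Table 2 (V1.0.1); capture group 1 holds the value.
CUSTOM_PROPERTY_REGEX = {
    "Ban Name": r"banName=([^\t]+)[\t]*",
    "Destination Host Name": r"dstHostName=([^\t]+)[\t]*",
    "External ID": r"externalId=([^\t]+)[\t]*",
    "File Hash": r"fileHash=([^\t]+)[\t]*",
    "File ID": r"fileId=([^\t]+)[\t]*",
    "File Path": r"filePath=([^\t]+)[\t]*",
    "File Threat": r"fileThreat=([^\t]+)[\t]*",
    "File Trust": r"fileTrust=([^\t]+)[\t]*",
    "Filename": r"fileName=([^\t]+)[\t]*",
    "Indicator Name": r"indicatorName=([^\t]+)[\t]*",
    "Installer Filename": r"installerFileName=([^\t]+)[\t]*",
    "Message": r"msg=([^\t]+)[\t]*",
    "Parity Policy": r"policy=([^\t]+)[\t]*",
    "Process Key": r"processKey=([^\t]+)[\t]*",
    "Process Threat": r"processThreat=([^\t]+)[\t]*",
    "Process Trust": r"processTrust=([^\t]+)[\t]*",
    "Received Time": r"receivedTime=([^\t]+)[\t]*",
    "Root Hash": r"rootHash=([^\t]+)[\t]*",
    "Rule Name": r"ruleName=([^\t]+)[\t]*",
    "Source Host Name": r"srcHostName=([^\t]+)[\t]*",
    "Source Process": r"srcProcess=([^\t]+)[\t]*",
    "Updater Name": r"updaterName=([^\t]+)[\t]*",
}
COMPILED = {name: re.compile(rx) for name, rx in CUSTOM_PROPERTY_REGEX.items()}

# File Threat codes from Table 3 (V1.0.0).
FILE_THREAT_LABELS = {
    -2: "Pending",
    -1: "Unknown",
    0: "No threat",
    1: "Potential risk",
    2: "Malicious",
}

# Constructed sample event (not captured from a real appliance): tab-separated key=value
# fields, which is the layout assumed from the regex character class [^\t].
SAMPLE_EVENT = "\t".join([
    "receivedTime=2015-04-02 10:15:30",
    "srcHostName=WS-0042",
    "dstHostName=FILESRV-01",
    "fileName=dropper.exe",
    "filePath=C:\\Users\\alice\\Downloads",
    "fileHash=0123456789abcdef0123456789abcdef01234567",
    "fileThreat=2",
    "fileTrust=0",
    "processThreat=-2",
    "processTrust=-2",
    "policy=Default Policy",
    "ruleName=Block unapproved executables",
    "banName=Unapproved file",
    "msg=File execution blocked",
])


def extract_custom_properties(event: str) -> dict:
    """Apply every Table 2 regex to the event; return {property name: group 1 value}.

    Properties whose key is not present in the payload are omitted, which is how
    a missing field shows up (as empty) in a JSA search or report.
    """
    props = {}
    for name, pattern in COMPILED.items():
        match = pattern.search(event)
        if match:
            props[name] = match.group(1)
    return props


def decode_file_threat(raw):
    """Map the numeric File Threat code from Table 3 to its label; None if unrecognised."""
    try:
        return FILE_THREAT_LABELS.get(int(raw))
    except (TypeError, ValueError):
        return None


def decode_file_trust(raw):
    """Map the numeric File Trust code from Table 3: -2 pending, -1 unknown, 0-10 trust."""
    try:
        code = int(raw)
    except (TypeError, ValueError):
        return None
    if code == -2:
        return "Pending"
    if code == -1:
        return "Unknown"
    if 0 <= code <= 10:
        return f"Trust {code}/10"
    return None  # Outside the documented range; do not guess a label.


def summarize(event: str) -> dict:
    """Extract the properties and attach human-readable SRS labels for reporting."""
    props = extract_custom_properties(event)
    props["File Threat Label"] = decode_file_threat(props.get("File Threat"))
    props["File Trust Label"] = decode_file_trust(props.get("File Trust"))
    return props


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENT).items():
        print(f"{key:22s} {value}")
```

Two behaviours are worth noting for anyone building searches on these properties. First, the patterns are case-sensitive, so `fileName=` does not collide with `installerFileName=`; a payload that emits keys in a different case would produce empty properties. Second, the trust and threat decoders deliberately return `None` for values outside the documented ranges rather than inventing a label, so an unexpected code surfaces as a gap in the report instead of a misleading verdict.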