Skip to main content

Microsoft IIS Web Server

Modeling rules for Microsoft IIS Web Server


This pack includes XSIAM content.

Configuration on the Server Side

  1. Open the IIS Manager.
    Server Screenshot
  2. Click the site.
    Server Screenshot
  3. In the window on the right, click Logging.
  4. Ensure the format is set to W3C.
    Server Screenshot
  5. Press Select Fields and ensure all the fields are checked.
    Server Screenshot

Pay Attention:
The following are the currently supported log schema structures:

  • Network
  date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
  • Error
  date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid streamid_ex sc-status s-siteid s-reason s-queuename transport

Collect Events from Vendor

In order to use the collector, you need to use the following option to collect events from the vendor:

You will need to configure the vendor and product for this specific collector.

  • Pay attention: Timestamp parsing is available for the default UTC (+0000) format for Microsoft IIS.

XDRC (XDR Collector)

You will need to use the information described here.

You can configure the vendor and product by replacing [vendor][product]raw with [vendor][product]_raw.

When configuring the instance, you should use a YAML file that configures the vendor and product, as seen in the configuration below for the Microsoft IIS product.

Copy and paste the content of the following YAML file in the Filebeat Configuration File section (inside the relevant profile under the XDR Collectors Profiles).

Filebeat Configuration file:

- module: iis
    enabled: true
    var.paths: ["C:/inetpub/logs/LogFiles/*/*.log"]
    enabled: true
    var.paths: ["C:/Windows/System32/LogFiles/HTTPERR/*.log"]




Cortex XSIAM


CertificationRead more
Supported ByCortex
CreatedJune 14, 2022
Last ReleaseDecember 10, 2023

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.