Alibaba ActionTrail sample event message

Use these sample event messages to verify that the integration with IBM QRadar is working.

The following sample event message shows a logon to the Alibaba Cloud Management console.

{"eventId":"2542222-2222-2222-2222-500d4449 ****","eventVersion":1,"eventSource":"http://account.test.com/test/login_aliyun.htm","sourceIpAddress":"10.0.0.1","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/11111 Ariver/1.1.0 AliApp(AP/10.2.28.6000) AlipayClient/10.2.11.6000 Language/zh-Hans Region/CN","eventType":"ConsoleSignin","userIdentity":{"accountId":"11122223333***","principalId":"11122223333***","type":"root-account","userName":"test"},"serviceName":"Customer","additionalEventData":{"loginAccount":"user1","isMFAChecked":"false"},"extend":"2","requestId":"111111-6b56-2222-5555-500d8d25***","eventTime":"2021-01-01T00:00:00Z","isGlobal":true,"acsRegion":"cn-abcd","eventName":"ConsoleSignin"}
Table 1. Highlighted values in the Alibaba ActionTrail sample event

QRadar field name    Highlighted payload field name
Event ID             eventName
Username             userIdentity.userName
Source IP            sourceIpAddress
Device Time          eventTime

The following sample event message shows an event received through the Alibaba Cloud Simple Log Service protocol.

{"owner_id":"1111111111111111","event":{"additionalEventData":{"CallerBid":"11111"},"apiVersion":"2020-06-16","datasource":"pop-test-east-1","eventSource":"alb.test-east-1.test.com","product":"Alb","requestParameters":{"stsTokenPrincipalName":"test/example","AcsProduct":"Alb","X-Acs-Public-Access":true,"MaxResults":50,"ClientPort":13230,"SignatureType":"","RegionId":"test-east-1"},"sourceIpAddress":"audit.log.test.com","tlsDetails":{"tlsVersion":"TLSv1.2","cipherSuite":"AAAAA-AAAAA-AAAAAA-AAA-SHA384","clientProvidedHostHeader":"alb.test-east-1.test.com"},"userAgent":"audit.log.test.com","userIdentity":{"accessKeyId":"STS.N1111111111111111111111","accountId":"1111111111111111","principalId":"11111111111111111111:example","sessionContext":{"attributes":{"mfaAuthenticated":"false"}},"type":"assumed-role","userName":"test:example"},"eventId":"11151579-1111-1111-1111-CCA7EC29C6C1","eventName":"ListLoadBalancers","eventType":"AliyunServiceEvent","acsRegion":"test-east-1","serviceName":"ALB","eventTime":"2024-02-27T09:45:08Z"},"__topic__":"actiontrail_event","__source__":"log_service","__time__":"1709027108"}
Table 2. Highlighted values in the Alibaba Cloud Simple Log Service Protocol sample event

QRadar field name    Highlighted payload field name
Event ID             event.eventName
Username             event.userIdentity.userName
Source IP            event.requestParameters.ClientPort
Device Time          event.eventTime
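To check the two mapping tables against an event line before relying on the QRadar parser, here is an added Python example (not IBM or Alibaba code) that resolves each dotted path from the tables above and reports any QRadar field whose source key is absent. The trimmed sample lines inside it are constructed from the two samples on this page, and telling the two formats apart by the `__topic__` wrapper key is an assumption.

```python
import json

# Mapping tables from this page: QRadar field name -> dotted path into the JSON payload.
ACTIONTRAIL_MAP = {
    "Event ID": "eventName",
    "Username": "userIdentity.userName",
    "Source IP": "sourceIpAddress",
    "Device Time": "eventTime",
}
SLS_MAP = {
    "Event ID": "event.eventName",
    "Username": "event.userIdentity.userName",
    "Source IP": "event.requestParameters.ClientPort",
    "Device Time": "event.eventTime",
}

# Constructed inputs: trimmed copies of the page's two sample events, keeping the mapped keys.
SAMPLE_CONSOLE_SIGNIN = (
    '{"sourceIpAddress":"10.0.0.1","eventType":"ConsoleSignin","userIdentity":{"accountId":'
    '"11122223333***","type":"root-account","userName":"test"},"additionalEventData":'
    '{"loginAccount":"user1","isMFAChecked":"false"},"eventTime":"2021-01-01T00:00:00Z",'
    '"eventName":"ConsoleSignin"}'
)
SAMPLE_SLS = (
    '{"owner_id":"1111111111111111","event":{"requestParameters":{"ClientPort":13230},'
    '"sourceIpAddress":"audit.log.test.com","userIdentity":{"type":"assumed-role",'
    '"userName":"test:example","sessionContext":{"attributes":{"mfaAuthenticated":"false"}}},'
    '"eventName":"ListLoadBalancers","eventTime":"2024-02-27T09:45:08Z"},"__topic__":"actiontrail_event"}'
)

def lookup(obj, dotted_path):
    """Walk a dotted path through nested dicts; return None if any segment is missing."""
    for key in dotted_path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def mapping_for(payload):
    """Assumption: SLS-delivered events wrap the ActionTrail record under 'event' and add __topic__."""
    return SLS_MAP if "__topic__" in payload and "event" in payload else ACTIONTRAIL_MAP

def extract_qradar_fields(raw_line):
    """Return {QRadar field name: value} for one JSON event line, using the matching table."""
    payload = json.loads(raw_line)
    return {name: lookup(payload, path) for name, path in mapping_for(payload).items()}

def missing_fields(raw_line):
    """QRadar field names whose mapped key is absent or empty; an empty list means the line maps cleanly."""
    return [name for name, value in extract_qradar_fields(raw_line).items() if value in (None, "")]
```

Note that for the Simple Log Service sample the Source IP column resolves to the integer port value 13230, exactly as Table 2 maps it.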