Blue Coat Web Security Service sample event message
Use this sample event message to verify a successful integration with IBM QRadar.
Blue Coat Web Security Service sample message when you use the Blue Coat Web Security REST API protocol
Important: Due to formatting, paste the message format into a text editor and then
remove any carriage return or line feed characters.
source-log-file=cloud_26754_20190506090002.log.gz x-bluecoat-request-tenant-id=
26754 date=2019-05-06 time=09:03:
46 x-bluecoat-appliance-name="AA11-aaa1_test" time-taken=13
c-ip=10.10.10.11 cs-userdn=OS\
estUser cs-auth-groups=- x-exception-id=- sc-filter-result=OBSERVED
cs-categories="Technology/Internet;Web Ads/Analytics" cs(Referer)=- sc-status=
200 s-action=TCP_NC_MISS cs-method=GET rs(Content-
Type)=application/json cs-uri-scheme=https cs-host=domain.test
cs-uri-port=443 cs-uri-path=/settings/v2.0/analog/ASAP_VES
cs-uri-query=?os=windows&osver=10.0.17134.1.amd64fre.rs4_release.180410-1804&deviceid=%1111
111111-9C67-47FB-AE69-111111111111%7D cs-uri-extension=- cs(User-Agent)="OneSet
tingsQuery" s-ip=192.168.15.66 sc-bytes=835 cs-bytes=255 x-data-leak
-detected=- x-virus-id=- x-bluecoat-location-id=0 x-bluecoat-location-name
="client" x-bluecoat-access-type=client_connector x-bluecoat-application-name="
-" x-bluecoat-application-operation="-" r-ip=10.10.10.
12 r-supplier-country="Ireland" x-rs-certificate-validate-status=CERT_VALID
x-rs-certificate-observed-errors=none x-cs-ocsp-error=- x-rs-ocsp-error=-
x-rs-connection-negotiated-ssl-version=TLSv1.2 x-rs-connection-negotiated-cipher=ECDHE
-RSA-AES128-GCM-SHA256 x-rs-connection-negotiated-cipher-size=128 x-rs-certifica
te-hostname=domain.test x-rs-certificate-hostname-categories="Technology/Internet;Web
Ads/Analytics" x-cs-connection-negotiated-ssl-version=TLSv1.2 x-cs-connection-ne
gotiated-cipher=ECDHE-RSA-AES256-GCM-SHA384 x-cs-connection-negotiated-cipher-size=
256 x-cs-certificate-subject=- cs-icap-status=ICAP_NOT_SCANNED cs-icap-e
rror-details=- rs-icap-status=ICAP_NOT_SCANNED rs-icap-error-details=-
s-supplier-ip=10.10.10.12 s-supplier-country=- s-supplier-failures=-
x-cs-client-ip-country="Test Country" cs-threat-risk=- x-rs-certificate-hostnam
e-threat-risk=unlicensed x-client-agent-type=unified-agent x-client-os=architec
ture=x86_64%20name=Windows%2010%20Enterprise%20version=10.0.17134 x-client-agent-sw=4
.10.3.225009 x-client-device-id=11111111-fcd7-4e60-b92b-111111111111 x-client-d
evice-name=TestName01 x-client-device-type=- x-client-security-posture-details
=- x-client-security-posture-risk-score=- x-bluecoat-reference-id=- x-sc
-connection-issuer-keyring=SSL_Intercept_1 x-sc-connection-issuer-keyring-alias=
- x-cloud-rs=- x-bluecoat-placeholder=- cs(X-Requested-With)=- x-b
luecoat-transaction-uuid=fdc8d949880e442a-000000000bda1726-000000005ccff872
| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID |
s-action If the s-action field doesn't contain a valid value, the cs-method field is used. |
| Source IP | c-ip |
| Destination IP | r-ip |
| Destination Port | cs-uri-port |
| Device Time | date + time |
| Username | cs-userdn |