Blue Coat Web Security Service sample event message

Use this sample event message to verify a successful integration with IBM QRadar.

Blue Coat Web Security Service sample message when you use the Blue Coat Web Security REST API protocol

Important: Due to formatting, paste the message format into a text editor and then remove any carriage return or line feed characters.
source-log-file=cloud_26754_20190506090002.log.gz x-bluecoat-request-tenant-id=26754	date=2019-05-06	time=09:03:46	x-bluecoat-appliance-name="AA11-aaa1_test"	time-taken=13	c-ip=10.10.10.11	cs-userdn=OS\TestUser	cs-auth-groups=-	x-exception-id=-	sc-filter-result=OBSERVED	cs-categories="Technology/Internet;Web Ads/Analytics"	cs(Referer)=-	sc-status=200	s-action=TCP_NC_MISS	cs-method=GET	rs(Content-Type)=application/json	cs-uri-scheme=https	cs-host=domain.test	cs-uri-port=443	cs-uri-path=/settings/v2.0/analog/ASAP_VES	cs-uri-query=?os=windows&osver=10.0.17134.1.amd64fre.rs4_release.180410-1804&deviceid=%1111111111-9C67-47FB-AE69-111111111111%7D	cs-uri-extension=-	cs(User-Agent)="OneSettingsQuery"	s-ip=192.168.15.66	sc-bytes=835	cs-bytes=255	x-data-leak-detected=-	x-virus-id=-	x-bluecoat-location-id=0	x-bluecoat-location-name="client"	x-bluecoat-access-type=client_connector	x-bluecoat-application-name="-"	x-bluecoat-application-operation="-"	r-ip=10.10.10.12	r-supplier-country="Ireland"	x-rs-certificate-validate-status=CERT_VALID	x-rs-certificate-observed-errors=none	x-cs-ocsp-error=-	x-rs-ocsp-error=-	x-rs-connection-negotiated-ssl-version=TLSv1.2	x-rs-connection-negotiated-cipher=ECDHE-RSA-AES128-GCM-SHA256	x-rs-connection-negotiated-cipher-size=128	x-rs-certificate-hostname=domain.test	x-rs-certificate-hostname-categories="Technology/Internet;Web Ads/Analytics"	x-cs-connection-negotiated-ssl-version=TLSv1.2	x-cs-connection-negotiated-cipher=ECDHE-RSA-AES256-GCM-SHA384	x-cs-connection-negotiated-cipher-size=256	x-cs-certificate-subject=-	cs-icap-status=ICAP_NOT_SCANNED	cs-icap-error-details=-	rs-icap-status=ICAP_NOT_SCANNED	rs-icap-error-details=-	s-supplier-ip=10.10.10.12	s-supplier-country=-	s-supplier-failures=-	x-cs-client-ip-country="Test Country"	cs-threat-risk=-	x-rs-certificate-hostname-threat-risk=unlicensed	x-client-agent-type=unified-agent	x-client-os=architecture=x86_64%20name=Windows%2010%20Enterprise%20version=10.0.17134	x-client-agent-sw=4.10.3.225009	x-client-device-id=11111111-fcd7-4e60-b92b-111111111111	x-client-device-name=TestName01	x-client-device-type=-	x-client-security-posture-details=-	x-client-security-posture-risk-score=-	x-bluecoat-reference-id=-	x-sc-connection-issuer-keyring=SSL_Intercept_1	x-sc-connection-issuer-keyring-alias=-	x-cloud-rs=-	x-bluecoat-placeholder=-	cs(X-Requested-With)=-	x-bluecoat-transaction-uuid=fdc8d949880e442a-000000000bda1726-000000005ccff872
Table 1. Highlighted fields

QRadar field name     Highlighted payload field name
Event ID              s-action (if the s-action field doesn't contain a valid value, the cs-method field is used)
Source IP             c-ip
Destination IP        r-ip
Destination Port      cs-uri-port
Device Time           date + time
Username              cs-userdn
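As an added example that is not part of the IBM documentation, the parser below reads a Blue Coat event in the format shown above (whitespace-separated name=value pairs, with quoted values that may contain spaces and values that may themselves contain "=") and applies the Table 1 mapping, including the s-action to cs-method fallback. The sample events are constructed for this example and only echo a few of the fields from the message above.

```python
from datetime import datetime

# Constructed sample, modelled on the message above (not the full event).
SAMPLE = (
    "date=2019-05-06\ttime=09:03:46\tc-ip=10.10.10.11\tcs-userdn=OS\\TestUser\t"
    'cs-categories="Technology/Internet;Web Ads/Analytics"\tsc-status=200\t'
    "s-action=TCP_NC_MISS\tcs-method=GET\tcs-uri-port=443\t"
    "x-client-os=architecture=x86_64%20name=Windows%2010\tr-ip=10.10.10.12"
)
# Same event with an empty s-action, to exercise the cs-method fallback.
FALLBACK = SAMPLE.replace("s-action=TCP_NC_MISS", "s-action=-")


def tokenize(line):
    """Split on spaces/tabs outside double quotes; quotes are dropped, contents kept."""
    tokens, buf, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            continue
        if ch in " \t" and not quoted:
            if buf:
                tokens.append("".join(buf))
                buf = []
            continue
        buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def parse_fields(line):
    """Return {name: value}. Split on the first '=' only, since values can contain '='."""
    fields = {}
    for tok in tokenize(line):
        name, _, value = tok.partition("=")
        fields[name] = value
    return fields


def normalize(line):
    """Map a raw event onto the QRadar fields listed in Table 1."""
    f = parse_fields(line)
    action = f.get("s-action", "-")
    # Table 1: Event ID comes from s-action; an empty or '-' value falls back to cs-method.
    event_id = action if action not in ("", "-") else f.get("cs-method", "-")
    port = f.get("cs-uri-port", "-")
    return {
        "event_id": event_id,
        "source_ip": f.get("c-ip"),
        "destination_ip": f.get("r-ip"),
        "destination_port": int(port) if port.isdigit() else None,
        "device_time": datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S"),
        "username": f.get("cs-userdn"),
    }
```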