Box sample event messages

Use these sample event messages to verify a successful integration with IBM® QRadar®.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Box sample messages when you use the Box REST protocol

Sample 1: The following sample event message shows that the user User Name, from IP address 10.0.0.1, added an application key to Box.

{"source":{"type":"application","name":"QRadarBox","api_key":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},"created_by":{"type":"user","id":"262196057","name":"User Name","login":"user.name@domain.test"},"created_at":"2016-02-10T07:49:07-08:00","event_id":"403702014","event_type":"APPLICATION_PUBLIC_KEY_ADDED","ip_address":"10.0.0.1","type":"event","session_id":null,"additional_details":null}
Table 1. Highlighted fields

QRadar field name     Highlighted payload field name
Username              name
Device Time           created_at
Event ID              event_type
Source IP Address     ip_address

Sample 2: The following sample event message shows that a Suspicious Location alert was generated based on Download activity by the user Some name.

{"source":null,"created_by":{"type":"user","id":"2","name":"Unknown User","login":""},"action_by":null,"created_at":"2019-12-20T11:38:56-08:00","event_id":"97f1b31f-f143-4777-81f8-1b557b39ca33","event_type":"SHIELD_ALERT","ip_address":"10.1.2.3","type":"event","session_id":null,"additional_details":{"shield_alert":{"rule_category":"Suspicious Locations","rule_id":"123","rule_name":"Suspicious Location","risk_score":60,"alert_summary":{"alert_activities":[{"occurred_at":"2019-12-20T11:37:05-08:00","event_type":"Download","item_name":"xyz.txt","item_type":"file","item_id":"127","item_path":"ABC/DEF","ip_info":{"ip":"10.2.3.4","latitude":"44.9727","longitude":"-65.8609","registrant":"Registrant Company Name","country_code":"CA","city_name":"Saint John","region_name":"New Brunswick"},"service_name":"Box Excel Online Previewer"}]},"alert_id":2398,"priority":"medium","user":{"id":2320,"name":"Some name","email":"some@domain.test"},"link":"https://app.box.com/master/shield/alerts/123412341234","created_at":"2019-12-20T11:37:15-08:00"}}}
Table 2. Highlighted fields

QRadar field name     Highlighted payload field name
Device Time           created_at
Source IP Address     ip_address
Event ID              rule_category
                      When the event_type value is SHIELD_ALERT, the event is a Box Shield alert and the rule_category field is used for the Event ID.
Severity              risk_score
                      The risk_score field value range is 1 - 100. In QRadar, the severity value range is 1 - 10. QRadar divides the risk_score value by 10, and then rounds it to the nearest integer.
Username              name
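The field mapping described in the two tables, written out as an added Python example (not IBM or Box code): the sample payloads are abbreviated copies of the two messages above, the Shield branch swaps event_type for rule_category, and risk_score is scaled 1-100 to 1-10. Half-up tie-breaking, clamping into 1-10, and reading Username from created_by.name are assumptions the page does not state.

```python
from decimal import Decimal, ROUND_HALF_UP

# Abbreviated copies of the two sample messages on this page (constructed test data).
SAMPLE_APP_KEY = {
    "created_by": {"type": "user", "id": "262196057", "name": "User Name"},
    "created_at": "2016-02-10T07:49:07-08:00",
    "event_id": "403702014",
    "event_type": "APPLICATION_PUBLIC_KEY_ADDED",
    "ip_address": "10.0.0.1",
    "additional_details": None,
}
SAMPLE_SHIELD = {
    "created_by": {"type": "user", "id": "2", "name": "Unknown User"},
    "created_at": "2019-12-20T11:38:56-08:00",
    "event_type": "SHIELD_ALERT",
    "ip_address": "10.1.2.3",
    "additional_details": {"shield_alert": {
        "rule_category": "Suspicious Locations", "risk_score": 60,
        "user": {"id": 2320, "name": "Some name"}}},
}


def risk_score_to_severity(risk_score):
    """Box risk_score (1-100) -> QRadar severity (1-10): divide by 10, round to nearest.
    Half-up rounding and clamping to 1-10 are assumptions, not stated on the page."""
    sev = int((Decimal(risk_score) / 10).quantize(Decimal("1"), rounding=ROUND_HALF_UP))
    return max(1, min(10, sev))


def normalize(event):
    """Return the QRadar fields that Table 1 and Table 2 highlight for one Box event."""
    fields = {
        # Assumption: the table's bare "name" is created_by.name, as in Sample 1.
        "username": (event.get("created_by") or {}).get("name"),
        "device_time": event.get("created_at"),
        "source_ip": event.get("ip_address"),
        "event_id": event.get("event_type"),
        "severity": None,
    }
    if event.get("event_type") == "SHIELD_ALERT":
        # Box Shield alert: Event ID comes from rule_category, severity from risk_score.
        alert = (event.get("additional_details") or {}).get("shield_alert") or {}
        fields["event_id"] = alert.get("rule_category")
        if alert.get("risk_score") is not None:
            fields["severity"] = risk_score_to_severity(alert["risk_score"])
    return fields


if __name__ == "__main__":
    print(normalize(SAMPLE_APP_KEY))
    print(normalize(SAMPLE_SHIELD))  # event_id "Suspicious Locations", severity 6
```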