QRadar EDR sample event messages
Use these sample event messages to verify a successful integration with IBM® QRadar®.
Important: Because of page formatting, the sample message is wrapped across several lines. Paste the message into a text editor and remove any carriage return or line feed characters so that it is a single line of valid JSON before you use it. Note also that in this sample the `endpoint.name` value appears as `"\"` — the backslash escapes the closing quotation mark, so a strict JSON parser rejects the message. Replace that value with a host name, for example `"DESKTOP-EXAMPLE123"` (the value that is shown in `endpointState.name`), before you use the sample.
IBM Security QRadar EDR sample message when you use the IBM Security QRadar EDR REST API protocol
The following sample event message shows an alert that QRadar EDR generated for an endpoint that was successfully enrolled with QRadar EDR. In this sample, the alert was raised by a policy match (`category` is `policies`) on the SHA-256 hash of a running process, and the alert was classified as `malicious` (`alertStatus`).
{"id":"885873017052213250","localId":"885872997599021058","endpointId":"885857527403642880","triggerCondition":6,"endpoint":{"id":"885857527403642880","machineId":"eba24ff6f42f32e7b693b2aad82476c3612d934b08d0999ff0520a91d2871a45","osType":1,"cpuVendor":1,"arch":2,"cpuDescr":"Intel(R) Xeon(R) CPU X5650 @ 2.67GHz","kernel":"10.0","os":"Windows 10 Pro","name":"\","state":1,"registrationTime":"2022-07-14T13:21:32.973Z","agentVersion":"3.6.1","componentsVersions":[{"name":"keeper","version":"3.6.0","build":"19.1627291555548.commit"},{"name":"probos","version":"3.5.0","build":"3.5.0"},{"name":"rqtsentry","version":"3.6.1","build":"119.1632119719010.commit"},{"name":"rqtnetsentry","version":"3.6.0","build":"44.1627295520120.commit"},{"name":"installer","version":"3.6.1","build":""}],"isVirtualMachine":false,"isDomainController":false,"isServer":false,"sessionStart":"2022-07-14T13:21:36.953Z","sessionEnd":"2022-07-14T21:45:57.434Z","lastSeenAt":"2022-07-14T21:40:57.434Z","disconnectionReason":0,"localAddr":"10.0.0.119","hvStatus":0,"macs":["00:00:5e:00:53:ff"],"isolated":false,"connected":true,"tags":[],"groups":[{"id":"847194699834851335","name":"Digital Sales","description":"Digital Sales Group"}],"avInstalled":false},"triggerEvents":[{"id":"885873015911350273","category":"policies","localId":"885872997569660929","endpointId":"885857527403642880","receivedAt":"2022-07-14T14:23:05.718Z","happenedAt":"2022-07-14T14:23:01.345Z","relevance":88,"severity":"medium","trigger":true,"manuallyAdded":false,"process":{"id":"885857527403642880:7664:1657808581301","parentId":"885857527403642880:3172:1657804956599","endpointId":"885857527403642880","program":{"path":"c:\\users\\admin\\appdata\\roaming\\bittorrent\\bittorrent.exe","filename":"bittorrent.exe","md5":"3a72aae846afdd8c7f070f390a2151b0","sha1":"dadb6c535731cf4445ee8ce2c216585ccc80760b","sha256":"63a52c497a4a0f8c62d7686486fd3be8c3297024e336c0953ab2dcad9dceed3c","certInfo":{"signer":"BitTorrent Inc","issuer":"Symantec Class 3 
SHA256 Code Signing CA","trusted":true,"expired":false},"size":2106408,"arch":"x32","fsName":"bittorrent.exe"},"user":"DESKTOP-EXAMPLE123\\Admin","pid":7664,"startTime":"2022-07-14T14:23:01.301Z","ppid":3172,"pstartTime":"2022-07-14T13:22:36.599Z","userSID":"S-1-5-21-979315260-1110968185-3366233752-1001","privilegeLevel":"MEDIUM","noGui":false,"logonId":"0x41483"},"eventType":28,"data":{"matched":[{"policyId":"851883733567930372","versionId":"851883733567934469","policyTitle":"Hive-Cloud policy on: 63a52c497a4a0f8c62d7686486fd3be8c3297024e336c0953ab2dcad9dceed3c","policyDescription":"Automatic policy","scope":"global","groups":[],"matcher":{"id":"851883733567938566","hash":"63a52c497a4a0f8c62d7686486fd3be8c3297024e336c0953ab2dcad9dceed3c","alg":1,"type":2}}],"_t":"r"}}],"totalEventCount":34857,"byTypeEventCount":[{"type":37,"count":8297},{"type":12,"count":6663},{"type":5,"count":5267},{"type":65,"count":4395},{"type":8,"count":3420},{"type":21,"count":3257},{"type":38,"count":1765},{"type":7,"count":966},{"type":6,"count":744},{"type":57,"count":35},{"type":10,"count":20},{"type":2,"count":12},{"type":3,"count":5},{"type":11,"count":3},{"type":13,"count":3},{"type":9,"count":2},{"type":14,"count":1},{"type":28,"count":1},{"type":30,"count":1}],"impact":88,"severity":"medium","closed":true,"closedAt":"2022-07-14T14:24:50.582Z","activityState":"archived","terminationReason":0,"receivedAt":"2022-07-14T14:23:05.990Z","happenedAt":"2022-07-14T14:23:01.352Z","tags":[],"endpointState":{"osType":1,"cpuVendor":1,"arch":2,"cpuDescr":"Intel(R) Xeon(R) CPU X5650 @ 2.67GHz","kernel":"10.0","os":"Windows 10 
Pro","hvStatus":0,"name":"DESKTOP-EXAMPLE123","isolated":false,"localAddr":"10.0.0.119","macs":["00:00:5e:00:53:ff"],"componentsVersions":[{"name":"keeper","version":"3.6.0","build":"19.1627291555548.commit"},{"name":"probos","version":"3.5.0","build":"3.5.0"},{"name":"rqtsentry","version":"3.6.1","build":"119.1632119719010.commit"},{"name":"rqtnetsentry","version":"3.6.0","build":"44.1627295520120.commit"},{"name":"installer","version":"3.6.1","build":""}],"endpointVersion":"3.6.1","tags":[],"groups":[{"id":"847194699834851335","name":"Digital Sales","description":"Digital Sales Group"}]},"alertStatus":"malicious"}
QRadar field name | Highlighted payload field name | Sample value |
---|---|---|
Event ID | triggerCondition | 6 |
Source IP | endpoint.localAddr | 10.0.0.119 |
Username | triggerEvents[].process.user | DESKTOP-EXAMPLE123\\Admin |
Source Mac | endpoint.macs[] | 00:00:5e:00:53:ff |