Microsoft Azure Platform sample event messages

Use these sample event messages as a way of verifying a successful integration with QRadar®.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Microsoft Azure sample event messages when you use the Microsoft Azure Event Hubs protocol

Sample 1: The following sample event message shows a restart of a virtual machine.

LEEF:1.0|Microsoft|Azure Resource Manager|1.0|MICROSOFT.CLASSICCOMPUTE/VIRTUALMACHINES/RESTART/ACTION|devTime=Jun 07 2016 17:04:26	devTimeFormat=MMM dd yyyy HH:mm:ss	cat=MICROSOFT.CLASSICCOMPUTE	src=10.0.0.2	usrName=name@example.com		sev=4	resource=testvm	resourceGroup=Test Resource Group	description=Restart a Virtual Machine
Table 1. Highlighted fields
QRadar field name   Highlighted payload field name
Event ID            The LEEF header Event ID field. For example, MICROSOFT.CLASSICCOMPUTE/VIRTUALMACHINES/RESTART/ACTION.
Event category      cat
Severity            sev
Source IP           src
Username            usrName
Device Time         devTime

Sample 2: The following sample event message shows the return of the access keys for the specified storage account.

{ "time": "2017-09-14T11:47:36.3237658Z", "resourceId": "/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/", "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION", "category": "Action", "resultType": "Success", "resultSignature": "Succeeded.OK", "durationMs": 125, "callerIpAddress": "<IP_address>", "correlationId": "", "identity": {"authorization":{"scope":"/subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts/","action":"Microsoft.Storage/storageAccounts/listKeys/action","evidence":{"role":"Insights Management Service Role","roleAssignmentScope":"/subscriptions/","roleAssignmentId":"","roleDefinitionId":"","principalId":"","principalType":"ServicePrincipal"}},"claims":{"aud":"https://management.azure.com/","iss":"https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/","iat":"1505389356","nbf":"1505389356","exp":"1505393256","aio":"Y2VgYBBQEA5y0vTd4PVnSpSp9qVwAA==","appid":"","appidacr":"2","e_exp":"262800","http://schemas.microsoft.com/identity/claims/identityprovider":"https://sts.windows.net//","http://schemas.microsoft.com/identity/claims/objectidentifier":"","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"","http://schemas.microsoft.com/identity/claims/tenantid":"","uti":"xxxxxx__xxxxxxxxxxxxxx","ver":"1.0"}}, "level": "Information", "location": "global", "properties": {"statusCode":"OK","serviceRequestId":""}}
Table 2. Highlighted fields
QRadar field name   Highlighted payload field name
Event ID            operationName
Event category      The Event category is located in the resourceId field after the PROVIDERS keyword. For example, MICROSOFT.STORAGE.
Source IP           callerIpAddress
Device Time         time

Sample 3: The following sample event message shows that a specified secret is retrieved from a given key vault.

{"eventHubsAzureRecord":{"time": "2016-03-02T04:31:28.6127743Z","resourceId": "/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/AZLOGTEST","operationName": "SecretGet","operationVersion": "2015-06-01","category": "AuditEvent","resultType": "Success","resultSignature": "OK","resultDescription": "","durationMs": "187","callerIpAddress": "","correlationId": "","identity": {"claim": {"http://schemas.microsoft.com/identity/claims/objectidentifier": "","appid": "","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": ""}},"properties": {"clientInfo": "","requestUri": "","id": "https://.vault.azure.net/secrets/testsecret/","httpStatusCode": 200}}}
Table 3. Highlighted fields
QRadar field name   Highlighted payload field name
Event ID            operationName
Event category      The Event category is located in the resourceId field after the PROVIDERS keyword. For example, MICROSOFT.KEYVAULT.
Device Time         time
Source IP           callerIpAddress

Sample 4: The following sample event message shows that a user successfully logged in to Microsoft SQL Server.

{"LogicalServerName":"servername","SubscriptionId":"42061870-6656-472f-9297-6a8f48a5e8b0","ResourceGroup":"RESOURCEGROUP","package":"SecAudit","event":"audit_event_shoebox","sessionName":"audit_session_for_shoebox","originalEventTimestamp":"2020-07-19T05:26:01.5293718Z","time":"2020-07-19T05:26:01.5260341Z","resourceId":"/SUBSCRIPTIONS/ACCOUNT/RESOURCEGROUPS/RESOURCEGROUP/PROVIDERS/MICROSOFT.SQL/MANAGEDINSTANCES/SERVER-NAME","category":"SQLSecurityAuditEvents","operationName":"AuditEvent","properties":{"audit_schema_version":1,"event_time":"2020-07-19T05:26:01.166Z","sequence_number":1,"action_id":"LGIS","action_name":"LOGIN SUCCEEDED","succeeded":"true","is_column_permission":"false","session_id":184,"server_principal_id":286,"database_principal_id":0,"target_server_principal_id":0,"target_database_principal_id":0,"object_id":0,"user_defined_event_id":0,"transaction_id":0,"class_type":"LX","class_type_description":"LOGIN","securable_class_type":"LOGIN","duration_milliseconds":0,"response_rows":0,"affected_rows":0,"client_ip":"10.242.142.140","permission_bitmask":"00000000000000000000000000000000","sequence_group_id":"0AB33370-A776-485A-AD98-FBB08D58A684","session_server_principal_name":"LoginName","server_principal_name":"LoginName","server_principal_sid":"782fa7bb4f95374ba7fb6f346ccdafa6","database_principal_name":"","target_server_principal_name":"","target_server_principal_sid":"","target_database_principal_name":"","server_instance_name":"servername","database_name":"","schema_name":"","object_name":"","statement":"-- network protocol: TCP/IP\r\nset quoted_identifier on\r\nset arithabort off\r\nset numeric_roundabort off\r\nset ansi_warnings on\r\nset ansi_padding on\r\nset ansi_nulls on\r\nset concat_null_yields_null on\r\nset cursor_close_on_commit off\r\nset implicit_transactions off\r\nset language us_english\r\nset dateformat mdy\r\nset datefirst 7\r\nset transaction isolation level read committed\r\n","additional_information":"<action_info xmlns=\"http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data\"><pooled_connection>1</pooled_connection><client_options>0x28000020</client_options><client_options1>0x0001f438</client_options1><connect_options>0x00000001</connect_options><packet_data_size>8000</packet_data_size><address>10.153.63.59</address><is_dac>0</is_dac></action_info>","user_defined_information":"","application_name":".Net SqlClient Data Provider","connection_id":"284D6271-94AD-4719-BA5A-A2834CA24F82","data_sensitivity_information":"","host_name":"HOSNAME","session_context":"","is_server_level_audit":"true","event_id":"F4FBD375-7F97-40F7-8C40-833D59CCC3D1"}}
Table 4. Highlighted fields
QRadar field name   Highlighted payload field name
Event ID            The Event ID is composed of the category and action_name field values. For example, "category":"SQLSecurityAuditEvents" and "action_name":"LOGIN SUCCEEDED" result in an Event ID value of "sqlsecurityauditevents_login succeeded".
Event category      The Event category is located in the resourceId field after the PROVIDERS keyword. For example, MICROSOFT.SQL.
Device Time         time
Username            server_principal_name
Source IP           client_ip
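As an added example (not part of the QRadar documentation or of any IBM or Microsoft code), the following Python script applies the mappings in Tables 1 to 4 to trimmed, constructed copies of the four samples: it splits the LEEF header and tab-separated attributes, takes the Event category from the resourceId segment after PROVIDERS, unwraps the eventHubsAzureRecord envelope of Sample 3, and builds the SQL audit Event ID from category and action_name. The function names are mine; the storage sample's caller IP is a constructed documentation address.

```python
import json

# Constructed, trimmed copies of Samples 1-4 (only the fields the tables use; 198.51.100.7 is a constructed address).
LEEF_SAMPLE = ("LEEF:1.0|Microsoft|Azure Resource Manager|1.0|"
               "MICROSOFT.CLASSICCOMPUTE/VIRTUALMACHINES/RESTART/ACTION|"
               "devTime=Jun 07 2016 17:04:26\tcat=MICROSOFT.CLASSICCOMPUTE\tsrc=10.0.0.2\t"
               "usrName=name@example.com\t\tsev=4")
STORAGE_SAMPLE = ('{"time":"2017-09-14T11:47:36.3237658Z","resourceId":"/SUBSCRIPTIONS//RESOURCEGROUPS//'
                  'PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/","operationName":'
                  '"MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION","callerIpAddress":"198.51.100.7"}')
KEYVAULT_SAMPLE = ('{"eventHubsAzureRecord":{"time":"2016-03-02T04:31:28.6127743Z","resourceId":'
                   '"/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/AZLOGTEST",'
                   '"operationName":"SecretGet","category":"AuditEvent","callerIpAddress":""}}')
SQL_SAMPLE = ('{"time":"2020-07-19T05:26:01.5260341Z","resourceId":"/SUBSCRIPTIONS/ACCOUNT/RESOURCEGROUPS/'
              'RESOURCEGROUP/PROVIDERS/MICROSOFT.SQL/MANAGEDINSTANCES/SERVER-NAME",'
              '"category":"SQLSecurityAuditEvents","operationName":"AuditEvent","properties":'
              '{"action_name":"LOGIN SUCCEEDED","client_ip":"10.242.142.140","server_principal_name":"LoginName"}}')

def parse_leef(msg):
    """Map a LEEF 1.0 record (Sample 1) to the QRadar fields of Table 1."""
    parts = msg.split("|", 5)          # LEEF:1.0|Vendor|Product|Version|EventID|attributes
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    # Attributes are tab-separated key=value pairs; an empty pair (double tab) is skipped.
    attrs = dict(kv.split("=", 1) for kv in parts[5].split("\t") if "=" in kv)
    return {"Event ID": parts[4], "Event category": attrs.get("cat"), "Severity": attrs.get("sev"),
            "Source IP": attrs.get("src"), "Username": attrs.get("usrName"), "Device Time": attrs.get("devTime")}

def category_from_resource_id(resource_id):
    """Event category is the resourceId segment that follows PROVIDERS (Tables 2-4)."""
    segs = resource_id.split("/")
    for i, seg in enumerate(segs[:-1]):
        if seg.upper() == "PROVIDERS":
            return segs[i + 1]

def map_azure_json(raw):
    """Map a JSON Event Hubs record (Samples 2-4) to the QRadar fields of Tables 2-4."""
    rec = json.loads(raw)
    rec = rec.get("eventHubsAzureRecord", rec)   # Sample 3 wraps the record in this envelope key
    props = rec.get("properties") or {}
    if rec.get("category") == "SQLSecurityAuditEvents":
        # Table 4: Event ID is "<category>_<action_name>", lower-cased
        event_id = f"{rec['category']}_{props.get('action_name', '')}".lower()
        user, src = props.get("server_principal_name"), props.get("client_ip")
    else:
        event_id, user, src = rec.get("operationName"), None, rec.get("callerIpAddress")
    return {"Event ID": event_id, "Event category": category_from_resource_id(rec.get("resourceId", "")),
            "Source IP": src, "Username": user, "Device Time": rec.get("time")}
```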