Microsoft Azure Platform sample event messages
Use these sample event messages as a way of verifying a successful integration with QRadar®.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Microsoft Azure sample event messages when you use the Microsoft Azure Event Hubs protocol
Sample 1: The following sample event message shows a restart of a virtual machine.
LEEF:1.0|Microsoft|Azure Resource Manager|1.0|MICROSOFT.CLASSICCOMPUTE/VIRTUALMACHINES/RESTART/ACTION|devTime=Jun 07 2016 17:04:26 devTimeFormat=MMM dd yyyy HH:mm:ss cat=MICROSOFT.CLASSICCOMPUTE src=10.0.0.2 usrName=name@example.com sev=4 resource=testvm resourceGroup=Test Resource Group description=Restart a Virtual Machine
QRadar field name | Payload field name |
---|---|
Event ID | The LEEF header Event ID field. For example, MICROSOFT.CLASSICCOMPUTE/VIRTUALMACHINES/RESTART/ACTION. |
Event category | cat |
Severity | sev |
Source IP | src |
Username | usrName |
Device Time | devTime |
Sample 2: The following sample event message shows a listKeys action on a storage account, which returns the access keys for the specified storage account.
{ "time": "2017-09-14T11:47:36.3237658Z", "resourceId": "/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/", "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION", "category": "Action", "resultType": "Success", "resultSignature": "Succeeded.OK", "durationMs": 125, "callerIpAddress": "<IP_address>", "correlationId": "", "identity": {"authorization":{"scope":"/subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts/","action":"Microsoft.Storage/storageAccounts/listKeys/action","evidence":{"role":"Insights Management Service Role","roleAssignmentScope":"/subscriptions/","roleAssignmentId":"","roleDefinitionId":"","principalId":"","principalType":"ServicePrincipal"}},"claims":{"aud":"https://management.azure.com/","iss":"https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/","iat":"1505389356","nbf":"1505389356","exp":"1505393256","aio":"Y2VgYBBQEA5y0vTd4PVnSpSp9qVwAA==","appid":"","appidacr":"2","e_exp":"262800","http://schemas.microsoft.com/identity/claims/identityprovider":"https://sts.windows.net//","http://schemas.microsoft.com/identity/claims/objectidentifier":"","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"","http://schemas.microsoft.com/identity/claims/tenantid":"","uti":"xxxxxx__xxxxxxxxxxxxxx","ver":"1.0"}}, "level": "Information", "location": "global", "properties": {"statusCode":"OK","serviceRequestId":""}}
QRadar field name | Payload field name |
---|---|
Event ID | operationName |
Event category | The Event category is located in the resourceId field after the PROVIDERS keyword. For example, MICROSOFT.STORAGE. |
Source IP | callerIpAddress |
Device Time | time |
Sample 3: The following sample event message shows a SecretGet operation, the retrieval of a specified secret from a key vault.
{"eventHubsAzureRecord":{"time": "2016-03-02T04:31:28.6127743Z","resourceId": "/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/AZLOGTEST","operationName": "SecretGet","operationVersion": "2015-06-01","category": "AuditEvent","resultType": "Success","resultSignature": "OK","resultDescription": "","durationMs": "187","callerIpAddress": "","correlationId": "","identity": {"claim": {"http://schemas.microsoft.com/identity/claims/objectidentifier": "","appid": "","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": ""}},"properties": {"clientInfo": "","requestUri": "","id": "https://.vault.azure.net/secrets/testsecret/","httpStatusCode": 200}}}
QRadar field name | Payload field name |
---|---|
Event ID | operationName |
Event category | The Event category is located in the resourceId field after the PROVIDERS keyword. For example, MICROSOFT.KEYVAULT. |
Device Time | time |
Source IP | callerIpAddress |
Sample 4: The following sample event message shows a successful login to an Azure SQL managed instance, as recorded by SQL auditing.
{"LogicalServerName":"servername","SubscriptionId":"42061870-6656-472f-9297-6a8f48a5e8b0","ResourceGroup":"RESOURCEGROUP","package":"SecAudit","event":"audit_event_shoebox","sessionName":"audit_session_for_shoebox","originalEventTimestamp":"2020-07-19T05:26:01.5293718Z","time":"2020-07-19T05:26:01.5260341Z","resourceId":"/SUBSCRIPTIONS/ACCOUNT/RESOURCEGROUPS/RESOURCEGROUP/PROVIDERS/MICROSOFT.SQL/MANAGEDINSTANCES/SERVER-NAME","category":"SQLSecurityAuditEvents","operationName":"AuditEvent","properties":{"audit_schema_version":1,"event_time":"2020-07-19T05:26:01.166Z","sequence_number":1,"action_id":"LGIS","action_name":"LOGIN SUCCEEDED","succeeded":"true","is_column_permission":"false","session_id":184,"server_principal_id":286,"database_principal_id":0,"target_server_principal_id":0,"target_database_principal_id":0,"object_id":0,"user_defined_event_id":0,"transaction_id":0,"class_type":"LX","class_type_description":"LOGIN","securable_class_type":"LOGIN","duration_milliseconds":0,"response_rows":0,"affected_rows":0,"client_ip":"10.242.142.140","permission_bitmask":"00000000000000000000000000000000","sequence_group_id":"0AB33370-A776-485A-AD98-FBB08D58A684","session_server_principal_name":"LoginName","server_principal_name":"LoginName","server_principal_sid":"782fa7bb4f95374ba7fb6f346ccdafa6","database_principal_name":"","target_server_principal_name":"","target_server_principal_sid":"","target_database_principal_name":"","server_instance_name":"servername","database_name":"","schema_name":"","object_name":"","statement":"-- network protocol: TCP/IP\r\nset quoted_identifier on\r\nset arithabort off\r\nset numeric_roundabort off\r\nset ansi_warnings on\r\nset ansi_padding on\r\nset ansi_nulls on\r\nset concat_null_yields_null on\r\nset cursor_close_on_commit off\r\nset implicit_transactions off\r\nset language us_english\r\nset dateformat mdy\r\nset datefirst 7\r\nset transaction isolation level read committed\r\n","additional_information":"<action_info xmlns=\"http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data\"><pooled_connection>1</pooled_connection><client_options>0x28000020</client_options><client_options1>0x0001f438</client_options1><connect_options>0x00000001</connect_options><packet_data_size>8000</packet_data_size><address>10.153.63.59</address><is_dac>0</is_dac></action_info>","user_defined_information":"","application_name":".Net SqlClient Data Provider","connection_id":"284D6271-94AD-4719-BA5A-A2834CA24F82","data_sensitivity_information":"","host_name":"HOSNAME","session_context":"","is_server_level_audit":"true","event_id":"F4FBD375-7F97-40F7-8C40-833D59CCC3D1"}}
QRadar field name | Payload field name |
---|---|
Event ID | The Event ID is built from the category and action_name field values, lower-cased and joined with an underscore. For example, "category":"SQLSecurityAuditEvents" and "action_name":"LOGIN SUCCEEDED" results in an Event ID value of "sqlsecurityauditevents_login succeeded". |
Event category | The Event category is located in the resourceId field after the PROVIDERS keyword. For example, MICROSOFT.SQL. |
Device Time | time |
Username | server_principal_name |
Source IP | client_ip |
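The mapping rules in the four tables above, applied in code. This is an added example, not QRadar's DSM or any IBM code: it parses the LEEF line of sample 1 and the Event Hubs JSON records of samples 2 to 4 (trimmed copies of the samples, constructed inline, with a made-up caller IP in the storage sample because the page shows a placeholder there) and returns the QRadar fields each table lists. The function names are this example's own, and the Java date-token translation covers only the tokens that appear in the sample's devTimeFormat.

```python
"""Map this page's Azure sample events to the QRadar fields the tables list.
Added example, not IBM's QRadar DSM code: it implements only the mapping rules
the tables state. Inputs are trimmed copies of samples 1 to 4, constructed
here; the caller IP in the storage sample is made up."""
import json
import re
from datetime import datetime, timezone

# Java SimpleDateFormat tokens -> strptime directives; only the tokens in the
# LEEF sample's devTimeFormat are covered (an assumption of this example).
_JAVA_TO_STRPTIME = {"MMM": "%b", "dd": "%d", "yyyy": "%Y",
                     "HH": "%H", "mm": "%M", "ss": "%S"}

def parse_leef(line):
    """Return (event_id, attrs) from a LEEF 1.0 line. The sample separates
    attributes with spaces and its values contain spaces too, so a value runs
    from its 'key=' to the next 'key=' that starts at a word boundary."""
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 line")
    event_id, attr_text = parts[4], parts[5]
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", attr_text))
    attrs = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(attr_text)
        attrs[m.group(1)] = attr_text[m.end():end].strip()
    return event_id, attrs

def qradar_fields_from_leef(line):
    """Sample 1 mapping: header Event ID, cat, sev, src, usrName, devTime."""
    event_id, a = parse_leef(line)
    fmt = re.sub("|".join(_JAVA_TO_STRPTIME),
                 lambda m: _JAVA_TO_STRPTIME[m.group()], a["devTimeFormat"])
    return {"event_id": event_id, "event_category": a.get("cat"),
            "severity": int(a["sev"]), "source_ip": a.get("src"),
            "username": a.get("usrName"),
            "device_time": datetime.strptime(a["devTime"], fmt)}

def parse_azure_time(value):
    """Azure timestamps carry seven fractional digits and a trailing Z, which
    strptime rejects: truncate to microseconds and attach UTC explicitly."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unexpected Azure timestamp {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def event_category(resource_id):
    """Event category is the resourceId segment after PROVIDERS, e.g. MICROSOFT.SQL."""
    segments = resource_id.upper().split("/")
    if "PROVIDERS" not in segments:
        return None
    idx = segments.index("PROVIDERS") + 1
    return segments[idx] if idx < len(segments) else None

def qradar_fields_from_json(text):
    """Samples 2 to 4 mapping for Event Hubs JSON records."""
    record = json.loads(text)
    record = record.get("eventHubsAzureRecord", record)  # Key Vault envelope
    props = record.get("properties") or {}
    if "action_name" in props:  # SQL audit: category + action_name, lower-cased
        event_id = f"{record.get('category', '')}_{props['action_name']}".lower()
    else:
        event_id = record.get("operationName")
    return {"event_id": event_id,
            "event_category": event_category(record.get("resourceId", "")),
            # callerIpAddress is empty in the Key Vault sample; SQL audit has client_ip
            "source_ip": record.get("callerIpAddress") or props.get("client_ip") or None,
            "username": props.get("server_principal_name") or None,
            "device_time": parse_azure_time(record["time"])}

# Constructed inputs: trimmed copies of samples 1 to 4 above.
SAMPLE_LEEF = ("LEEF:1.0|Microsoft|Azure Resource Manager|1.0|"
               "MICROSOFT.CLASSICCOMPUTE/VIRTUALMACHINES/RESTART/ACTION|"
               "devTime=Jun 07 2016 17:04:26 devTimeFormat=MMM dd yyyy HH:mm:ss "
               "cat=MICROSOFT.CLASSICCOMPUTE src=10.0.0.2 usrName=name@example.com "
               "sev=4 resource=testvm resourceGroup=Test Resource Group "
               "description=Restart a Virtual Machine")
SAMPLE_STORAGE = json.dumps({
    "time": "2017-09-14T11:47:36.3237658Z",
    "resourceId": "/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/",
    "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
    "category": "Action", "callerIpAddress": "203.0.113.7"})  # made-up caller IP
SAMPLE_KEYVAULT = json.dumps({"eventHubsAzureRecord": {
    "time": "2016-03-02T04:31:28.6127743Z",
    "resourceId": "/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/AZLOGTEST",
    "operationName": "SecretGet", "category": "AuditEvent", "callerIpAddress": ""}})
SAMPLE_SQL = json.dumps({
    "time": "2020-07-19T05:26:01.5260341Z",
    "resourceId": "/SUBSCRIPTIONS/ACCOUNT/RESOURCEGROUPS/RESOURCEGROUP/PROVIDERS/MICROSOFT.SQL/MANAGEDINSTANCES/SERVER-NAME",
    "category": "SQLSecurityAuditEvents", "operationName": "AuditEvent",
    "properties": {"action_name": "LOGIN SUCCEEDED", "client_ip": "10.242.142.140",
                   "server_principal_name": "LoginName"}})

if __name__ == "__main__":
    print(qradar_fields_from_leef(SAMPLE_LEEF))
    for sample in (SAMPLE_STORAGE, SAMPLE_KEYVAULT, SAMPLE_SQL):
        print(qradar_fields_from_json(sample))
```

Two details matter when checking an integration against these samples. The Key Vault record carries an empty callerIpAddress, so Source IP is legitimately absent there rather than a parsing failure, while the SQL audit record has no callerIpAddress at all and Source IP must come from properties.client_ip. The Azure timestamps have seven fractional digits and a trailing Z, which many date parsers reject outright; normalising them before parsing (as above) avoids falling back to the collection time as Device Time.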