IBM Security Trusteer sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

IBM Security Trusteer sample messages when you use the HTTP Receiver protocol

Sample 1:

The following sample event message shows that the same device made multiple suspicious access attempts. It also shows that the event was generated from the user IP address 10.0.0.2 (the value of last_user_ip and x_forwarded_for in the payload).

{"feed_name":"account_takeover","version":"9","datetime":"2020-06-10 07:32:29","event_id":"e783d0dc7ae","last_user_ip":"10.0.0.2","last_user_ipv6":null,"app_name":"trusteerqa_business","detected_at":"http://host.domain2.test","activity":"policy58","translated_recommendation":null,"recommendation_reason_text":"Suspicious multiple accesses pattern from the same device","recommendation_reason_id":58,"risk_score":950,"resolution_id":"qnuwkfqcdajojinseudfxbhftlimptpu","policy_manager_recommendation":null,"policy_manager_reason":null,"policy_manager_reason_id":null,"policy_manager_risk_score":null,"persistent_device_id":"N/A","new_device_indication_zero_one":0,"country":null,"region":null,"city":null,"isp":null,"organization":null,"useragent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/72.0.3626.121 Safari/537.36","referrer":"","x_forwarded_for":"10.0.0.2","screen_resolution":null,"screen_dpi":24,"screen_touch":0,"client_time_zone":0,"rapport_machine_id":"","client_language":"en-US","platform":"Linux x86_64","cpu":"Linux x86_64","os":"Linux","accept_encoding":"gzip, deflate","mimes":0,"navigator_props":4231119849,"browser_version":"72.0.3626","client_charset":"UTF-8","browser":"Chrome","accept_charset":"","accept_language":"","network_data":"10.0.0.2","plugins":0,"malware_logical_name":"","infection_severity":"high","malware_signature":null,"formatted_is_targeted":"Maybe","encrypted_user_id":"","encryption_key_id":"trusteerqa.1.20110112-102448","app_id":"multi_login_tma","customer_session_id":"2s3as2jek91t98mb3mggkrt881","persistent_user_id":"aaaabbbbcccc0006"}

Table 1. Highlighted fields

QRadar field name   Highlighted payload field name
-----------------   ------------------------------
Event ID            recommendation_reason_id
Event Name          recommendation_reason_text
Source IP           last_user_ip
Device Time         datetime

Sample 2 (with IPv6):

The following sample event message shows that unusual activity from a suspicious device that uses the Tor browser was detected. It also shows that the event was generated from the user IP address 10.10.0.2 (carried in x_forwarded_for, since last_user_ip is null and the client address is reported in last_user_ipv6).

{"feed_name":"account_takeover","version":"9","datetime":"2018-08-07 12:11:31","event_id":"ecdc7245542","last_user_ip":null,"last_user_ipv6":"2001:DB8:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF","app_name":"tma2","detected_at":"https://host.domain.test","activity":"login","translated_recommendation":"Alert","recommendation_reason_text":"Unusual activity from a suspicious device using the Tor browser","recommendation_reason_id":71,"risk_score":114,"resolution_id":"zguiblxuursugnjtulwawxhcmwixsfbs","policy_manager_recommendation":null,"policy_manager_reason":null,"policy_manager_reason_id":null,"policy_manager_risk_score":null,"persistent_device_id":"N/A","new_device_indication_zero_one":0,"country":"US","region":"99","city":null,"isp":"This is some ISP text","organization":"Test Organization","useragent":"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko","referrer":"/test/test/TAF","x_forwarded_for":"10.10.0.2","screen_resolution":null,"screen_dpi":8,"screen_touch":5,"client_time_zone":0,"rapport_machine_id":"-","client_language":"tr-TR","platform":"Linux x86_64","cpu":"Linux x86_64","os":"Windows 7","accept_encoding":"gzip, deflate, br","mimes":0,"navigator_props":4168486725,"browser_version":"11.0","client_charset":"UTF-8","browser":"IE","accept_charset":"","accept_language":"tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3","network_data":"10.10.0.2","plugins":3,"malware_logical_name":"","infection_severity":"high","malware_signature":null,"formatted_is_targeted":"Maybe","encrypted_user_id":"14D007Bc5cABF5dB23a24CB6CEF7a903f677a43Fbf27EaC34d0bE3242477337f8CF38A65c357b34480AFaBaaC8aBc60d6F8c3B05fdcbB1eDBaaF5fCd5eb8b704Eeac1F05a0a9067cEb9bc0AedA7aa9aF0016D1cA6C2AD3cEF6D22fb6B9E976ffbCcD60652Ca4Fc2EA0A8559AD4bc0c4FfE7c3537Bc3fdacaC9a322c4fC96d5cb05320E7FBAeac5E2a89aD5DAbcBF4575e205bc5a0DF35e06c2026C3df1D8728bAf1aD3120DC0","encryption_key_id":"","app_id":"tma2","customer_session_id":"ADf9FbFe9C01FDc5251FdFeEDCe16Cfa","persistent_user_id":"aaaabbbbcccc0002"}

Table 2. Highlighted fields

QRadar field name   Highlighted payload field name
-----------------   ------------------------------
Event ID            recommendation_reason_id
Event Name          recommendation_reason_text
Source IP           last_user_ip
Device Time         datetime
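The following Python example, added here and not part of IBM's documentation or the QRadar DSM, applies the field mapping from Tables 1 and 2 to both sample messages so that you can check what QRadar should show for each event. It strips the carriage returns and line feeds that a copy-paste may have introduced (the "Important" note above), parses the JSON, and validates the address with the standard ipaddress module. Two behaviours go beyond what the page states and are assumptions: when last_user_ip is null, the example falls back to last_user_ipv6 for Source IP, and the datetime value is treated as UTC. The two inputs are constructed, abridged versions of Sample 1 and Sample 2 with the fields the mapping needs.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed inputs, abridged from the two sample messages on this page.
# The IPv4 one has CR/LF inserted on purpose, as a paste from a formatted
# page might produce; the IPv6 one has last_user_ip set to null.
SAMPLE_IPV6 = (
    '{"feed_name":"account_takeover","version":"9",'
    '"datetime":"2018-08-07 12:11:31","event_id":"ecdc7245542",'
    '"last_user_ip":null,'
    '"last_user_ipv6":"2001:DB8:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF",'
    '"recommendation_reason_text":'
    '"Unusual activity from a suspicious device using the Tor browser",'
    '"recommendation_reason_id":71,"risk_score":114,'
    '"x_forwarded_for":"10.10.0.2"}'
)
SAMPLE_IPV4_WRAPPED = (
    '{"feed_name":"account_takeover","version":"9",\r\n'
    '"datetime":"2020-06-10 07:32:29","event_id":"e783d0dc7ae",\r\n'
    '"last_user_ip":"10.0.0.2","last_user_ipv6":null,\r\n'
    '"recommendation_reason_text":'
    '"Suspicious multiple accesses pattern from the same device",\r\n'
    '"recommendation_reason_id":58,"risk_score":950,\r\n'
    '"x_forwarded_for":"10.0.0.2"}'
)

REQUIRED_FIELDS = ("recommendation_reason_id", "recommendation_reason_text", "datetime")


def normalize_event(raw: str) -> dict:
    """Map one Trusteer JSON event to the QRadar fields in Tables 1 and 2.

    Raises ValueError if the message is not usable, so a broken paste or a
    truncated event fails loudly instead of producing a half-filled record.
    """
    # JSON string values cannot contain raw CR/LF, so removing every CR/LF
    # only undoes line wrapping and never alters a field value.
    cleaned = raw.replace("\r", "").replace("\n", "")
    try:
        event = json.loads(cleaned)
    except json.JSONDecodeError as exc:
        raise ValueError(f"event is not valid JSON: {exc}") from exc

    missing = [k for k in REQUIRED_FIELDS if k not in event]
    if missing:
        raise ValueError(f"event is missing required field(s): {missing}")

    # Device Time: the feed uses "YYYY-MM-DD HH:MM:SS" with no zone;
    # treating it as UTC is an assumption, not something the page states.
    device_time = datetime.strptime(event["datetime"], "%Y-%m-%d %H:%M:%S")
    device_time = device_time.replace(tzinfo=timezone.utc)

    # Source IP: the table maps last_user_ip; falling back to last_user_ipv6
    # when that is null is an assumption made for this example.
    raw_ip = event.get("last_user_ip") or event.get("last_user_ipv6")
    if raw_ip is None:
        raise ValueError("event carries neither last_user_ip nor last_user_ipv6")
    source_ip = ipaddress.ip_address(raw_ip)  # rejects malformed addresses

    return {
        "event_id": event["recommendation_reason_id"],
        "event_name": event["recommendation_reason_text"],
        "source_ip": str(source_ip),  # canonical (lower-case, compressed) form
        "ip_version": source_ip.version,
        "device_time": device_time.isoformat(),
        "risk_score": event.get("risk_score"),
        # Kept for triage: in Sample 2 this carries the 10.10.0.2 address
        # that the page's description refers to.
        "x_forwarded_for": event.get("x_forwarded_for"),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_IPV4_WRAPPED, SAMPLE_IPV6):
        print(json.dumps(normalize_event(sample), indent=2))
```

Running the block prints the normalized record for each sample; compare the event_id, event_name, source_ip and device_time values with what the QRadar Log Activity tab shows for the corresponding test event. Note that for Sample 2 the mapped Source IP comes from the IPv6 fallback, because last_user_ip is null in that message, while the IPv4 address 10.10.0.2 is only present in x_forwarded_for.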