Fair Warning sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Fair Warning sample message when you use the Log File protocol
Sample 1: The following sample event message shows an employee snooping alert as reported by the Fair Warning DSM.
FairWarning::Alert Time Stamp=2010-08-06 19:25:29.0 Alert ID=71 Alert Name=Epic: Employee Snooping Event Source=Epic HS Category=HIPAA Best Practice Severity=high Timestamp=2010-08-05 00:00:01.0 Event ID=1155646552611 User ID=111 User Name=Test User User First Name=Test User Last Name=User Patient ID=1111 Patient Name=Admin root Patient First Name=Admin Patient Last Name=root Event Type=PATIENT CLINICAL INFO Event Description=MR_REPORTS Workstation ID=11111.11 Workstation IP=10.16.22.21 FileName=/path/test.txt
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | Epic: Employee Snooping |
| Source IP | 10.16.22.21 |
| Username | Test User |
| Device Time | Aug 6, 2010, 7:25:29 PM (extracted from date and time fields) |
Sample 2: The following sample event message shows excess failed logins.
FairWarning::Alert Time Stamp=2010-08-08 19:35:45.0 Alert ID=86 Alert Name=Epic Failed Logins- Exceeding Thresholds Event Source=Epic Failed Logins Category=Medical Identity Theft Severity=high Timestamp=2010-08-07 08:26:00.0 Event ID=1155644965984 User ID=2222 User Name=TestTest UserUser User First Name=TestTest User Last Name=UserUser Department=AA Application=111111-2222222.2 Event Description=A setup or operations error occured. Please consult a system administrator Details: Epic LDAP User (extended) login failed 49-ELDAP_FAIL_SBIND:failed to sbind (bind+search) using given credentials 49:Invalid credentials Workstation IP=10.251.243.41 FileName=/path/test.txt
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | Epic Failed Logins- Exceeding Thresholds |
| Source IP | 10.251.243.41 |
| Username | TestTest UserUser |
| Device Time | Aug 8, 2010, 7:35:45 PM (extracted from date and time fields) |
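The two tables above show which parts of each payload QRadar pulls into its normalized fields. Because both the keys ("Alert Time Stamp", "User First Name") and the values ("Epic: Employee Snooping", "TestTest UserUser") contain spaces, the payload cannot simply be split on whitespace or on "="; it has to be cut at the positions of the known "Key=" markers. The following is an added example, not IBM's DSM parser or any Fair Warning code: it parses the two sample payloads from this page with that marker-based approach and maps them onto the QRadar field names in the tables. The key list is assumed from the keys visible in the two samples, and the required-key check is an assumption about how a practitioner would want a malformed payload to fail.

```python
import re
from datetime import datetime

# Keys observed in the two Fair Warning samples on this page (assumed to be
# the full set for this example). Keys and values both contain spaces, so the
# payload is split by locating "Key=" markers; each value runs up to the next
# marker or the end of the payload.
KNOWN_KEYS = [
    "Alert Time Stamp", "Alert ID", "Alert Name", "Event Source", "Category",
    "Severity", "Timestamp", "Event ID", "User ID", "User Name",
    "User First Name", "User Last Name", "Patient ID", "Patient Name",
    "Patient First Name", "Patient Last Name", "Event Type",
    "Event Description", "Workstation ID", "Workstation IP", "Department",
    "Application", "FileName",
]

# Longest keys first, and no letter directly before the key, so that a longer
# key is never matched as a shorter one embedded inside it.
_KEY_RE = re.compile(
    r"(?<![A-Za-z])("
    + "|".join(re.escape(k) for k in sorted(KNOWN_KEYS, key=len, reverse=True))
    + r")="
)

PREFIX = "FairWarning::"

# Keys the QRadar field mapping below needs; missing ones make the payload
# unusable for normalization, so fail loudly instead of returning partial data.
REQUIRED_KEYS = ("Alert Time Stamp", "Alert Name", "User Name", "Workstation IP")

# Sample payloads copied from this page (not constructed).
SAMPLE_1 = ("FairWarning::Alert Time Stamp=2010-08-06 19:25:29.0 Alert ID=71 "
            "Alert Name=Epic: Employee Snooping Event Source=Epic HS Category=HIPAA "
            "Best Practice Severity=high Timestamp=2010-08-05 00:00:01.0 "
            "Event ID=1155646552611 User ID=111 User Name=Test User User First Name=Test "
            "User Last Name=User Patient ID=1111 Patient Name=Admin root "
            "Patient First Name=Admin Patient Last Name=root Event Type=PATIENT CLINICAL INFO "
            "Event Description=MR_REPORTS Workstation ID=11111.11 Workstation IP=10.16.22.21 "
            "FileName=/path/test.txt")
SAMPLE_2 = ("FairWarning::Alert Time Stamp=2010-08-08 19:35:45.0 Alert ID=86 "
            "Alert Name=Epic Failed Logins- Exceeding Thresholds Event Source=Epic Failed Logins "
            "Category=Medical Identity Theft Severity=high Timestamp=2010-08-07 08:26:00.0 "
            "Event ID=1155644965984 User ID=2222 User Name=TestTest UserUser "
            "User First Name=TestTest User Last Name=UserUser Department=AA "
            "Application=111111-2222222.2 Event Description=A setup or operations error "
            "occured. Please consult a system administrator Details: Epic LDAP User (extended) "
            "login failed 49-ELDAP_FAIL_SBIND:failed to sbind (bind+search) using given "
            "credentials 49:Invalid credentials Workstation IP=10.251.243.41 "
            "FileName=/path/test.txt")


def parse_fairwarning(payload: str) -> dict:
    """Split one Fair Warning payload into a {key: value} dict."""
    body = payload.strip()
    if not body.startswith(PREFIX):
        raise ValueError("not a FairWarning payload")
    body = body[len(PREFIX):]
    markers = list(_KEY_RE.finditer(body))
    fields = {}
    for i, m in enumerate(markers):
        # Value ends where the next known "Key=" marker begins.
        end = markers[i + 1].start() if i + 1 < len(markers) else len(body)
        fields[m.group(1)] = body[m.end():end].strip()
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if missing:
        raise ValueError(f"payload is missing required keys: {missing}")
    return fields


def to_qradar_fields(fields: dict) -> dict:
    """Map parsed keys onto the QRadar field names shown in the tables."""
    # "2010-08-06 19:25:29.0" -> "Aug 6, 2010, 7:25:29 PM" (formatted by hand
    # so the result does not depend on platform-specific strftime flags).
    dt = datetime.strptime(fields["Alert Time Stamp"], "%Y-%m-%d %H:%M:%S.%f")
    device_time = f"{dt:%b} {dt.day}, {dt.year}, {dt.hour % 12 or 12}:{dt:%M:%S} {dt:%p}"
    return {
        "Event ID": fields["Alert Name"],
        "Source IP": fields["Workstation IP"],
        "Username": fields["User Name"],
        "Device Time": device_time,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        for name, value in to_qradar_fields(parse_fairwarning(sample)).items():
            print(f"{name}: {value}")
        print()
```

Run as a script, it prints the same four normalized fields for each sample that the tables above list. Note that the Event Description in Sample 2 contains free text with colons and parentheses; the marker-based split keeps all of it intact because only a known key immediately followed by "=" ends a value.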