Fair Warning sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Fair Warning sample message when you use the Log File protocol

Sample 1: The following sample event message shows that an employee is snooping in the Fair Warning DSM.

FairWarning::Alert Time Stamp=2010-08-06 19:25:29.0     Alert ID=71     Alert Name=Epic: Employee Snooping      Event Source=Epic HS    Category=HIPAA Best Practice    Severity=high   Timestamp=2010-08-05 00:00:01.0 Event ID=1155646552611  User ID=111     User Name=Test User     User First Name=Test    User Last Name=User     Patient ID=1111 Patient Name=Admin root Patient First Name=Admin        Patient Last Name=root  Event Type=PATIENT CLINICAL INFO        Event Description=MR_REPORTS    Workstation ID=11111.11 Workstation IP=10.16.22.21      FileName=/path/test.txt
Table 1. Highlighted values in the Fair Warning event
QRadar field name Highlighted values in the event payload
Event ID Epic: Employee Snooping
Source IP 10.16.22.21
Username Test User
Device Time Aug 6, 2010, 7:25:29 PM (extracted from date and time fields)

Sample 2: The following sample event message shows excess failed logins.

FairWarning::Alert Time Stamp=2010-08-08 19:35:45.0     Alert ID=86     Alert Name=Epic Failed Logins- Exceeding Thresholds     Event Source=Epic Failed Logins Category=Medical Identity Theft Severity=high   Timestamp=2010-08-07 08:26:00.0 Event ID=1155644965984  User ID=2222    User Name=TestTest UserUser     User First Name=TestTest        User Last Name=UserUser Department=AA   Application=111111-2222222.2    Event Description=A setup or operations error occured. Please consult a system administrator    Details:   Epic LDAP User (extended) login failed  49-ELDAP_FAIL_SBIND:failed to sbind (bind+search) using given credentials  49:Invalid credentials    Workstation IP=10.251.243.41    FileName=/path/test.txt
Table 2. Highlighted values in the Fair Warning sample event
QRadar field name Highlighted values in the event payload
Event ID Epic Failed Logins- Exceeding Thresholds
Source IP 10.251.243.41
Username TestTest UserUser
Device Time Aug 8, 2010, 7:35:45 PM (extracted from date and time fields)