IBM Security Verify sample event messages
Use these sample event messages to verify a successful integration with IBM® QRadar®.
Important: Because of formatting issues on this page, some values (for example, the correlation ID) are split across two lines. Paste each sample message into a text editor and remove any carriage return or line feed characters that break a line inside a value before you use it.
IBM Security Verify sample messages when you use the IBM Security Verify Event Service protocol
Sample 1: The event name for the following sample event message is Created API Client Success. The low-level category is Create activity succeeded:
{
"geoip":
{
"continent_name":"North America",
"country_iso_code":"CA",
"country_name":"Canada",
"location":
{
"lon":"-65.8609",
"lat":"44.9727"
}
},
"data":
{
"result":"success",
"api_grant_type":"authorization_code",
"clientid":"00000000-0000-0000-0000-000000000000",
"performedby":"0000000AB1",
"performedby_type":"user",
"resource":"api_client",
"origin":"10.0.0.1",
"performedby_username":"username@domain.test",
"action":"created",
"devicetype":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0",
"performedby_realm":"www.domain.test",
"target":"targetName"
},
"year":2019,
"event_type":"management",
"month":10,
"indexed_at":1571149251435,
"@processing_time":139,
"tenantid":"11111111-1111-1111-1111-111111111111",
"tenantname":"tenant.host.domain.test",
"correlationid":"CORR_ID-22222222-2222-2222-2222-222222222222",
"servicename":"apisecurity",
"id":"33333333-3333-3333-3333-333333333333",
"time":1571149251296,
"day":15
}
Sample 2: The event name for the following sample event message is Federation Login Success. The low-level category is User Login Success:
{
"geoip":
{
"continent_name":"North America",
"city_name":"Saint John",
"country_iso_code":"CA",
"country_name":"Canada",
"region_name":"New Brunswick",
"location":
{
"lon":"-65.8609",
"lat":"44.9727"
}
},
"data":
{
"sourceinstance":"tenant.host.domain.test",
"subject":"A1B2C3D4E5",
"origin":"10.0.0.1",
"devicetype":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0",
"target":"https://tenant.host.domain.test/idaas/mtfim/sps/idaas/login/saml20/callback",
"result":"success",
"relaystate":"",
"subtype":"federation",
"primaryRealm":"cloudIdentityRealm",
"providerid":"https://domain.test/isam/sps/orgci/saml20",
"idAttribute":"userID",
"host":"saml_runtime",
"action":"login",
"sourcetype":"saml",
"realm":"tenant.host.domain.test",
"username":"username@domain.test"
},
"year":2019,
"event_type":"authentication",
"month":10,
"indexed_at":1572466567428,
"@processing_time":8,
"tenantid":"66666666-6666-6666-6666-666666666666",
"tenantname":"tenant.host.domain.test",
"correlationid":"CORR_ID-77777777-7777-7777-7777-777777777777",
"servicename":"saml_runtime",
"id":"88888888-8888-8888-8888-888888888888",
"time":1572466567420,
"day":30
}
Sample 3: The event name for the following sample event message is SSO Login Success. The low-level category is User Login Success:
{
"geoip":
{
"continent_name":"North America",
"country_iso_code":"CA",
"country_name":"Canada",
"location":
{
"lon":"-65.8609",
"lat":"44.9727"
}
},
"data":
{
"redirecturl":"UNKNOWN",
"origin":"10.0.0.1",
"count":1,
"client_type":"public",
"userid":"A1B2C3D4E5",
"client_id":"00000000-0000-0000-0000-000000000000",
"devicetype":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0",
"applicationname":"ROPC",
"result":"success",
"subtype":"oidc",
"grant_type":"password",
"grant_id":"11111111-1111-1111-1111-111111111111",
"host":"oidc_rt",
"realm":"cloudIdentityRealm",
"applicationid":"0000000000000000001",
"client_name":"ROPC",
"applicationtype":"Custom Application",
"username":"username@domain.test"
},
"year":2019,
"event_type":"sso",
"month":10,
"indexed_at":1572287745188,
"@processing_time":16,
"tenantid":"CORR_ID-33333333-3333-3333-3333-333333333333",
"tenantname":"tenant.host.domain.test",
"correlationid":"CORR_ID-44444444-4444-4444-4444-444444444444",
"servicename":"oidc_rt",
"id":"55555555-5555-5555-5555-555555555555",
"time":1572287745172,
"day":28,
"application_info":
{
"name":"AppName",
"type":"Custom Application"
}
}
Sample 4: The event name for the following sample event message is Potential credential stuffing attack (SSO). The low-level category is Brute force login:
{
"event_type": "threat",
"data": {
"date": "2023-02-14",
"top5_affected_data_scope": "{'openid': 3210}",
"most_significant_data_redirecturl": [
"UNKNOWN"
],
"top5_affected_data_applicationname": "{'SSO Custom Application': 3210}",
"suspicious_ips": "[['ip', 'fail_percentage', 'failure_count', 'success_count'], ['10.0.0.1', 94.63, 1268, 72], ['10.0.0.2', 97.61, 654, 16], ['10.0.0.4', 97.61, 654, 16], ['10.0.0.3', 94.63, 634, 36]]",
"impacted_apps_count": 1,
"top5_affected_data_username": "{'test2': 846, 'test3': 650, 'test4': 620, 'test5': 610, 'test': 484}",
"top5_affected_data_cause": "{'test The user name or password is invalid.': 3210}",
"source": "[('tenantid', '1113f410-1111-2222-3333-e5458bbbbbb'), ('tenantname', 'test.example.com'), ('data.result', 'failure')]",
"most_significant_data_client_name": [
"SSO Custom Application"
],
"top5_affected_servicename": "{'oidc_rt': 3210}",
"most_significant_geoip_country_name": [
"xx"
],
"xfe_threat_insight": "Found 0 known malicious IPs.",
"top5_affected_tenantid": "{'1113f410-1111-2222-3333-e5458bbbbbb': 3210}",
"top5_affected_data_client_name": "{'SSO Custom Application': 3210}",
"top5_affected_tenantname": "{'test.example.com': 3210}",
"top5_affected_data_providerid": "{}",
"most_significant_servicename": [
"oidc_rt"
],
"anomalous_event_count": 3030,
"most_significant_data_applicationname": [
"SSO Custom Application"
],
"most_significant_tenantname": [
"test.example.com"
],
"most_significant_data_scope": [
"openid"
],
"summary": "Potential credential stuffing attack (SSO): 3030 anomalous events are observed, beyond normal traffic volume, from 2023-02-14 13:00:00 UTC to 2023-02-14 14:00:00 UTC.",
"severity": "warning",
"rule_name": "Potential credential stuffing attack (SSO)",
"impacted_user_count": 5,
"end_time": "2023-02-14 14:00:00",
"anomalous_suspicious_ips": [
"10.0.0.1",
"10.0.0.2",
"10.0.0.4",
"10.0.0.3"
],
"index": "event-sso-*",
"most_significant_tenantid": [
"1113f410-1111-2222-3333-e5458bbbbbb"
],
"most_significant_data_cause": [
"test The user name or password is invalid."
],
"xfe_confirmed_malicious_ips": [
],
"top5_affected_data_subtype": "{'oidc': 3210}",
"most_significant_data_subtype": [
"oidc"
],
"rule_id": "CREDENTIAL_STUFFING_SSO",
"most_significant_data_providerid": [
],
"top5_affected_geoip_country_name": "{'xx': 3210}",
"start_time": "2023-02-14 13:00:00",
"component": "Login activity",
"normal_traffic_volume": 180,
"compromised_users": "{'10.0.0.1': ['test2'], '10.0.0.3': ['test2'], '10.0.0.2': ['test2'], '10.0.0.4': ['test2']}",
"top5_affected_data_redirecturl": "{'UNKNOWN': 3210}",
"most_significant_data_username": [
"test2",
"test3",
"test4",
"test5"
]
},
"month": 2,
"indexed_at": 1676383236391,
"year": 2023,
"tenantid": "1113f410-1111-2222-3333-e5458bbbbbb",
"tenantname": "test.example.com",
"servicename": "Anomaly-Detector",
"links": {
"href": "https://test.example.com:5095",
"text": "Kibana discover dashboard link"
},
"id": "1113f410-1111-2222-3333-e5458bbbbbb",
"time": 1676383200000,
"day": 14
}