AWS Verified Access sample event messages
Use these sample event messages to verify a successful integration with IBM® QRadar®.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
AWS Verified Access sample messages when you use the Amazon REST API protocol
Sample 1: The following sample event message shows that access to an application is granted.
2023-02-16T20:43:03.713Z{"activity":"Access Granted","activity_id":"1","category_name":"Application Activity","category_uid":"8","class_name":"Access Logs","class_uid":"208001","device":{"ip":"10.0.0.1","os":{"name":"Windows 11","type":"Windows","type_id":100},"type":"Unknown","type_id":0,"uid":"99c111111111740d3a2222222f4ba65a","hw_info":{"serial_number":"ec211111b-2222-3333-438b-52fd84444f05"}},"duration":"0.185","end_time":"1676046036224","time":"1676046036224","http_request":{"http_method":"GET","url":{"hostname":"test.exmple.com","path":"/","port":443,"scheme":"h2","text":"https://test.example.com:443/"},"user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36","version":"HTTP/2.0"},"http_response":{"code":200},"identity":{"authorizations":[{"decision":"Allow","policy":{"name":"inline"}},{"decision":"Allow","policy":{"name":"inline"}}],"idp":{"name":"idc","uid":"vatp-03870111111e9779af"},"user":{"email_addr":"test@example.com","name":"testuser","uid":"281111e0-2222-33333-a99e-e59444037876"}},"message":"","metadata":{"uid":"Root=1-6311111d4-57b0b8e7722222226c26acae","logged_time":1676046491347,"version":"","product":{"name":"Verified Access","version":"0.1","vendor_name":"AWS"}},"ref_time":"2023-02-10T16:20:36.224567Z","proxy":{"ip":"10.0.0.2","port":443,"svc_name":"Verified Access","uid":"vai-01a31111151959c75"},"severity":"Informational","severity_id":"1","src_endpoint":{"ip":"10.0.0.1","port":49339},"start_time":"1676046036039","status_code":"100","status_details":"Access Granted","status_id":"1","status":"Success","type_uid":"20800101","type_name":"AccessLogs: Access Granted","unmapped":null}

| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | Access Granted |
| Event Category | In QRadar, the value is AWSVerifiedAccess |
| Timestamp | 1676046036224 |
| Src IP | 10.0.0.1 |
| Src Port | 49339 |
| Username | testuser |
Sample 2: The following sample event message shows that access to an application is denied.
2023-02-16T20:43:03.713Z{"activity":"Access Denied","activity_id":"2","category_name":"Application Activity","category_uid":"8","class_name":"Access Logs","class_uid":"208001","device":null,"duration":"0.001","end_time":"1676241408699","time":"1676241408699","http_request":{"http_method":"GET","url":{"hostname":"test.example.com","path":"/","port":443,"scheme":"https","text":"https://test.example.com:443/"},"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36","version":"HTTP/1.1"},"http_response":{"code":400},"identity":null,"message":"","metadata":{"uid":"Root=1-11111111-7b1b7c702222236d4d63390b","logged_time":1676241792675,"version":"","product":{"name":"Verified Access","version":"0.1","vendor_name":"AWS"}},"ref_time":"2023-02-12T22:36:48.699777Z","proxy":{"ip":"10.0.0.2","port":443,"svc_name":"Verified Access","uid":"vai-01a32222251959c75"},"severity":"Informational","severity_id":"1","src_endpoint":{"ip":"10.0.0.1","port":53511},"start_time":"1676241408698","status_code":"200","status_details":"Authentication Denied","status_id":"2","status":"Failure","type_uid":"20800102","type_name":"AccessLogs: Access Denied","unmapped":null}

| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | Authentication Denied |
| Event Category | In QRadar, the value is AWSVerifiedAccess |
| Timestamp | 1676241408699 |
| Src Port | 53511 |
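The following added example (not part of the IBM documentation or the QRadar DSM) shows how to split a Verified Access event into its leading ISO 8601 timestamp and JSON body and pull out the same fields the tables above highlight; it strips the carriage return and line feed characters the note at the top warns about, and returns None for Username when `identity` is null, as in the Access Denied sample. The two embedded inputs are constructed, abridged versions of the page's samples.

```python
import json
import re
from typing import Any, Dict, Optional

# An event is an ISO 8601 timestamp immediately followed by a JSON object.
PREFIX_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)\s*(\{.*\})$"
)


def _dig(obj: Any, *keys: str) -> Optional[Any]:
    """Walk nested dicts; return None if any level is missing or null."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def parse_verified_access_event(raw: str) -> Dict[str, Any]:
    """Map one raw event to the QRadar field names used in the tables above."""
    # Remove CR/LF that pasting may have introduced, as the page's note advises.
    cleaned = raw.replace("\r", "").replace("\n", "").strip()
    match = PREFIX_RE.match(cleaned)
    if not match:
        raise ValueError("expected an ISO 8601 timestamp followed by a JSON object")
    received_at, body = match.group(1), json.loads(match.group(2))
    return {
        "received_at": received_at,
        "Event ID": body.get("status_details"),
        "Event Category": "AWSVerifiedAccess",
        "Timestamp": body.get("time"),
        "Src IP": _dig(body, "src_endpoint", "ip"),
        "Src Port": _dig(body, "src_endpoint", "port"),
        "Username": _dig(body, "identity", "user", "name"),
        "HTTP Status": _dig(body, "http_response", "code"),
    }


# Constructed, abridged forms of the page's two samples (not the full payloads).
SAMPLE_GRANTED = (
    '2023-02-16T20:43:03.713Z{"activity":"Access Granted","time":"1676046036224",'
    '"identity":{"user":{"email_addr":"test@example.com","name":"testuser"}},'
    '"src_endpoint":{"ip":"10.0.0.1","port":49339},'
    '"status_details":"Access Granted","http_response":{"code":200}}'
)
SAMPLE_DENIED = (
    '2023-02-16T20:43:03.713Z\r\n{"activity":"Access Denied","time":"1676241408699",'
    '"identity":null,"src_endpoint":{"ip":"10.0.0.1","port":53511},'
    '"status_details":"Authentication Denied","http_response":{"code":400}}\n'
)
```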