ReaQta sample event messages
Use these sample event messages to verify a successful integration with IBM® QRadar®.
Important: Because of formatting issues, the sample message as printed can contain line breaks in the middle of the payload. Paste the message into a text editor and remove any carriage return or line feed characters before you use it.
IBM Security ReaQta sample message when you use the IBM Security ReaQta REST API protocol
The following sample event message shows the alert that was generated when a customer successfully enrolled with ReaQta.
{"id":"885873017052213250","localId":"885872997599021058","endpointId":"885857527403642880","triggerCondition":6,"endpoint":{"id":"885857527403642880","machineId":"eba24ff6f42f32e7b693b2aad82476c3612d934b08d0999ff0520a91d2871a45","osType":1,"cpuVendor":1,"arch":2,"cpuDescr":"Intel(R) Xeon(R) CPU X5650 @ 2.67GHz","kernel":"10.0","os":"Windows 10 Pro","name":"\","state":1,"registrationTime":"2022-07-14T13:21:32.973Z","agentVersion":"3.6.1","componentsVersions":[{"name":"keeper","version":"3.6.0","build":"19.1627291555548.commit"},{"name":"probos","version":"3.5.0","build":"3.5.0"},{"name":"rqtsentry","version":"3.6.1","build":"119.1632119719010.commit"},{"name":"rqtnetsentry","version":"3.6.0","build":"44.1627295520120.commit"},{"name":"installer","version":"3.6.1","build":""}],"isVirtualMachine":false,"isDomainController":false,"isServer":false,"sessionStart":"2022-07-14T13:21:36.953Z","sessionEnd":"2022-07-14T21:45:57.434Z","lastSeenAt":"2022-07-14T21:40:57.434Z","disconnectionReason":0,"localAddr":"10.0.0.119","hvStatus":0,"macs":["00:00:5e:00:53:ff"],"isolated":false,"connected":true,"tags":[],"groups":[{"id":"847194699834851335","name":"Digital Sales","description":"Digital Sales Group"}],"avInstalled":false},"triggerEvents":[{"id":"885873015911350273","category":"policies","localId":"885872997569660929","endpointId":"885857527403642880","receivedAt":"2022-07-14T14:23:05.718Z","happenedAt":"2022-07-14T14:23:01.345Z","relevance":88,"severity":"medium","trigger":true,"manuallyAdded":false,"process":{"id":"885857527403642880:7664:1657808581301","parentId":"885857527403642880:3172:1657804956599","endpointId":"885857527403642880","program":{"path":"c:\\users\\admin\\appdata\\roaming\\bittorrent\\bittorrent.exe","filename":"bittorrent.exe","md5":"3a72aae846afdd8c7f070f390a2151b0","sha1":"dadb6c535731cf4445ee8ce2c216585ccc80760b","sha256":"63a52c497a4a0f8c62d7686486fd3be8c3297024e336c0953ab2dcad9dceed3c","certInfo":{"signer":"BitTorrent Inc","issuer":"Symantec Class 3 
SHA256 Code Signing CA","trusted":true,"expired":false},"size":2106408,"arch":"x32","fsName":"bittorrent.exe"},"user":"DESKTOP-EXAMPLE123\\Admin","pid":7664,"startTime":"2022-07-14T14:23:01.301Z","ppid":3172,"pstartTime":"2022-07-14T13:22:36.599Z","userSID":"S-1-5-21-979315260-1110968185-3366233752-1001","privilegeLevel":"MEDIUM","noGui":false,"logonId":"0x41483"},"eventType":28,"data":{"matched":[{"policyId":"851883733567930372","versionId":"851883733567934469","policyTitle":"Hive-Cloud policy on: 63a52c497a4a0f8c62d7686486fd3be8c3297024e336c0953ab2dcad9dceed3c","policyDescription":"Automatic policy","scope":"global","groups":[],"matcher":{"id":"851883733567938566","hash":"63a52c497a4a0f8c62d7686486fd3be8c3297024e336c0953ab2dcad9dceed3c","alg":1,"type":2}}],"_t":"r"}}],"totalEventCount":34857,"byTypeEventCount":[{"type":37,"count":8297},{"type":12,"count":6663},{"type":5,"count":5267},{"type":65,"count":4395},{"type":8,"count":3420},{"type":21,"count":3257},{"type":38,"count":1765},{"type":7,"count":966},{"type":6,"count":744},{"type":57,"count":35},{"type":10,"count":20},{"type":2,"count":12},{"type":3,"count":5},{"type":11,"count":3},{"type":13,"count":3},{"type":9,"count":2},{"type":14,"count":1},{"type":28,"count":1},{"type":30,"count":1}],"impact":88,"severity":"medium","closed":true,"closedAt":"2022-07-14T14:24:50.582Z","activityState":"archived","terminationReason":0,"receivedAt":"2022-07-14T14:23:05.990Z","happenedAt":"2022-07-14T14:23:01.352Z","tags":[],"endpointState":{"osType":1,"cpuVendor":1,"arch":2,"cpuDescr":"Intel(R) Xeon(R) CPU X5650 @ 2.67GHz","kernel":"10.0","os":"Windows 10 
Pro","hvStatus":0,"name":"DESKTOP-EXAMPLE123","isolated":false,"localAddr":"10.0.0.119","macs":["00:00:5e:00:53:ff"],"componentsVersions":[{"name":"keeper","version":"3.6.0","build":"19.1627291555548.commit"},{"name":"probos","version":"3.5.0","build":"3.5.0"},{"name":"rqtsentry","version":"3.6.1","build":"119.1632119719010.commit"},{"name":"rqtnetsentry","version":"3.6.0","build":"44.1627295520120.commit"},{"name":"installer","version":"3.6.1","build":""}],"endpointVersion":"3.6.1","tags":[],"groups":[{"id":"847194699834851335","name":"Digital Sales","description":"Digital Sales Group"}]},"alertStatus":"malicious"}
QRadar field name | Highlighted payload field name |
---|---|
Event ID | 6 |
Source IP | 10.0.0.119 |
Username | DESKTOP-EXAMPLE123\\Admin |
Source Mac | 00:00:5e:00:53:ff |