VMware AppDefense sample event messages

Use these sample event messages to verify a successful integration with QRadar.

The following table provides sample event messages when using the VMware AppDefense API protocol for the VMware AppDefense DSM:
Table 1. VMware AppDefense sample message supported by VMware AppDefense.
Event name Low-level category Sample log message
Inbound Connection Rule Violation Firewall Deny
{"id":1111111,"createdAt":1512009263.471000000,"remediation":{"id":1111111},"severity":"CRITICAL","lastReceivedAt":1516170726.957000000,"count":2,"status":"UNRESOLVED","violationDetails":{"processHashSHA256":"1000000000000000000000000000000000000000000000000000000000000000","processHash":"10000000000000000000000000000000","cli":"<cli>","localPort":"<24","processPath":"","alert":"INBOUND_CONNECTION_RULES_VIOLATION","localAddress":"192.0.2.0","ipProtocol":"tcp","preEstablishedConnection":"FALSE"},"violatingVirtualMachine":{"id":1111111,"vmToolsStatus":"TOOLS_NOT_RUNNING","vcenterUuid":"11111111-1111-1111-1111-111111111111","vmUuid":"11111111-1111-1111-1111-111111111111","ipAddress":"192.0.2.0","osType":"WINDOWS","vmManageabilityStatus":"HOST_MODULE_ENABLED_AND_GUEST_MODULE_MISSING","guestAgentVersion":"1.0.1.0","macAddress":"<MacAddress>","guestId":"windows8","healthStatus":"CRITICAL","service":{"id":00000},"vmId":"1","guestAgentStatus":"Disconnected","guestName":"Microsoft Windows","guestStatus":"POWERED_OFF","name":"<name>","hostName":"<Hostname>"},"violatingProcess":{"processReputationProfile":null,"fullPathName":"System","<System>":"<System>","process256Hash":"1000000000000000000000000000000000000000000000000000000000000000","processMd5Hash":"10000000000000000000000000000000"},"subRuleViolated":null,"ruleViolated":"INBOUND_CONNECTION"}
Outbound Connection Rule Violation Firewall Deny
{"id":10101001,"createdAt":1512009263.495000000,"remediation":{"id":1551519},"severity":"CRITICAL","lastReceivedAt":1516224258.818000000,"count":00001,"status":"UNRESOLVED","violationDetails":{"processHashSHA256":"0000000000000000000000000000000000000000000000000000000000000","processHash":"0000000000000000000000000000000","cli":"C:\\<path>","alert":"OUTBOUND_CONNECTION_RULES_VIOLATION","localAddress":"192.0.2.0","remotePort":"24","ipProtocol":"udp","preEstablishedConnection":"FALSE","remoteAddress":"0000::0:0"},"violatingVirtualMachine":{"id":101010,"vmToolsStatus":"TOOLS_NOT_RUNNING","vcenterUuid":"11111111-1111-1111-1111-111111111111","vmUuid":"11111111-1111-1111-1111-111111111111","ipAddress":"192.0.2.0","osType":"WINDOWS","vmManageabilityStatus":"HOST_MODULE_ENABLED_AND_GUEST_MODULE_MISSING","guestAgentVersion":"1.0.1.0","macAddress":"<MacAddress>","guestId":"windows8","healthStatus":"CRITICAL","service":{"id":28486},"vmId":"1","guestAgentStatus":"Disconnected","guestName":"Microsoft Windows","guestStatus":"POWERED_OFF","name":"<name>","hostName":"<host>"},"violatingProcess":{"processReputationProfile":{"processFileInfo":{"md5":"000000000000000000000000000000","sha256":"00000000000000000000000000000000000000000000000000000000000","container":false,"executable":true,"ssdeep":"100:THGFJFJFHJY7y86gHK7GHk7ghjgkghjk","fileSizeBytes":1,"peFormat":true,"firstSeenName":"<fileName>","sha1":"000000000000000000000000000000000000","crc32":null},"peHeaderMetadata":{"companyName":"Microsoft Corporation","productName":"Microsoft Windows","version":null,"originalName":"<host>","description":"<description>","fileVersion":"192.0.2.0","codePage":null,"productVersion":"6.3.9600.17415","language":"English (U.S.)"},"certificate":{"commonName":"Windows","certificateexinfo":{"thumbprint":"000000000000000000000000000000000000000000000","issuerThumbprint":"000000000000000000000000000000000","serialNumber":null,"validToDate":1437604140.000000000,"validFromDate":1398205740.000000000,"publisher":null,"name":null}},"trust":10,"threat":0},"fullPathName":"C:\\<path>","process256Hash":"000000000000000000000000000000000000000000000000000000000000","processMd5Hash":"000000000000000000000000000000000"},"subRuleViolated":null,"ruleViolated":"OUTBOUND_CONNECTION"}