Exabeam sample event message
Use this sample event message to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
Exabeam sample message when you use the Syslog protocol
The following sample event message shows a critical Exabeam event in which a high-risk user session is detected.
<85>Apr 06 22:03:02 exabeam.exabeam.test Exabeam: timestamp="2015-04-21T15:55:21.503+08:00" id="testUser-20140402150331" url="http://localhost:8484/#sessions/userx-20140402150331" score="105" start_time="2014-04-02T15:03:31+0800" end_time="1970-01-01T08:00:00+0800" status="open" user="userx" src_host="test-host01-userx" src_ip="192.0.150.7" accounts="testUser" labels="" assets="test-host01-userx" zones="test.zone.test" top_reasons="First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group" reasons_count="10" events_count="1" alerts_count="0"
QRadar field name | Highlighted values in the event payload |
---|---|
Event ID | 105 is critical and is extracted from the score value. |
Source IP | 192.0.150.7 |
Username | userx |
Device Time | 2015-04-21T15:55:21.503+08:00 |
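
The following Python is an added example, not part of the IBM or Exabeam documentation. It strips stray CR/LF characters as the Important note instructs, parses the syslog header and the key="value" payload, and selects the four values highlighted in the table. The function names `parse_exabeam` and `qradar_view` are hypothetical, the sample is abridged from the message above with constructed line breaks, and values are assumed to contain no escaped double quotes.

```python
import re

# Syslog header: <PRI>, timestamp, host, tag. Payload: key="value" pairs.
HEADER = re.compile(r'^<(\d{1,3})>(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\w+): ')
PAIR = re.compile(r'(\w+)="([^"]*)"')  # assumes no escaped quotes inside values

# Abridged from the sample on this page; the CR/LF breaks are constructed to
# mimic the copy/paste damage the Important note describes.
SAMPLE = (
    '<85>Apr 06 22:03:02 exabeam.exabeam.test Exabeam: '
    'timestamp="2015-04-21T15:55:21.503+08:00" id="testUser-20140402150331" \r\n'
    'score="105" status="open" user="userx" src_host="test-host01-userx" \n'
    'src_ip="192.0.150.7" labels="" top_reasons="First logon to workstation '
    'for user,First logon to network zone" reasons_count="10"'
)

def parse_exabeam(raw):
    """Return header fields plus the key="value" payload of one event."""
    line = raw.replace("\r", "").replace("\n", "")  # step from the Important note
    m = HEADER.match(line)
    if m is None:
        raise ValueError("missing syslog PRI/timestamp/host/tag header")
    pri = int(m.group(1))
    return {
        "facility": pri // 8,   # PRI = facility * 8 + severity
        "severity": pri % 8,
        "syslog_time": m.group(2),
        "host": m.group(3),
        "tag": m.group(4),
        "fields": dict(PAIR.findall(line[m.end():])),
    }

def qradar_view(event):
    """Select the four payload values the table on this page highlights."""
    wanted = {"Event ID": "score", "Source IP": "src_ip",
              "Username": "user", "Device Time": "timestamp"}
    fields = event["fields"]
    missing = [key for key in wanted.values() if key not in fields]
    if missing:
        raise KeyError("payload lacks: " + ", ".join(missing))
    return {name: fields[key] for name, key in wanted.items()}

if __name__ == "__main__":
    for name, value in qradar_view(parse_exabeam(SAMPLE)).items():
        print(f"{name}: {value}")
```

A `ValueError` or `KeyError` from this check usually means the pasted message still contains a break inside the header or is missing one of the mapped keys.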