Exabeam sample event message

Use this sample event message to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Exabeam sample message when you use the Syslog protocol

The following sample event message shows a critical Exabeam event: a high-risk user session is detected.

<85>Apr 06 22:03:02 exabeam.exabeam.test Exabeam: timestamp="2015-04-21T15:55:21.503+08:00" id="testUser-20140402150331" url="http://localhost:8484/#sessions/userx-20140402150331" score="105" start_time="2014-04-02T15:03:31+0800" end_time="1970-01-01T08:00:00+0800" status="open" user="userx" src_host="test-host01-userx" src_ip="192.0.150.7" accounts="testUser" labels="" assets="test-host01-userx" zones="test.zone.test" top_reasons="First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group" reasons_count="10" events_count="1" alerts_count="0"

Table 1. QRadar field names and highlighted values in the event payload

QRadar field name | Highlighted values in the event payload
------------------|---------------------------------------------------------
Event ID          | 105 is critical and is extracted from the score value.
Source IP         | 192.0.150.7
Username          | userx
Device Time       | 2015-04-21T15:55:21.503+08:00
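The following Python parser is an added example, not IBM or Exabeam code: it strips the carriage return and line feed characters that the note above warns about, splits the syslog header from the key="value" payload, and maps the payload to the QRadar fields of Table 1. The embedded sample is the event message above with a line break deliberately inserted (constructed) inside the url value to show why the cleanup matters.

```python
import re

# The sample event from this page, with a CR/LF deliberately inserted inside the
# url value (constructed) to mimic what a copy-paste from a formatted page can do.
SAMPLE = (
    '<85>Apr 06 22:03:02 exabeam.exabeam.test Exabeam: timestamp="2015-04-21T15:55:21.503+08:00" '
    'id="testUser-20140402150331" url="http://localhost:8484/#sessions/\r\nuserx-20140402150331" '
    'score="105" start_time="2014-04-02T15:03:31+0800" end_time="1970-01-01T08:00:00+0800" '
    'status="open" user="userx" src_host="test-host01-userx" src_ip="192.0.150.7" '
    'accounts="testUser" labels="" assets="test-host01-userx" zones="test.zone.test" '
    'top_reasons="First logon to workstation for user,First logon to network zone,'
    'Abnormal logon to network zone for group" reasons_count="10" events_count="1" alerts_count="0"'
)

# BSD-style syslog header: <PRI>Mon DD hh:mm:ss host tag: body
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<body>.*)$',
    re.S,
)
# Exabeam payload: space-separated key="value" pairs; values may contain commas and be empty.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def normalize(raw):
    """Remove CR/LF characters so the event is the single line QRadar expects."""
    return raw.replace("\r", "").replace("\n", "")


def parse_exabeam_syslog(raw):
    """Return the syslog header parts plus a dict of the Exabeam payload fields."""
    m = HEADER_RE.match(normalize(raw))
    if not m:
        raise ValueError("not an Exabeam syslog event")
    pri = int(m.group("pri"))
    return {
        "pri": pri,
        "facility": pri // 8,      # <85> -> facility 10 (authpriv)
        "severity": pri % 8,       # <85> -> severity 5 (notice)
        "host": m.group("host"),
        "fields": dict(KV_RE.findall(m.group("body"))),
    }


def to_qradar_fields(parsed):
    """Map payload keys to the QRadar field names listed in Table 1."""
    f = parsed["fields"]
    return {
        "Event ID": int(f["score"]),          # score="105"
        "Source IP": f["src_ip"],
        "Username": f["user"],
        "Device Time": f["timestamp"],
        "top_reasons": f["top_reasons"].split(","),
    }
```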