Oracle Cloud Infrastructure sample event messages
The following sample event messages show events that are collected from Oracle Cloud Infrastructure (OCI).
Sample event message 1
In the following audit event, Oracle Cloud Infrastructure (OCI) indicates that a request to retrieve a stream was successfully processed.
{"data":{"additionalDetails":{"id":"ocid1.stream.oc1.ap-region-1.<unique_ID>"},"availabilityDomain":"AD1","compartmentId":"ocid1.tenancy.oc1..<unique_ID>","compartmentName":"compartmentname1","definedTags":{"Oracle-Tags":{"CreatedBy":"default/test.user@example.com","CreatedOn":"2025-04-03T08:44:41.578Z"}},"eventGroupingId":"EB2D63DCA6C4497B82A2C408FE109FD9/3D0CCC60EA6C45F85FDEA948CF5AA79E/1658D181D6F2A313C3F32694E3FA7CA9","eventName":"getStream","freeformTags":{},"identity":{"authType":null,"callerId":null,"callerName":null,"consoleSessionId":null,"credentials":null,"ipAddress":"<IP_address>","principalId":"ocid1.serviceconnector.oc1.ap-region-1.<unique_ID>","principalName":"User Name","tenantId":"ocid1.tenancy.oc1..<unique_ID>","userAgent":"Vert.x-WebClient/3.9.13"},"message":"Stream1 getStream succeed","request":{"action":"GET","headers":{"User-Agent":["Vert.x-WebClient/3.9.13","Oracle-JavaSDK/2.78.0 (Linux/5.15.0-306.177.4.el9uek.aarch64; Java/17.0.14; Java HotSpot(TM) 64-Bit Server VM/17.0.14+8-LTS-jvmci-23.0-b54)"],"X-Forwarded-For":["<IP_address>"],"auth-info":["{\"tenantId\":\"ocid1.tenancy.oc1..<unique_ID>\",\"subjectId\":\"ocid1.serviceconnector.oc1.ap-region-1.<unique_ID>\",\"claims\":[{\"key\":\"svc\",\"value\":\"service-connector-hub\",\"issuer\":\"authService.example1.com\"},{\"key\":\"h_date\",\"value\":\"Mon, 07 Apr 2025 08:34:33 GMT\",\"issuer\":\"h\"},{\"key\":\"res_tenant\",\"value\":\"ocid1.tenancy.oc1..<unique_ID>\",\"issuer\":\"authService.example1.com\"},{\"key\":\"ptype\",\"value\":\"resource\",\"issuer\":\"authService.example1.com\"},{\"key\":\"svcTenantId\",\"value\":\"ocid1.tenancy.oc1..aaaaaaaavjqvxoth73v7tyvcu7n7hlnfijd5pcow3ioo7ac57yacvc3eb7fa\",\"issuer\":\"authService.example1.com\"},{\"key\":\"res_type\",\"value\":\"serviceconnector\",\"issuer\":\"authService.example1.com\"},{\"key\":\"authorization\",\"value\":\"Signature ***\",keyId=\\\"<key_ID>\\\",algorithm=\\\"rsa-sha256\\\",signature=\\\"<signature>\\\",version=\\\"1\\\"\",\"issuer\":\"h\"},{\"key\":\"res_id\",\"value\":\"ocid1.serviceconnector.oc1.ap-region-1.<unique_ID>\",\"issuer\":\"authService.example1.com\"},{\"key\":\"ttype\",\"value\":\"res_sp\",\"issuer\":\"authService.example1.com\"},{\"key\":\"h_(request-target)\",\"value\":\"get /20180418/streams/ocid1.stream.oc1.ap-region-1.<unique_ID>\",\"issuer\":\"h\"},{\"key\":\"res_compartment\",\"value\":\"ocid1.tenancy.oc1..<unique_ID>\",\"issuer\":\"authService.example1.com\"},{\"key\":\"h_host\",\"value\":\"streaming.ap-region-1.oci.oraclecloud.com\",\"issuer\":\"h\"},{\"key\":\"opc-dgs\",\"value\":\"V3,ocid1.tenancy.oc1..<unique_ID>,AAAAAQAAAAB/f39/AAAAjw==,AAAAAA==\",\"issuer\":\"authService.example1.com\"}]}"],"opc-request-id":["EB2D63DCA6C4497B82A2C408FE109FD9/3D0CCC60EA6C45F85FDEA948CF5111111/1658D181D6F2A313C3F32694E3FA7CA9"]},"id":"EB1111111A6C4497B82A2C408FE109FD9/CF3BC30DBB2AE4FEBFE3BD5971C503E7/EB8C5A108CBA223274DA9FDDECE07E89","parameters":{"tenancy":["ocid1.tenancy.oc1..<unique_ID>"]},"path":"/20180418/gateway/streams/ocid1.stream.oc1.ap-region-1.<unique_ID>"},"resourceId":"ocid1.stream.oc1.ap-region-1.<unique_ID>","response":{"headers":{"Content-Length":["1305"],"Content-Type":["application/json"],"Date":["Mon, 07 Apr 2025 08:34:33 GMT"],"ETag":["\"8fd6e385-d19f-49ba-8373-c99192d322c6-80a6487e-9619-471e-beba-119fc5cbcd43\""],"Vary":["Accept-Encoding"],"opc-request-id":["EB2D63DCA6C4497B82A2C408FE109FD9/CF3BC30DBB2AE4FEBFE3BD5971C503E7/EB8C5A108CBA223274DA9FDDECE07E89"]},"message":null,"payload":null,"responseTime":"2025-04-07T08:34:33.774Z","status":"200"},"stateChange":{"current":null,"previous":null}},"dataschema":"2.0","id":"cf76df7b-269f-45c7-9398-f57afe85088a","oracle":{"compartmentid":"ocid1.tenancy.oc1..<unique_ID>","ingestedtime":"2025-04-07T08:34:42.669Z","loggroupid":"_Audit","tenantid":"ocid1.tenancy.oc1..<unique_ID>"},"source":"Stream1","specversion":"1.0","time":"2025-04-07T08:34:33.766Z","type":"com.oraclecloud.Streaming-ControlPlane.getStream"}
QRadar field name | Highlighted payload field name |
---|---|
Event ID | data.eventName + Status |
Source IP | data.identity.ipAddress |
Username | data.identity.principalName |
Time | time |
Sample event message 2
In the following sample event, OCI Object Storage indicates that a new object was successfully uploaded to a bucket.
{"data":{"additionalDetails":{"versionId":"b6af23b3-1111-1111-bdda-e03d85b818e8"},"apiType":"native","authenticationType":"user","bucketCreator":"ocid1.user.oc1..<unique_ID>","bucketId":"ocid1.bucket.oc1.ap-region-1.<unique_ID>","bucketName":"ReadWriteBucket","bytesDownloaded":"0","bytesUploaded":"9","clientIpAddress":"<IP_address>","compartmentId":"ocid1.tenancy.oc1..<unique_ID>","compartmentName":"compartment1","credentials":"***","eTag":"38795327-5c39-4e26-a10f-d73479186a4b","endTime":"2025-04-16T06:07:16.667Z","isPar":false,"message":"Object uploaded.","namespaceName":"bmuez42w2pkg","objectName":"TestTestFile.txt","opcRequestId":"bom-1:Aie9czz-DoJX-YkHD_Ru_0le-9PMWUwblFIjxxGPrV7-YhYSJWYsVpDLua9kvR14","principalId":"***","principalName":"Test User","region":"ap-region-1","requestAction":"PUT","requestResourcePath":"/n/bmuez42w2pkg/b/ReadWriteBucket/o/TestTestFile.txt","startTime":"2025-04-16T06:07:16.641Z","statusCode":200,"tenantId":"ocid1.tenancy.oc1..<unique_ID>","tenantName":"compartment1","userAgent":"Browser2/5.0 (Macintosh; Chip Mac OS X 10_15_7) TestWebKit/605.1.15 (KHTML, like Gecko) Version/18.3.1 Browser/605.1.15"},"id":"4b627ac1-61a2-4d29-960a-d5c89b7f7979","oracle":{"compartmentid":"ocid1.tenancy.oc1..<unique_ID>","ingestedtime":"2025-04-16T06:07:18.182Z","loggroupid":"ocid1.loggroup.oc1.ap-region-1.amaaaaaaxwc355aaaa64eyo43kqs62ag2dqi374e55c7pd4x5fb2ec7p73kq","logid":"ocid1.log.oc1.ap-region-1.amaaaaaaxwc355aapn36bnsisyq22az2kack5m3vyglns3agkvcuty5ewgzq","tenantid":"ocid1.tenancy.oc1..<unique_ID>"},"source":"ReadWriteBucket","specversion":"1.0","subject":"TestTestFile.txt","time":"2025-04-16T06:07:16.667Z","type":"com.oraclecloud.objectstorage.putobject"}
QRadar field name | Highlighted payload field name |
---|---|
Event ID | message |
Source IP | clientIpAddress |
Username | principalName |
Time | time |
Sample event message 3
In the following sample event, OCI Key Management indicates that a request to decrypt data by using a specified vault key was successfully processed, confirming authorized key usage and access to encrypted data.
{"data":{"clientIpAddress":"<IP_address>","keyVersionId":"ocid1.keyversion.oc1.eu-frankfurt-1.<unique_ID>","opcRequestId":"<unique_ID>","principalId":"ocid1.user.oc1..<unique_ID>","requestAction":"DECRYPT","statusCode":200},"id":"<unique_ID>","oracle":{"compartmentid":"ocid1.tenancy.oc1..<unique_ID>","ingestedtime":"2024-12-18T07:05:42.327Z","loggroupid":"ocid1.loggroup.oc1.eu-frankfurt-1.<unique_ID>","logid":"ocid1.log.oc1.eu-frankfurt-1.<unique_ID>","tenantid":"ocid1.tenancy.oc1..<unique_ID>"},"source":"ocid1.vault.oc1.eu-frankfurt-1.<unique_ID>","specversion":"1.0","subject":"ocid1.key.oc1.eu-frankfurt-1.<unique_ID>","time":"2024-12-18T07:05:42.026Z","type":"com.oraclecloud.keymanagementservice.vault.crypto.decrypt"}
QRadar field name | Highlighted payload field name |
---|---|
Event ID | requestAction + statusCode |
Source IP | clientIpAddress |
Time | time |
Sample event message 4
In the following sample event, OCI Network Firewall indicates that a test malware file (EICAR) was identified in network traffic, confirming that threat detection mechanisms are actively monitoring and functioning as expected.
{"data":{"action":"reset-both","device_name":"<device_name>","direction":"server-to-client","dst":"192.0.1.168","dstloc":"192.0.0.10-192.0.0.11","dstuser":"no-value","firewall-id":"ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>","proto":"tcp","receive_time":"2023/05/16 16:52:29","rule":"<rule_name>","sessionid":"11804","severity":"medium","src":"192.0.2.168","srcloc":"192.0.0.1-192.0.0.2","srcuser":"no-value","subtype":"vulnerability","thr_category":"code-execution","threatid":"Eicar File Detected"},"id":"<unique_ID>","oracle":{"compartmentid":"ocid1.compartment.oc1..<unique_ID>","ingestedtime":"2023-05-16T16:56:27.373Z","loggroupid":"ocid1.loggroup.oc1.me-jeddah-1.<unique_ID>","logid":"ocid1.log.oc1.me-jeddah-1.<unique_ID>","tenantid":"ocid1.tenancy.oc1..<unique_ID>"},"source":"ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>","specversion":"1.0","time":"2023-05-16T16:52:29.000Z","type":"com.oraclecloud.networkfirewall.threat"}
QRadar field name | Highlighted payload field name |
---|---|
Event ID | threatid |
Source IP | thr_category |
Destination IP | src |
Username | dst |
Time | time |
Sample event message 5
In the following sample event, OCI indicates that a connector has finished its execution.
{"data":{"level":"INFO","message":"Run succeeded - Read 2 messages from source and wrote 2 messages to target","messageType":"CONNECTOR_RUN_COMPLETED"},"id":"f83205ef-0bef-47d0-b6b2-362afc4a2e9a","oracle":{"compartmentid":"ocid1.compartment.oc1..<unique_ID>","ingestedtime":"2023-08-02T00:10:28.990Z","loggroupid":"ocid1.loggroup.oc1.phx.<unique_ID>","logid":"ocid1.log.oc1.phx.<unique_ID>","resourceid":"ocid1.serviceconnector.oc1.phx.<unique_ID>","tenantid":"ocid1.tenancy.oc1..<unique_ID>"},"source":"KP_SourceStream1_TargetStream1","specversion":"1.0","time":"2023-08-02T00:10:26.859Z","type":"com.oraclecloud.sch.serviceconnector.runlog"}
QRadar field name | Highlighted payload field name |
---|---|
Event ID | messageType + level |
Time | time |
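The mapping tables for sample event messages 1, 2, 3 and 5, applied in code: the following Python is an added example, not QRadar's own parsing logic, that picks the mapping for each event and extracts the listed fields. The names `normalize`, `dig`, `AUDIT` and `BY_TYPE`, the space used to join two-part Event IDs, and reading "Status" as `data.response.status` are assumptions.

```python
import json

# Field paths taken from the mapping tables above. A tuple under "event_id"
# lists parts to concatenate; the space separator and reading "Status" as
# data.response.status are assumptions, not stated on the page.
AUDIT = {"event_id": ("data.eventName", "data.response.status"),
         "source_ip": "data.identity.ipAddress",
         "username": "data.identity.principalName"}
BY_TYPE = {
    "com.oraclecloud.objectstorage.putobject": {
        "event_id": ("data.message",), "source_ip": "data.clientIpAddress",
        "username": "data.principalName"},
    "com.oraclecloud.keymanagementservice.vault.crypto.decrypt": {
        "event_id": ("data.requestAction", "data.statusCode"),
        "source_ip": "data.clientIpAddress"},
    "com.oraclecloud.sch.serviceconnector.runlog": {
        "event_id": ("data.messageType", "data.level")},
}

def dig(obj, path):
    """Follow a dotted path; None if a step is missing or JSON null."""
    for key in path.split("."):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def normalize(raw):
    event = json.loads(raw)
    # Sample 1 marks audit events with oracle.loggroupid "_Audit"; check it first.
    audit = dig(event, "oracle.loggroupid") == "_Audit"
    mapping = AUDIT if audit else BY_TYPE.get(dig(event, "type"))
    if mapping is None:
        return None  # surface unmapped types instead of guessing fields
    parts = [dig(event, p) for p in mapping["event_id"]]
    out = {"event_id": " ".join(str(p) for p in parts if p is not None),
           "time": dig(event, "time")}
    for field in ("source_ip", "username"):
        if field in mapping:
            out[field] = dig(event, mapping[field])
    return out

# Constructed inputs: page samples 1, 3 and 5 trimmed to the mapped fields,
# with documentation-range addresses replacing the <IP_address> placeholder.
SAMPLES = [
    '{"data":{"eventName":"getStream","identity":{"ipAddress":"192.0.2.10","principalName":"User Name"},"response":{"status":"200"}},"oracle":{"loggroupid":"_Audit"},"time":"2025-04-07T08:34:33.766Z","type":"com.oraclecloud.Streaming-ControlPlane.getStream"}',
    '{"data":{"clientIpAddress":"192.0.2.20","requestAction":"DECRYPT","statusCode":200},"oracle":{"loggroupid":"ocid1.loggroup.oc1.eu-frankfurt-1.<unique_ID>"},"time":"2024-12-18T07:05:42.026Z","type":"com.oraclecloud.keymanagementservice.vault.crypto.decrypt"}',
    '{"data":{"level":"INFO","messageType":"CONNECTOR_RUN_COMPLETED"},"time":"2023-08-02T00:10:26.859Z","type":"com.oraclecloud.sch.serviceconnector.runlog"}',
]
```

A `None` return marks an event type with no mapping, and a `None` field value marks a mapped field that was absent or null in the payload, so the two cases can be counted separately when validating a log source.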