IBM Defender Data Protect sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Sample 1: The following sample event message shows API Audit events that are collected from IBM® Defender Data Protect.
<14>2024-11-18T00:35:53.543843+00:00 ibm.defenderdataprotect.test api_audit[32031]: {"username":"test@example.com","domain":"Example","method":"PUT","urlPath":"/v2/data-protect/protection-groups/3802051382822844:11111:111/runs","requestTimestamp":1731890153542,"requestHeader":{"Accept":["application/json, text/plain, */*"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["en-US,en;q=0.5"],"Connection":["close"],"Content-Type":["application/json"],"Dnt":["1"],"Exampletoken":["xxxxx/xxxx="],"Origin":["https://usea-prod.storage-defender.example.com"],"Requestinitiatortype":["UIUser"],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Site":["same-origin"],"Sfdctoken":["xxxxx/xxxxxxx="],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"],"X-Amzn-Trace-Id":["Root=1-673a8be9-xxxxxxxxx"],"X-Cohesity-Service-Context":["Mcm"],"X-Envoy-Attempt-Count":["1"],"X-Envoy-Decorator-Operation":["iris.ibm-defender-prod.svc.cluster.local:80/*"],"X-Envoy-Expected-Rq-Timeout-Ms":["3600000"],"X-Envoy-External-Address":["10.0.0.0"],"X-Envoy-Peer-Metadata":["xxxxx="],"X-Envoy-Peer-Metadata-Id":["router~x.0.x.195~istio-ingressgateway-xx-tq7rt.istio-system~istio-system.svc.cluster.local"],"X-Forwarded-For":["","x.x.x.x,1.1.11.111, ::1"],"X-Forwarded-Port":["443"],"X-Forwarded-Proto":["https"],"X-Impersonate-Tenant-Id":[""],"X-Request-Id":["xxxx-15fa-xxxx-xx-11111"],"X-Session-Locale":["en-us"]},"clientAddress":"127.0.0.1:80","sessionId":"xxxxxx="}
<14>2024-11-18T00:35:53.849714+00:00 ibm.defenderdataprotect.test api_audit[32031]: {"username":"test@example.com","domain":"Example","method":"PUT","urlPath":"/v2/data-protect/protection-groups/11111:2222:1111/runs","requestTimestamp":1731890153542,"statusCode":207,"responseHeader":{"Content-Encoding":["gzip"],"Content-Security-Policy":["default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https: data:; font-src data: https:; worker-src blob:"],"Content-Type":["application/json"],"Permissions-Policy":["geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(), payment=()"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains"],"Vary":["Accept-Encoding"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"X-Ratelimit-Limit":["600"],"X-Ratelimit-Remaining":["586"],"X-Ratelimit-Reset":["1731890162"],"X-Xss-Protection":["1; mode=block"]},"responseTime":305827792}
| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | If the payload has a statusCode field, the method + the statusCode field value is the event ID. Otherwise, the method field value is the event ID. |
| Event Category | api_audit from the payload header |
| Source IP | clientAddress |
| Source Port | The value after the colon in the clientAddress value is used for the Source Port, for example, 80. |
| Username | username |
| Device Time | If the payload has a responseTime field, the responseTime + requestTimestamp is the device time. Otherwise, the requestTimestamp is the device time. |
Sample 2: The following sample event message shows Data Protection Events that are collected from IBM Defender Data Protect.
<14>2024-11-25T11:25:41+00:00 ibm.defenderdataprotect.test dataprotection_events: {"EventMessage" : "Finishing restore task", "Timestamp" : "2024-11-25T11:25:41.321Z", "ClusterInfo" : {"ClusterId" : "3802051382822844", "ClusterName" : "test-pok-dp-3"}, "EventType" : "kRestore", "EnvironmentType" : "kPhysicalFiles", "RegisteredSource" : {"EntityType" : "kPhysical", "EntityId" : "23247", "EntityName" : "Physical Servers"}, "RestoreTarget" : {"EntityType" : "kPhysical", "EntityId" : "23279", "EntityName" : "10.11.0.1"}, "BackupJobName" : "AD-File-Cloud", "BackupJobId" : "11622", "Entities" : [{"EntityType" : "kPhysical", "EntityId" : "23248", "EntityName" : "10.10.1.1"}], "Error" : {"ErrorCode" : "kYodaError", "ErrorMessage" : "Error while calling FileStat for /B/: [kNotFound]: Bridge error: Directory not present: /DefaultStorageDomain/magneto_1259898576551640_1728507997137_11622_12308/fs//B/"}, "TaskId" : "547103", "AttributeMap" : {"RestoreType" : "kRestoreFiles"}}
| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | If the payload has an Error field, the EventMessage field value + _error is the event ID. Otherwise, the EventMessage field value is the event ID. |
| Event Category | dataprotection_events from the payload header |
| Source IP | EntityName |
| Event Time | Timestamp |
Sample 3: The following sample event message shows Cluster Audit Events that are collected from IBM Defender Data Protect.
<14>2024-12-03T00:00:28-05:00 ibm.defenderdataprotect.test cluster_audit: {"Timestamp" : "2024-12-02T19:00:00.862-05:00", "AttributeMap" : {}, "EntityType" : "Access Token", "EntityId" : "user1", "EntityName" : "user1", "User" : "user1", "Domain" : "local", "Action" : "Create", "Description" : "user1@local has generated new access token for user user1 on domain LOCAL from 10.0.0.1.", "IP" : "10.0.0.1", "ClusterInfo" : "ClusterName: test-aaa-dp-3, ClusterId: xxxxxx", "ServiceContext" : 4}
| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | Action + EntityType |
| Event Category | cluster_audit from the payload header |
| Source IP | IP |
| Username | User |
| Device Time | Timestamp |
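As an added example (not IBM's DSM code), the following Python normalizer applies the three mapping tables above to constructed, abbreviated copies of the sample lines, including the header-program-to-category split, the statusCode and Error branches, and the clientAddress port split. The space separator in concatenated Event IDs and the choice of the first Entities entry's EntityName for Source IP are assumptions.

```python
import json
import re
# Constructed, abbreviated copies of this page's sample lines (not live data).
SAMPLES = [
    '<14>2024-11-18T00:35:53.543843+00:00 ibm.defenderdataprotect.test api_audit[32031]: '
    '{"username":"test@example.com","method":"PUT","requestTimestamp":1731890153542,'
    '"clientAddress":"127.0.0.1:80"}',
    '<14>2024-11-18T00:35:53.849714+00:00 ibm.defenderdataprotect.test api_audit[32031]: '
    '{"username":"test@example.com","method":"PUT","requestTimestamp":1731890153542,'
    '"statusCode":207,"responseTime":305827792}',
    '<14>2024-11-25T11:25:41+00:00 ibm.defenderdataprotect.test dataprotection_events: '
    '{"EventMessage" : "Finishing restore task", "Timestamp" : "2024-11-25T11:25:41.321Z", '
    '"Entities" : [{"EntityName" : "10.10.1.1"}], "Error" : {"ErrorCode" : "kYodaError"}}',
    '<14>2024-12-03T00:00:28-05:00 ibm.defenderdataprotect.test cluster_audit: '
    '{"Timestamp" : "2024-12-02T19:00:00.862-05:00", "EntityType" : "Access Token", '
    '"User" : "user1", "Action" : "Create", "IP" : "10.0.0.1"}',
]
# <PRI>TIMESTAMP HOST PROGRAM[PID]: {json}  -- PROGRAM carries the event category.
HEADER = re.compile(r"^<\d+>(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+)(?:\[\d+\])?: (?P<body>\{.*\})$")

def normalize(line):
    """Map one syslog line to the QRadar fields described in the tables above."""
    line = line.replace("\r", "").replace("\n", "")  # strip CR/LF, as the note above advises
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an IBM Defender Data Protect syslog line")
    cat, p = m["prog"], json.loads(m["body"])
    out = {"Event Category": cat}
    if cat == "api_audit":
        # method + statusCode when present, else method alone (space separator is assumed)
        out["Event ID"] = " ".join(str(v) for v in (p["method"], p.get("statusCode")) if v is not None)
        out["Username"] = p.get("username")
        if "clientAddress" in p:  # "127.0.0.1:80" -> IP before the colon, port after it
            ip, _, port = p["clientAddress"].rpartition(":")
            out["Source IP"], out["Source Port"] = ip, int(port)
        # Page rule: responseTime + requestTimestamp when responseTime is present. In the sample,
        # responseTime looks like nanoseconds against an epoch-ms requestTimestamp; check units.
        out["Device Time"] = p["requestTimestamp"] + p.get("responseTime", 0)
    elif cat == "dataprotection_events":
        out["Event ID"] = p["EventMessage"] + ("_error" if "Error" in p else "")
        # Assumption: the EntityName taken for Source IP is the first entry in Entities.
        out["Source IP"] = p["Entities"][0]["EntityName"] if p.get("Entities") else None
        out["Event Time"] = p["Timestamp"]
    elif cat == "cluster_audit":
        out["Event ID"] = p["Action"] + " " + p["EntityType"]
        out["Source IP"], out["Username"] = p.get("IP"), p.get("User")
        out["Device Time"] = p["Timestamp"]
    else:
        raise ValueError(f"unsupported event category: {cat}")
    return out
```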