IBM Cloud® Activity Tracker sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Because of formatting constraints, the sample messages might contain line breaks. Paste the message into a text editor and remove any carriage return or line feed characters before you use it.

IBM Cloud Activity Tracker sample messages when you use the Apache Kafka protocol

Sample 1: The following sample event message shows that an occurrence is viewed successfully.

{"_source":{"_host":"security-advisor","_logtype":"json","_file":"file_name","_line":"{\"outcome\":\"success\",\"typeURI\":\"url\",\"eventType\":\"activity\",\"eventTime\":\"2021-07-01T00:36:53.62+0000\",\"action\":\"security-advisor.findings.read\",\"id\":\"1111111a-1a11-1111-111a-11111111a1aa\",\"correlationId\":\"1111111a-1a11-1111-111a-11111111a1aa\",\"initiator\":{\"id\":\"1111111a-1a11-1111-111a-11111111a1aa\",\"name\":\"username\",\"authnId\":\"1111111a-1a11-1111-111a-11111111a1aa\",\"authnName\":\"Author\",\"typeURI\":\"service/security/account/user\",\"host\":{\"agent\":\"Apache-HttpClient/4.5.9 (Java/1.8.0_281)\",\"address\":\"10.41.87.6,10.74.72.121\",\"addressType\":\"IPv4\"},\"credential\":{\"type\":\"user\"}},\"target\":{\"id\":\"id\",\"name\":\"findingsapi\",\"typeURI\":\"security-advisor/occurrence\"},\"observer\":{\"name\":\"ActivityTracker\"},\"reason\":{\"reasonCode\":200,\"reasonType\":\"OK\"},\"requestData\":{\"providerId\":\"security-advisor\",\"occurrenceId\":\"1111111a-1a11-1111-111a-11111111a1aa\"},\"responseData\":{\"Context account id\":\"1111111a-1a11-1111-111a-11111111a1aa\",\"email\":{},\"occurrenceId\":\"xforce\",\"Occurrence kind\":\"FINDING\",\"Context region\":\"us-south\",\"Occurrence creation time\":\"2021-07-01T00:34:46.952210Z\",\"data_transferred\":{},\"network\":{\"client\":{},\"server\":{}},\"Occurrence name\":\"1111111a-1a11-1111-111a-11111111a1aa/providers/security-advisor/occurrences/xforce-111111111111-111\",\"Note name\":\"1111111a-1a11-1111-111a-11111111a1aa/providers/security-advisor/notes/xforce-client_response\",\"Occurrence update time\":\"2021-07-01T00:34:46.952003Z\"},\"severity\":\"normal\",\"message\":\"Security Advisor: read findingsapi\",\"dataEvent\":true,\"logSourceCRN\":\"crn:v1:bluemix:public:security-advisor:us-south:a/aa111111aaa111aaa1a111a111111111:::\",\"saveServiceCopy\":true}","_rawline":null,"_ts":"aa111111aaa111aaa1a111a111111111","_platform":"security-advisor","_app":"crn:v1:bluemix:public:security-advisor:us-south:a/aa111111aaa111aaa1a111a111111111:::","_ip":"10.9.14.3","_id":"111111111111111111","outcome":"success","typeURI":"typeURI","eventType":"activity","eventTime":"2021-07-01T00:36:53.62+0000","action":"security-advisor.findings.read","id":"1111111a-1a11-1111-111a-11111111a1aa","correlationId":"1111111a-1a11-1111-111a-11111111a1aa","severity":"normal","message":"Security Advisor: read findingsapi","dataEvent":true,"logSourceCRN":"crn:v1:bluemix:public:security-advisor:us-south:a/aa111111aaa111aaa1a111a111111111:::","saveServiceCopy":true,"o_initiator":{"id":"authnId","name":"name","authnId":"iam-identifier","authnName":"testuser","typeURI":"service/security/account/user","o_host":{"agent":"Apache-HttpClient/4.5.9 (Java/1.8.0_281)","address":"10.41.87.6,10.74.72.121","addressType":"IPv4"},"o_credential":{"type":"user"}},"o_target":{"id":"crn:v1:bluemix:public:security-advisor:us-south:a/aa111111aaa111aaa1a111a111111111::111111111111-111","name":"findingsapi","typeURI":"security-advisor/occurrence"},"o_observer":{"name":"ActivityTracker"},"o_reason":{"reasonCode":200,"reasonType":"OK"},"o_requestData":{"providerId":"security-advisor","occurrenceId":"xforce-111111111111-111"},"o_responseData":{"Context account id":"aa111111aaa111aaa1a111a111111111","occurrenceId":"xforce","Occurrence kind":"FINDING","Context region":"us-south","Occurrence creation time":"2021-07-01T00:34:46.952210Z","Occurrence name":"aa111111aaa111aaa1a111a111111111/providers/security-advisor/occurrences/xforce-1625099685333-735","Note name":"aa111111aaa111aaa1a111a111111111/providers/security-advisor/notes/xforce-client_response","Occurrence update time":"2021-07-01T00:34:46.952003Z","o_email":{},"o_data_transferred":{},"o_network":{"client":"{}","server":"{}"}}}}
Table 1. Highlighted fields in the IBM Cloud Activity Tracker event
QRadar field name    Highlighted payload field name
Event Time           eventTime
Event ID             outcome + action
Event Category       In QRadar, the value is IBMActivityTrackerSecurityAdvisorService.
Source IP            address
Username             name

Sample 2: The following sample event message shows that an occurrence is created successfully.

{"_source":{"_host":"security-advisor","_logtype":"json","_file":"crn:v1:bluemix:public:security-advisor:us-south:a/aa111111aaa111aaa1a111a111111111:::","_line":"{\"outcome\":\"success\",\"typeURI\":\"http://schemas.dmtf.org/cloud/audit/1.0/event\",\"eventType\":\"activity\",\"eventTime\":\"2021-07-01T00:29:37.07+0000\",\"action\":\"security-advisor.findings.write\",\"id\":\"1111111a-1a11-1111-111a-11111111a1aa\",\"correlationId\":\"1111111a-1a11-1111-111a-11111111a1aa\",\"initiator\":{\"id\":\"1111111a-1a11-1111-111a-11111111a1aa\",\"name\":\"IBM (security-advisor)\",\"authnId\":\"1111111a-1a11-1111-111a-11111111a1aa\",\"authnName\":\"SA internal Service\",\"typeURI\":\"service/security/account/serviceid\",\"host\":{\"address\":\"10.126.255.165,10.187.197.4\",\"addressType\":\"IPv4\"},\"credential\":{\"type\":\"apikey\"}},\"target\":{\"id\":\"crn:v1:bluemix:public:security-advisor:us-south:a/aa111111aaa111aaa1a111a111111111::occurrence:xforce-111111111111-111\",\"name\":\"findingsapi\",\"typeURI\":\"security-advisor/occurrence\"},\"observer\":{\"name\":\"ActivityTracker\"},\"reason\":{\"reasonCode\":200,\"reasonType\":\"OK\"},\"requestData\":{\"Replace existing occurrence\":true,\"providerId\":\"security-advisor\",\"context\":{\"Context region\":\"us-south\"},\"finding\":{\"network\":{\"client\":{},\"server\":{}},\"data_transferred\":{}},\"Occurrence kind\":\"FINDING\",\"occurrenceId\":\"xforce-111111111111-111\",\"Note name\":\"aa111111aaa111aaa1a111a111111111/providers/security-advisor/notes/xforce-client_response\"},\"responseData\":{\"email\":{},\"data_transferred\":{},\"network\":{\"client\":{},\"server\":{}},\"Occurrence name\":\"aa111111aaa111aaa1a111a111111111/providers/security-advisor/occurrences/xforce-111111111111-111\"},\"severity\":\"normal\",\"message\":\"Security Advisor: write findingsapi\",\"dataEvent\":true,\"logSourceCRN\":\"crn:v1:bluemix:public:security-advisor:us-south:a/aa111111aaa111aaa1a111a111111111:::\",\"saveServiceCopy\":true}","_rawline":null,"_ts":"aa111111aaa111aaa1a111a111111111","_platform":"security-advisor","_app":"crn:v1:bluemix:public:security-advisor:us-south:a/aa111111aaa111aaa1a111a111111111:::","_ip":"10.9.14.3","_id":"aa111111aaa111aaa1a111a111111111","outcome":"success","typeURI":"http://schemas.dmtf.org/cloud/audit/1.0/event","eventType":"activity","eventTime":"2021-07-01T00:29:37.07+0000","action":"security-advisor.findings.write","id":"1111111a-1a11-1111-111a-11111111a1aa","correlationId":"d600ce3f-3cd8-4a34-867a-fd8f3630b39c","severity":"normal","message":"Security Advisor: write findingsapi","dataEvent":true,"logSourceCRN":"crn:v1:bluemix:public:security-advisor:us-south:a/aa111111aaa111aaa1a111a111111111:::","saveServiceCopy":true,"o_initiator":{"id":"1111111a-1a11-1111-111a-11111111a1aa","name":"IBM (security-advisor)","authnId":"iam-1111111a-1a11-1111-111a-11111111a1aa","authnName":"SA internal Service","typeURI":"service/security/account/serviceid","o_host":{"address":"10.126.255.165,10.187.197.4","addressType":"IPv4"},"o_credential":{"type":"apikey"}},"o_target":{"id":"crn:v1:bluemix:public:security-advisor:us-south:a/aa111111aaa111aaa1a111a111111111::occurrence:xforce-111111111111-111","name":"findingsapi","typeURI":"security-advisor/occurrence"},"o_observer":{"name":"ActivityTracker"},"o_reason":{"reasonCode":200,"reasonType":"OK"},"o_requestData":{"Replace existing occurrence":true,"providerId":"security-advisor","Occurrence kind":"FINDING","occurrenceId":"xforce-111111111111-111","Note name":"aa111111aaa111aaa1a111a111111111/providers/security-advisor/notes/xforce-client_response","o_context":{"Context region":"us-south"},"o_finding":{"network":"{\n  \"client\": {},\n  \"server\": {}\n}","data_transferred":"{}"}},"o_responseData":{"Occurrence name":"aa111111aaa111aaa1a111a111111111/providers/security-advisor/occurrences/xforce-111111111111-111","o_email":{},"o_data_transferred":{},"o_network":{"client":"{}","server":"{}"}}}}
Table 2. Highlighted fields in the IBM Cloud Activity Tracker event
QRadar field name    Highlighted payload field name
Event Time           eventTime
Event ID             outcome + action
Event Category       In QRadar, the value is IBMActivityTrackerSecurityAdvisorService.
Source IP            address
Username             name

Sample 3: The following sample event message shows that an occurrence is viewed successfully.

{"timestamp":1680032637,"line":"{\"eventTime\":\"2023-03-28T19:43:57.01+0000\",\"correlationId\":\"11111111-1111-1111-1111-111111111111\",\"action\":\"atracker.route.read\",\"severity\":\"normal\",\"initiator\":{\"id\":\"testid-000000AAA0\",\"name\":\"user1@example.com\",\"authnId\":\"testid-000000AAA0\",\"authnName\":\"user1\",\"typeURI\":\"service/security/account/user\",\"credential\":{\"type\":\"user\"},\"host\":{\"address\":\"10.0.0.1\",\"addressType\":\"CSE\",\"agent\":\"platform-services-go-sdk/0.31.2 (lang=go; arch=arm64; os=darwin; go.version=go1.19.5)\"}},\"target\":{\"name\":\"qradar-es-route\",\"id\":\"crn:v1:bluemix:public:atracker:global:a/11aa1111a111111a1111a1a11111a1111a111aaa::route:a111aaa1-aa1a-1111-aa1a-1a111a11aa11\",\"typeURI\":\"atracker/route\"},\"outcome\":\"success\",\"reason\":{\"reasonCode\":200,\"reasonType\":\"OK\"},\"observer\":{\"name\":\"ActivityTracker\"},\"requestData\":{\"requestURI\":\"https://us-south.atracker.cloud.ibm.com/api/v2/routes/a111aaa1-aa1a-1111-aa1a-1a111a11aa11\"},\"responseData\":{\"response\":\"success\",\"route\":{\"id\":\"a111aaa1-aa1a-1111-aa1a-1a111a11aa11\",\"name\":\"qradar-es-route\",\"crn\":\"crn:v1:bluemix:public:atracker:global:a/11aa1111a111111a1111a1a11111a1111a111aaa::route:a111aaa1-aa1a-1111-aa1a-1a111a11aa11\",\"version\":0,\"rules\":[{\"locations\":[\"us-south\",\"us-east\",\"global\"],\"target_ids\":[\"a111aaa1-aa1a-1111-aa1a-1a111a11aa11\"]}],\"api_version\":2,\"created_at\":\"2023-03-28T18:56:14.269Z\",\"updated_at\":\"2023-03-28T18:56:14.269Z\"}},\"logSourceCRN\":\"crn:v1:bluemix:public:atracker:us-south:a/11aa1111a111111a1111a1a11111a1111a111aaa:::\",\"saveServiceCopy\":true,\"dataEvent\":false,\"message\":\"Activity Tracker Event Routing: read route\"}","file":"/var/log/at/atracker/api/api-111a11a1a1-1aaaa.log"}
Table 3. Highlighted fields in the IBM Cloud Activity Tracker event
QRadar field name    Highlighted payload field name
Event Time           eventTime
Event ID             outcome + action
Event Category       In QRadar, the value is IBMActivityTracker.
Source IP            address
Username             name

Sample 4: The following sample event message is from Privileged Access Gateway Activity Tracker (PAT) and shows a certificate create request that fails IAM authentication.

{"action": "privileged-access-gateway.certificate.create", "dataEvent": false, "eventTime": "2023-09-27T14:02:04.63-0500", "initiator": { "id": "IBMid-1111111Y","name": "First Name1 Last Name2","typeURI": "service/security/account/user", "credential": {"type": "token"},"host": {"agent": "CLI","address":"10.0.0.1","addressType": "IPv4"}}, "logSourceCRN": "crn:v1:staging:public:privileged-access-gateway:global:a/222222:1111111111-1234-1234-1234-1111111::", "message": "privileged-access-gateway.certificate.create IAM auth failed", "observer": {"name": "ActivityTracker"}, "outcome": "failure", "reason": {"reasonCode": "401", "reasonType": "Failed"}, "resourceGroupId": "11111bbbbcc", "saveServiceCopy": false, "severity": "normal","target": {"id": "crn:v1:bluemix:public:is:us-south-1:a/1111111111::instance:0717_11111111-aaaa-cccc-1111-11111111","name": "pag-us-south-test-vsi","typeURI": "privileged-access-gateway/ssh/session","resourceGroupId": "11111bbbbcc"}}
Table 4. Highlighted fields in the IBM Cloud Activity Tracker event
QRadar field name    Highlighted payload field name
Event Time           eventTime
Event ID             action + outcome
Event Category       In QRadar, the value is IBMActivityTracker.
Source IP            address
Username             name
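The four tables above map the same payload fields (eventTime, outcome + action, initiator.host.address, initiator.name) onto QRadar fields, but the samples arrive in three different envelopes: the Kafka envelope with the event JSON-encoded as a string inside _source._line (samples 1 and 2), a logging envelope with the string-encoded event inside line (sample 3), and the bare event (sample 4). The following Python script is an added example, not IBM's or QRadar's code. It removes the carriage return and line feed characters the Important note refers to, unwraps each envelope, and produces the mapped fields so that they can be compared with what QRadar shows when you verify the integration. Its inputs are constructed samples that copy the shape of the events above rather than the events themselves. Two choices are assumptions of this example, not rules stated on the page: Event ID joins outcome and action with a single space, and Event Category is IBMActivityTrackerSecurityAdvisorService when the service name in logSourceCRN is security-advisor and IBMActivityTracker otherwise.

```python
"""Map IBM Cloud Activity Tracker events onto the QRadar fields listed in the tables.

Added example (not IBM or QRadar code). Three envelope shapes appear on this page:
  1. Kafka envelope: the event is a JSON string inside _source._line (samples 1 and 2)
  2. Logging envelope: the event is a JSON string inside "line" (sample 3)
  3. Bare event: the event object itself (sample 4)
"""
import json
from typing import Any, Dict

# Event Category values quoted in the tables. The rule that picks between them
# (service name taken from logSourceCRN) is an assumption of this example.
CATEGORY_SECURITY_ADVISOR = "IBMActivityTrackerSecurityAdvisorService"
CATEGORY_DEFAULT = "IBMActivityTracker"


def parses_as_is(raw: str) -> bool:
    """True if the raw text is valid JSON without any CR/LF cleanup."""
    try:
        json.loads(raw)
        return True
    except ValueError:
        return False


def unwrap_event(raw: str) -> Dict[str, Any]:
    """Remove CR/LF (the page's 'Important' note) and peel the event out of its envelope.

    A raw CR or LF inside a JSON string is an invalid control character, so
    json.loads rejects a wrapped sample until the line breaks are removed.
    The inner event is itself a JSON document stored as a string, so it is parsed twice.
    """
    outer = json.loads(raw.replace("\r", "").replace("\n", ""))
    if isinstance(outer.get("_source"), dict) and "_line" in outer["_source"]:
        return json.loads(outer["_source"]["_line"])
    if isinstance(outer.get("line"), str):
        return json.loads(outer["line"])
    return outer


def service_from_crn(crn: str) -> str:
    """crn:v1:<cname>:<ctype>:<service-name>:<region>:... -> <service-name>."""
    parts = crn.split(":")
    return parts[4] if len(parts) > 4 else ""


def to_qradar_fields(event: Dict[str, Any]) -> Dict[str, str]:
    """Apply the table mappings: Event Time, Event ID, Event Category, Source IP, Username."""
    initiator = event.get("initiator") or {}
    host = initiator.get("host") or {}
    # address can be a comma-separated chain (sample 1); taking the first hop is an assumption.
    source_ip = host.get("address", "").split(",")[0].strip()
    category = (CATEGORY_SECURITY_ADVISOR
                if service_from_crn(event.get("logSourceCRN", "")) == "security-advisor"
                else CATEGORY_DEFAULT)
    return {
        "Event Time": event.get("eventTime", ""),
        # "outcome + action": joining with one space is an assumption of this example.
        "Event ID": f"{event.get('outcome', '')} {event.get('action', '')}".strip(),
        "Event Category": category,
        "Source IP": source_ip,
        "Username": initiator.get("name", ""),
    }


def parse_activity_tracker(raw: str) -> Dict[str, str]:
    return to_qradar_fields(unwrap_event(raw))


# --- Constructed inputs (not copied from the page; same shape, shortened) ---

def constructed_kafka_sample() -> str:
    """Kafka envelope with a CR/LF injected into the message text, like the wrapped page samples."""
    inner = {
        "outcome": "success",
        "eventTime": "2021-07-01T00:36:53.62+0000",
        "action": "security-advisor.findings.read",
        "initiator": {"name": "username", "typeURI": "service/security/account/user",
                      "host": {"address": "10.41.87.6,10.74.72.121", "addressType": "IPv4"}},
        "logSourceCRN": "crn:v1:bluemix:public:security-advisor:us-south:a/aa111111aaa111aaa1a111a111111111:::",
        "message": "Security Advisor: read findingsapi",
    }
    outer = {"_source": {"_host": "security-advisor", "_logtype": "json", "_line": json.dumps(inner)}}
    return json.dumps(outer).replace("read findingsapi", "read \r\nfindingsapi", 1)


def constructed_logging_sample() -> str:
    inner = {
        "eventTime": "2023-03-28T19:43:57.01+0000",
        "action": "atracker.route.read",
        "outcome": "success",
        "initiator": {"name": "user1@example.com", "host": {"address": "10.0.0.1", "addressType": "CSE"}},
        "logSourceCRN": "crn:v1:bluemix:public:atracker:us-south:a/11aa1111a111111a1111a1a11111a1111a111aaa:::",
    }
    return json.dumps({"timestamp": 1680032637, "line": json.dumps(inner), "file": "/var/log/at/atracker/api/api.log"})


CONSTRUCTED_BARE_SAMPLE = json.dumps({
    "action": "privileged-access-gateway.certificate.create",
    "eventTime": "2023-09-27T14:02:04.63-0500",
    "initiator": {"name": "First Name1 Last Name2", "host": {"address": "10.0.0.1", "addressType": "IPv4"}},
    "logSourceCRN": "crn:v1:staging:public:privileged-access-gateway:global:a/222222:PLACEHOLDER_INSTANCE::",
    "outcome": "failure",
    "reason": {"reasonCode": "401", "reasonType": "Failed"},
})


if __name__ == "__main__":
    for raw in (constructed_kafka_sample(), constructed_logging_sample(), CONSTRUCTED_BARE_SAMPLE):
        for field, value in parse_activity_tracker(raw).items():
            print(f"{field:15}{value}")
        print()
```

Run the script to print the mapped fields for each constructed sample. The Kafka sample is built with a line break inside the message string on purpose: parses_as_is returns False for it, which is exactly why the Important note asks you to remove carriage returns and line feeds, and unwrap_event only succeeds because it strips them first. When you verify the integration, compare the Source IP and Event ID that QRadar shows for a real event against these values to confirm which address hop and which outcome/action format the DSM selects.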