MongoDB sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Events

Sample 1: The following sample event message shows an audit event collected from a MongoDB application.

{ "atype" : "authenticate", "ts" : { "$date" : "2026-03-03T02:14:09.451-08:00" }, "uuid" : { "$binary" : "11111111111AAAAAAAAAAA==", "$type" : "04" }, "local" : { "ip" : "10.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.2", "port" : 46948 }, "users" : [ { "user" : "testuser2", "db" : "myDatabaseTest" } ], "roles" : [], "param" : { "user" : "testuser2", "db" : "myDatabaseTest", "mechanism" : "SCRAM-SHA-256" }, "result" : 0 }
Table 1. Highlighted values in the MongoDB authenticate sample event

| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | authenticate_Success |
| Event Category | MongoDB Audit Event |
| Destination IP | InstanceIPAddress |
| Destination Port | DestinationPort |
| Source IP | ClientIPAddress |
| Source Port | SourcePort |
| USERNAME | UserName |
| Device Time | EventTimeStamp |

Sample 2: The following sample event message shows a createIndex event collected from a MongoDB application.

{ "atype" : "createIndex", "ts" : { "$date" : "2026-02-19T02:25:10.985-08:00" }, "uuid" : { "$binary" : "11111111111AAAAAAAAAAA==", "$type" : "04" }, "local" : { "ip" : "10.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.2", "port" : 34294 }, "users" : [], "roles" : [], "param" : { "ns" : "myDatabaseTest.testCollection", "indexName" : "_id_", "indexSpec" : { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_" }, "indexBuildState" : "IndexBuildStarted" }, "result" : 0 }
Table 2. Highlighted values in the MongoDB createIndex sample event

| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | createIndex_IndexBuildStarted_Success |
| Event Category | MongoDB Audit Event |
| Destination IP | InstanceIPAddress |
| Destination Port | DestinationPort |
| Source IP | ClientIPAddress |
| Source Port | SourcePort |
| USERNAME | UserName |
| Device Time | EventTimeStamp |

Sample 3: The following sample event message shows an authCheck event collected from a MongoDB application.

{ "atype" : "authCheck", "ts" : { "$date" : "2026-03-04T10:04:38.598-08:00" }, "uuid" : { "$binary" : "11111111111AAAAAAAAAAA==", "$type" : "04" }, "local" : { "ip" : "10.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.2", "port" : 45916 }, "users" : [], "roles" : [], "param" : { "command" : "endSessions", "ns" : "admin", "args" : { "endSessions" : [ { "id" : { "$binary" : "11111111111AAAAAAAAAAA==", "$type" : "04" } }, { "id" : { "$binary" : "22222222222AAAAAAAAAAA==", "$type" : "04" } }, { "id" : { "$binary" : "22222222222BBBBBBBBBBB==", "$type" : "04" } } ], "writeConcern" : { "w" : 0 }, "$db" : "admin" } }, "result" : 0 }
Table 3. Highlighted values in the MongoDB authCheck sample event

| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | authCheck_Success |
| Event Category | MongoDB Audit Event |
| Destination IP | InstanceIPAddress |
| Destination Port | DestinationPort |
| Source IP | ClientIPAddress |
| Source Port | SourcePort |
| USERNAME | UserName |
| Device Time | EventTimeStamp |

Sample 4: The following sample event message shows a dropCollection event collected from a MongoDB application.

{ "atype" : "dropCollection", "ts" : { "$date" : "2026-03-03T01:45:33.824-08:00" }, "uuid" : { "$binary" : "11111111111AAAAAAAAAAA==", "$type" : "04" }, "local" : { "ip" : "10.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.2", "port" : 43256 }, "users" : [], "roles" : [], "param" : { "ns" : "test.collection", "viewOn" : "", "pipeline" : [] }, "result" : 26 }
Table 4. Highlighted values in the MongoDB dropCollection sample event

| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | dropCollection_NamespaceNotFound |
| Event Category | MongoDB Audit Event |
| Destination IP | InstanceIPAddress |
| Destination Port | DestinationPort |
| Source IP | ClientIPAddress |
| Source Port | SourcePort |
| USERNAME | UserName |
| Device Time | EventTimeStamp |