MongoDB sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Events
Sample 1: The following sample event message shows an audit event collected from the MongoDB application.
{ "atype" : "authenticate", "ts" : { "$date" : "2026-03-03T02:14:09.451-08:00" }, "uuid" : { "$binary" : "11111111111AAAAAAAAAAA==", "$type" : "04" }, "local" : { "ip" : "10.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.2", "port" : 46948 }, "users" : [ { "user" : "testuser2", "db" : "myDatabaseTest" } ], "roles" : [], "param" : { "user" : "testuser2", "db" : "myDatabaseTest", "mechanism" : "SCRAM-SHA-256" }, "result" : 0 }
| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | authenticate_Success |
| Event Category | MongoDB Audit Event |
| Destination IP | InstanceIPAddress |
| Destination Port | DestinationPort |
| Source IP | ClientIPAddress |
| Source Port | SourcePort |
| USERNAME | UserName |
| Device Time | EventTimeStamp |
Sample 2: The following sample event message shows a createIndex event collected from the MongoDB application.
{ "atype" : "createIndex", "ts" : { "$date" : "2026-02-19T02:25:10.985-08:00" }, "uuid" : { "$binary" : "11111111111AAAAAAAAAAA==", "$type" : "04" }, "local" : { "ip" : "10.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.2", "port" : 34294 }, "users" : [], "roles" : [], "param" : { "ns" : "myDatabaseTest.testCollection", "indexName" : "_id_", "indexSpec" : { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_" }, "indexBuildState" : "IndexBuildStarted" }, "result" : 0 }
| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | createIndex_IndexBuildStarted_Success |
| Event Category | MongoDB Audit Event |
| Destination IP | InstanceIPAddress |
| Destination Port | DestinationPort |
| Source IP | ClientIPAddress |
| Source Port | SourcePort |
| USERNAME | UserName |
| Device Time | EventTimeStamp |
Sample 3: The following sample event message shows an authCheck event collected from the MongoDB application.
{ "atype" : "authCheck", "ts" : { "$date" : "2026-03-04T10:04:38.598-08:00" }, "uuid" : { "$binary" : "11111111111AAAAAAAAAAA==", "$type" : "04" }, "local" : { "ip" : "10.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.2", "port" : 45916 }, "users" : [], "roles" : [], "param" : { "command" : "endSessions", "ns" : "admin", "args" : { "endSessions" : [ { "id" : { "$binary" : "11111111111AAAAAAAAAAA==", "$type" : "04" } }, { "id" : { "$binary" : "22222222222AAAAAAAAAAA==", "$type" : "04" } }, { "id" : { "$binary" : "22222222222BBBBBBBBBBB==", "$type" : "04" } } ], "writeConcern" : { "w" : 0 }, "$db" : "admin" } }, "result" : 0 }
| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | authCheck_Success |
| Event Category | MongoDB Audit Event |
| Destination IP | InstanceIPAddress |
| Destination Port | DestinationPort |
| Source IP | ClientIPAddress |
| Source Port | SourcePort |
| USERNAME | UserName |
| Device Time | EventTimeStamp |
Sample 4: The following sample event message shows a dropCollection event collected from the MongoDB application.
{ "atype" : "dropCollection", "ts" : { "$date" : "2026-03-03T01:45:33.824-08:00" }, "uuid" : { "$binary" : "11111111111AAAAAAAAAAA==", "$type" : "04" }, "local" : { "ip" : "10.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.2", "port" : 43256 }, "users" : [], "roles" : [], "param" : { "ns" : "test.collection", "viewOn" : "", "pipeline" : [] }, "result" : 26 }
| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | dropCollection_NamespaceNotFound |
| Event Category | MongoDB Audit Event |
| Destination IP | InstanceIPAddress |
| Destination Port | DestinationPort |
| Source IP | ClientIPAddress |
| Source Port | SourcePort |
| USERNAME | UserName |
| Device Time | EventTimeStamp |
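To check what QRadar displays against the raw audit line, the following added example (not IBM's DSM parsing logic) derives the table fields from a MongoDB audit JSON record. The mapping of `local` to destination and `remote` to source, the Event ID naming rule, and the `normalize` helper are assumptions inferred from the four samples above.

```python
import json
from datetime import datetime, timezone

# Result codes seen in the samples above; 26 is MongoDB's NamespaceNotFound error code.
RESULT_NAMES = {0: "Success", 26: "NamespaceNotFound"}

# Samples 1 and 4 copied from this page; sample 2 trimmed to the fields used here.
SAMPLE_1 = r'{ "atype" : "authenticate", "ts" : { "$date" : "2026-03-03T02:14:09.451-08:00" }, "uuid" : { "$binary" : "11111111111AAAAAAAAAAA==", "$type" : "04" }, "local" : { "ip" : "10.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.2", "port" : 46948 }, "users" : [ { "user" : "testuser2", "db" : "myDatabaseTest" } ], "roles" : [], "param" : { "user" : "testuser2", "db" : "myDatabaseTest", "mechanism" : "SCRAM-SHA-256" }, "result" : 0 }'
SAMPLE_2 = r'{ "atype" : "createIndex", "ts" : { "$date" : "2026-02-19T02:25:10.985-08:00" }, "local" : { "ip" : "10.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.2", "port" : 34294 }, "users" : [], "roles" : [], "param" : { "ns" : "myDatabaseTest.testCollection", "indexName" : "_id_", "indexBuildState" : "IndexBuildStarted" }, "result" : 0 }'
SAMPLE_4 = r'{ "atype" : "dropCollection", "ts" : { "$date" : "2026-03-03T01:45:33.824-08:00" }, "uuid" : { "$binary" : "11111111111AAAAAAAAAAA==", "$type" : "04" }, "local" : { "ip" : "10.0.0.1", "port" : 27017 }, "remote" : { "ip" : "10.0.0.2", "port" : 43256 }, "users" : [], "roles" : [], "param" : { "ns" : "test.collection", "viewOn" : "", "pipeline" : [] }, "result" : 26 }'


def normalize(line):
    """Parse one MongoDB audit JSON line into the QRadar fields listed in the tables."""
    ev = json.loads(line)

    # Event ID (inferred rule): atype[_indexBuildState]_resultName
    parts = [ev["atype"]]
    state = ev.get("param", {}).get("indexBuildState")
    if state:
        parts.append(state)
    # "Result<code>" is a hypothetical placeholder for codes not shown on this page.
    parts.append(RESULT_NAMES.get(ev["result"], "Result%d" % ev["result"]))

    users = ev.get("users") or []  # empty for unauthenticated operations
    ts = datetime.fromisoformat(ev["ts"]["$date"])  # keeps the -08:00 offset
    return {
        "Event ID": "_".join(parts),
        "Destination IP": ev["local"]["ip"],
        "Destination Port": ev["local"]["port"],
        "Source IP": ev["remote"]["ip"],
        "Source Port": ev["remote"]["port"],
        "USERNAME": users[0]["user"] if users else None,
        "Device Time": ts.astimezone(timezone.utc).isoformat(),  # normalized to UTC
    }


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2, SAMPLE_4):
        print(normalize(sample))
```

Samples 2 to 4 carry an empty `users` array, so the helper returns no user name for them even though the tables list a USERNAME row.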