IBM Security QRadar Suite Alerts sample event message

Use this sample event message to verify a successful integration with the QRadar® product.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

IBM Security QRadar Suite Alerts sample message when you use the Syslog protocol

The evidence field contains the set of observables, already grouped into relationships (subgraphs) where the rule requires it. The observables are extracted from the triggering events or alerts as defined by the rule definition, and this data is used for enrichment, deduplication, and correlation.

{
  "IBMSecurityQRadarSuiteAlert": {
    "name": "Alert Name",
    "description": "Alert Description",
    "mitre_ids": [],
    "severity": 10,
    "credibility": 10,
    "created_by_type": "SEARCH_BASED_RULE",
    "created_by_id": 12345,
    "created_by_version": 5,
    "bypass_realtime_engine": true,
    "original_time": 1234567890123,
    "search_cursor_id": "550e8400-e29b-41d4-a716-446655440000",
    "start_time": 1698780906000,
    "end_time": 1698784506000,
    "investigation_query": "<KQL query>",
    "record_count": 1,
    "evidence": {
      "relationships": [
        {
          "observables": [
            {
              "type": "directory",
              "properties": [
                {
                  "name": "directory___path",
                  "value": "/root/files"
                }
              ]
            },
            {
              "type": "domain_name",
              "properties": [
                {
                  "name": "domain_name___value",
                  "value": "domain.test"
                }
              ]
            }
          ]
        },
        {
          "observables": [
            {
              "type": "email_addr",
              "properties": [
                {
                  "name": "email_addr___value",
                  "value": "sample.user@domain.com"
                },
                {
                  "name": "email_addr___display_name",
                  "value": "Sample User"
                }
              ]
            },
            {
              "type": "email_message",
              "properties": [
                {
                  "name": "email_message___id",
                  "value": "3"
                },
                {
                  "name": "email_message___subject",
                  "value": "Test Email Message Subject"
                },
                {
                  "name": "email_message___to_ref",
                  "value": "13"
                }
              ]
            }
          ]
        }
      ],
      "additional_properties": [
        {
          "name": "prop1",
          "value": "value1"
        },
        {
          "name": "prop2",
          "value": "value2"
        }
      ]
    }
  }
}

Table 1. Highlighted fields in the sample event for IBM Security QRadar Suite Alerts

QRadar product field name   Highlighted payload field name
Event ID                    created_by_type, created_by_id
Event Category              IBMSecurityQRadarSuiteAlert
Severity                    severity
Date Timestamp              original_time
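As an added worked example (not IBM's code and not part of the QRadar product), the following Python script walks through what a verification of this integration would check: it takes a copy of the sample payload as it would be pasted from this page (with carriage return and line feed characters), strips them so the message is a single syslog line, parses the JSON, pulls out the fields Table 1 highlights, and flattens the evidence relationships into name/value maps. The abridged sample string, the tuple form used for the Event ID pair, and the ISO 8601 rendering of original_time (treated as epoch milliseconds, which the sample's 13-digit values imply) are assumptions made for this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed, abridged copy of the page's sample payload, with CR/LF as it
# would arrive when pasted out of the documentation.
SAMPLE_PASTED = (
    '{\r\n'
    '  "IBMSecurityQRadarSuiteAlert": {\r\n'
    '    "name": "Alert Name",\r\n'
    '    "severity": 10,\r\n'
    '    "credibility": 10,\r\n'
    '    "created_by_type": "SEARCH_BASED_RULE",\r\n'
    '    "created_by_id": 12345,\r\n'
    '    "original_time": 1234567890123,\r\n'
    '    "evidence": {\r\n'
    '      "relationships": [\r\n'
    '        {"observables": [\r\n'
    '          {"type": "directory", "properties": [{"name": "directory___path", "value": "/root/files"}]},\r\n'
    '          {"type": "domain_name", "properties": [{"name": "domain_name___value", "value": "domain.test"}]}\r\n'
    '        ]},\r\n'
    '        {"observables": [\r\n'
    '          {"type": "email_addr", "properties": [\r\n'
    '            {"name": "email_addr___value", "value": "sample.user@domain.com"},\r\n'
    '            {"name": "email_addr___display_name", "value": "Sample User"}]},\r\n'
    '          {"type": "email_message", "properties": [\r\n'
    '            {"name": "email_message___id", "value": "3"},\r\n'
    '            {"name": "email_message___subject", "value": "Test Email Message Subject"},\r\n'
    '            {"name": "email_message___to_ref", "value": "13"}]}\r\n'
    '        ]}\r\n'
    '      ],\r\n'
    '      "additional_properties": [{"name": "prop1", "value": "value1"}, {"name": "prop2", "value": "value2"}]\r\n'
    '    }\r\n'
    '  }\r\n'
    '}\r\n'
)


def to_single_line(text: str) -> str:
    """Remove every CR and LF so the payload can be sent as one syslog message."""
    return text.replace("\r", "").replace("\n", "")


def parse_alert(line: str):
    """Parse the single-line payload; return (envelope key, alert body).

    The envelope key is what Table 1 maps to the QRadar Event Category.
    """
    doc = json.loads(line)
    if len(doc) != 1:
        raise ValueError("expected exactly one envelope key in the alert message")
    (category, alert), = doc.items()
    return category, alert


def epoch_ms_to_iso(ms: int) -> str:
    """Render an epoch-milliseconds value as an ISO 8601 UTC timestamp (assumed unit)."""
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return (base + timedelta(milliseconds=ms % 1000)).isoformat()


def highlighted_fields(line: str) -> dict:
    """Extract the Table 1 mappings from the parsed message."""
    category, alert = parse_alert(line)
    return {
        "Event ID": (alert["created_by_type"], alert["created_by_id"]),
        "Event Category": category,
        "Severity": alert["severity"],
        "Date Timestamp": epoch_ms_to_iso(alert["original_time"]),
    }


def flatten_evidence(line: str) -> list:
    """Return one {property name: value} map per evidence relationship."""
    _, alert = parse_alert(line)
    groups = []
    for rel in alert.get("evidence", {}).get("relationships", []):
        props = {}
        for obs in rel.get("observables", []):
            for prop in obs.get("properties", []):
                props[prop["name"]] = prop["value"]
        groups.append(props)
    return groups


def additional_properties(line: str) -> dict:
    """Return evidence.additional_properties as a flat name/value map."""
    _, alert = parse_alert(line)
    return {p["name"]: p["value"] for p in alert.get("evidence", {}).get("additional_properties", [])}


if __name__ == "__main__":
    line = to_single_line(SAMPLE_PASTED)
    print(highlighted_fields(line))
    for group in flatten_evidence(line):
        print(group)
    print(additional_properties(line))
```

Each relationship comes back as its own map, so the observables that the rule grouped together (the email address and the message it belongs to, for instance) stay together for correlation, while observables from different relationships are not mixed.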