Sample Event Message

 

Use these sample event messages to verify a successful integration with JSA.

Note

Due to formatting, paste the message formats into a text editor and then remove any carriage return or line feed characters.

Amazon AWS CloudTrail sample message when you use the Amazon REST API protocol

The following sample event message shows that the specified managed policy is attached to the specified user.

{"eventVersion":"1.05","userIdentity":{"type":"Root","principalId":"555555555555","arn":"arn:aws:iam::555555555555:root","accountId":"555555555555","accessKeyId":"AAAAAA1AAAAA1A1AAA11","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2019-06-11T16:43:07Z"}},"invokedBy":"signin.qradar.example.test"},"eventTime":"2019-06-11T16:54:03Z","eventSource":"iam.qradar.example.test","eventName":"AttachUserPolicy","awsRegion":"us-east-1","sourceIPAddress":"172.16.89.242","userAgent":"signin.qradar.example.test","requestParameters":{"userName":"sampleuser","policyArn":"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"},"responseElements":null,"requestID":"849df62f-8c69-11e9-bb3c-abc750f0b415","eventID":"bdcc7610-7f82-4cde-9f6e-1c3cb1927353","eventType":"AwsApiCall","recipientAccountId":"555555555555"}

Amazon AWS CloudTrail sample message when you use the Amazon Web Services protocol

The following sample event message describes trails.

{LogStreamName: 111111111111_CloudTrail_us-east-2,Timestamp: 1505744407363,Message: {"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AAAAAAAAAAAAAAAAAAAAA","arn":"arn:aws:iam::111111111111:user/Test-User","accountId":"111111111111","accessKeyId":"AAAAA1A1AA1AA1111AAA","userName":"Test-User","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2017-09-18T13:22:10Z"}},"invokedBy":"sub.domain.test"},"eventTime":"2017-09-18T14:10:15Z","eventSource":"sub2.domain.test","eventName":"DescribeTrails","awsRegion":"us-east-1","sourceIPAddress":"192.168.10.187","userAgent":"sub.domain.test","requestParameters":{"includeShadowTrails":false,"trailNameList":[]},"responseElements":null,"requestID":"17b7a04c-9c7b-11e7-9d83-43d5bce2d2fc","eventID":"a4914e00-65e5-491d-b1c6-a0dd3845b302","eventType":"AwsApiCall","recipientAccountId":"111111111111"},IngestionTime: 1505744407506,EventId: 33579222362714760922479126672120053866513932467844153344}
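
As an added example (not JSA's own code), the following Python extracts the CloudTrail record from either payload shape shown above, the bare JSON of the REST API protocol or the LogStreamName envelope of the Web Services protocol, and returns the fields worth checking after integration. The sample strings are constructed, shortened copies of the samples on this page, and the function names are hypothetical.

```python
import json

# Constructed, shortened copies of the two samples on this page.
REST_SAMPLE = (
    '{"eventVersion":"1.05","userIdentity":{"type":"Root",'
    '"accountId":"555555555555","sessionContext":{"attributes":'
    '{"mfaAuthenticated":"false"}}},"eventTime":"2019-06-11T16:54:03Z",'
    '"eventName":"AttachUserPolicy","sourceIPAddress":"172.16.89.242",'
    '"requestParameters":{"userName":"sampleuser"}}'
)
WS_SAMPLE = (
    '{LogStreamName: 111111111111_CloudTrail_us-east-2,Timestamp: 1505744407363,'
    'Message: {"eventVersion":"1.05","userIdentity":{"type":"IAMUser",'
    '"accountId":"111111111111","userName":"Test-User","sessionContext":'
    '{"attributes":{"mfaAuthenticated":"false"}}},'
    '"eventTime":"2017-09-18T14:10:15Z","eventName":"DescribeTrails",'
    '"sourceIPAddress":"192.168.10.187"},IngestionTime: 1505744407506,'
    'EventId: 33579222362714760922479126672120053866513932467844153344}'
)

def extract_event(raw):
    """Return the CloudTrail record (a dict) from either payload shape."""
    # Per the note above: drop carriage returns and line feeds first.
    raw = raw.replace("\r", "").replace("\n", "").strip()
    marker = "Message: "
    if raw.startswith("{LogStreamName:"):
        # The envelope is not valid JSON; only the Message value is.
        start = raw.index(marker) + len(marker)
        # raw_decode parses one JSON value and ignores the envelope text after it.
        event, _end = json.JSONDecoder().raw_decode(raw, start)
        return event
    return json.loads(raw)

def summarize(raw):
    """Pick out the fields to compare against the parsed event."""
    ev = extract_event(raw)
    ident = ev["userIdentity"]
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    return {
        "eventName": ev["eventName"],
        "eventTime": ev["eventTime"],
        "identityType": ident["type"],
        "accountId": ident["accountId"],
        "sourceIPAddress": ev["sourceIPAddress"],
        # CloudTrail carries this flag as the string "true" or "false".
        "mfaAuthenticated": attrs.get("mfaAuthenticated") == "true",
    }

if __name__ == "__main__":
    for sample in (REST_SAMPLE, WS_SAMPLE):
        print(summarize(sample))
```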