Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Google Cloud Platform Firewall sample message when you use the Google Cloud Pub/Sub protocol
The following sample event message shows that traffic is allowed by Google Cloud Platform Firewall.
```json
{
  "insertId": "a11aaaa1aa1aa1",
  "jsonPayload": {
    "remote_location": {"country": "country", "continent": "continent"},
    "instance": {"project_id": "qradar-gcp-blog-demo", "region": "country", "zone": "countryc", "vm_name": "instance-1"},
    "disposition": "ALLOWED",
    "vpc": {"subnetwork_name": "qradar-a11aaaa1aa1aa1-1", "project_id": "qradar-gcp-blog-demo", "vpc_name": "qradar-a11aaaa1aa1aa1-1"},
    "rule_details": {
      "reference": "network:qradar-a11aaaa1aa1aa1-1/firewall:allowssh",
      "priority": 65534,
      "direction": "INGRESS",
      "ip_port_info": [{"port_range": ["22"], "ip_protocol": "TCP"}],
      "source_range": ["0.0.0.0/0"],
      "action": "ALLOW"
    },
    "connection": {"protocol": 6, "dest_port": 22, "dest_ip": "10.128.0.2", "src_port": 61572, "src_ip": "10.52.43.69"}
  },
  "resource": {
    "type": "gce_subnetwork",
    "labels": {"project_id": "qradar-gcp-blog-demo", "subnetwork_id": "8495198078164383457", "subnetwork_name": "qradara11aaaa1aa1aa1-1", "location": "country-c"}
  },
  "timestamp": "2020-08-19T22:01:42.473623155Z",
  "logName": "projects/qradar-gcp-blog-demo/logs/compute.googleapis.com%2Ffirewall",
  "receiveTimestamp": "2020-08-19T22:01:50.856989345Z"
}
```
JSA field name | Highlighted payload field name
---|---
Event ID | disposition
Logsource Time | timestamp
Source IP | connection + src_ip
Source Port | connection + src_port
Destination IP | connection + dest_ip
Destination Port | connection + dest_port
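The following Python script is an added example, not part of the JSA documentation or of any JSA or Google Cloud code. It parses a constructed copy of the sample message above and pulls out the fields listed in the mapping table, so you can check what JSA should normalize from this event before looking at it in the console. The copy deliberately contains a carriage return and line feed inside the `receiveTimestamp` value, reproducing the wrapping that the note at the top of this page tells you to remove; the script shows that the message fails to parse until those characters are stripped. The `FIELD_MAP` paths (`jsonPayload` → `connection` → `src_ip`, and so on) are this example's reading of the table's "connection + src_ip" notation against the JSON nesting shown above.

```python
import json

# Constructed sample message, modeled on the anonymized Google Cloud Platform
# Firewall event shown on this page. A CR/LF pair has been placed inside the
# receiveTimestamp value on purpose, reproducing the line wrapping that the
# page's note says you must remove before using the message.
SAMPLE_MESSAGE = (
    '{"insertId":"a11aaaa1aa1aa1","jsonPayload":{"remote_location":{"country":"country",'
    '"continent":"continent"},"instance":{"project_id":"qradar-gcp-blog-demo","region":"country",'
    '"zone":"countryc","vm_name":"instance-1"},"disposition":"ALLOWED",'
    '"vpc":{"subnetwork_name":"qradar-a11aaaa1aa1aa1-1","project_id":"qradar-gcp-blog-demo",'
    '"vpc_name":"qradar-a11aaaa1aa1aa1-1"},"rule_details":{"reference":'
    '"network:qradar-a11aaaa1aa1aa1-1/firewall:allowssh","priority":65534,"direction":"INGRESS",'
    '"ip_port_info":[{"port_range":["22"],"ip_protocol":"TCP"}],"source_range":["0.0.0.0/0"],'
    '"action":"ALLOW"},"connection":{"protocol":6,"dest_port":22,"dest_ip":"10.128.0.2",'
    '"src_port":61572,"src_ip":"10.52.43.69"}},"resource":{"type":"gce_subnetwork",'
    '"labels":{"project_id":"qradar-gcp-blog-demo","subnetwork_id":"8495198078164383457",'
    '"subnetwork_name":"qradara11aaaa1aa1aa1-1","location":"country-c"}},'
    '"timestamp":"2020-08-19T22:01:42.473623155Z",'
    '"logName":"projects/qradar-gcp-blog-demo/logs/compute.googleapis.com%2Ffirewall",'
    '"receiveTimestamp":"2020-08-19T22:\r\n01:50.856989345Z"}'
)

# JSA field name -> key path into the parsed message, following the mapping
# table on this page. The jsonPayload prefix is this example's assumption about
# where the table's "connection + ..." fields sit in the JSON.
FIELD_MAP = {
    "Event ID": ("jsonPayload", "disposition"),
    "Logsource Time": ("timestamp",),
    "Source IP": ("jsonPayload", "connection", "src_ip"),
    "Source Port": ("jsonPayload", "connection", "src_port"),
    "Destination IP": ("jsonPayload", "connection", "dest_ip"),
    "Destination Port": ("jsonPayload", "connection", "dest_port"),
}


def parses_as_is(raw: str) -> bool:
    """Return True if json.loads accepts the raw text without any cleanup.

    A CR or LF inside a JSON string is a control character, which the strict
    parser rejects, so a message wrapped mid-value fails here.
    """
    try:
        json.loads(raw)
        return True
    except json.JSONDecodeError:
        return False


def normalize_message(raw: str) -> str:
    """Drop carriage returns and line feeds so wrapped values become one string."""
    return raw.replace("\r", "").replace("\n", "")


def parse_firewall_event(raw: str) -> dict:
    """Normalize then parse one GCP Firewall message into a dict."""
    return json.loads(normalize_message(raw))


def _lookup(obj, path):
    """Walk a key path through nested dicts; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def map_to_jsa_fields(event: dict) -> dict:
    """Extract the JSA fields from a parsed event using FIELD_MAP."""
    return {name: _lookup(event, path) for name, path in FIELD_MAP.items()}


if __name__ == "__main__":
    print("parses without cleanup:", parses_as_is(SAMPLE_MESSAGE))
    event = parse_firewall_event(SAMPLE_MESSAGE)
    print(json.dumps(map_to_jsa_fields(event), indent=2))
```

Run it as-is to see the cleanup step matter: the raw text is rejected, the normalized text parses, and the six JSA fields come out as `ALLOWED`, the event `timestamp`, `10.52.43.69:61572` and `10.128.0.2:22`. To check a message you captured yourself, replace `SAMPLE_MESSAGE` with the pasted text; a `None` in the output means that field is missing from the payload and JSA will not be able to populate it.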