device","recommendation_reason_id":58,"risk_score":950,"resolution_id":"qnuwkfqcdajojinseudfxbhf
tlimptpu","policy_manager_recommendation":null,"policy_manager_reason":null,"policy_manager_reas
on_id":null,"policy_manager_risk_score":null,"persistent_device_id":"N/
A","new_device_indication_zero_one":0,"country":null,"region":null,"city":null,"isp":null,"organ
ization":null,"useragent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) HeadlessChrome/72.0.3626.121 Safari/
537.36","referrer":"","x_forwarded_for":"10.0.0.2","screen_resolution":null,"screen_dpi":24,"scr
een_touch":0,"client_time_zone":0,"rapport_machine_id":"","client_language":"en-
US","platform":"Linux x86_64","cpu":"Linux x86_64","os":"Linux","accept_encoding":"gzip,
deflate","mimes":0,"navigator_props":4231119849,"browser_version":"72.0.3626","client_charset":"
UTF-8","browser":"Chrome","accept_charset":"","accept_language":"","network_data":"10.0.0.2","pl
ugins":0,"malware_logical_name":"","infection_severity":"high","malware_signature":null,"formatt
ed_is_targeted":"Maybe","encrypted_user_id":"","encryption_key_id":"trusteerqa.1.20110112-102448
","app_id":"multi_login_tma","customer_session_id":"2s3as2jek91t98mb3mggkrt881","persistent_user
_id":"aaaabbbbcccc0006"}
{"feed_name":"account_takeover","version":"9","datetime":"2020-06-10
07:32:29","event_id":"e783d0dc7ae","last_user_ip":"10.0.0.2","last_user_ipv6":null,"app_name"
:"trusteerqa_business","detected_at":"http://
host.domain2.test","activity":"policy58","translated_recommendation"
:null,"recommendation_reason_text":"Suspicious multiple accesses pattern from the same device"
,"recommendation_reason_id":58,"risk_score":950,"resolution_id":"qnuwkfqcdajojinseudfxbhftlimp
tpu","policy_manager_recommendation":null,"policy_manager_reason":null,"policy_manager_reason_id"
:null,"policy_mana
ger_risk_score":null,"persistent_device_id":"N/
A","new_device_indication_zero_one":0,"country":null,"region":null,
"city":null,"isp":null,"organization":null,"useragent":"Mozilla/5.0 (X11;
Linux x86_64) AppleWebKit/537.36 (KHTML
, like Gecko) HeadlessChrome/
72.0.3626.121 Safari/537.36","referrer":"","x_forwarded_for":"10.0.0.2","screen_reso
lution":null,"screen_dpi":24,"screen_touch":0,"client_time_zone":0,"rapport_machine_id":"",
"client_language":"en-
US","platform":"Linux x86_64","cpu":"Linux x86_64","os":"Linux","accept_encoding":"gzip,
deflate","mimes":0,"navi
gator_props":4231119849,"browser_version":"72.0.3626","client_charset":"UTF-8","browser":"Chrome"
,"accept_charset
":"","accept_language":"","network_data":"10.0.0.2","plugins":0,"malware_logical_name":"",
"infection_severity":"high","malware_signature":null,"formatted_is_targeted":"Maybe","encr
ypted_user_id":"","encryption_key_id":"trusteerqa.1.20110112-102448","app_id":"multi_login_tma",
"customer_session_id":"2s3as2jek91t98mb3mggkrt881","persistent_user_id":"aaaabbbbcccc0006"}
Table 642. Highlighted fields
QRadar field name Highlighted payload field name
Event ID recommendation_reason_id
Event Name recommendation_reason_text
Source IP last_user_ip
Device Time datetime
Sample 2 (with IPv6):
The following sample event message shows that unusual activity from a suspicious device that uses
the Tor browser was detected. Note that `last_user_ip` (the field mapped to the QRadar Source IP in
Table 642) is `null` in this sample; the client address is carried in `last_user_ipv6`
(2001:DB8:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF), while the IPv4 address 10.10.0.2 appears only in the
`x_forwarded_for` and `network_data` fields. Because `x_forwarded_for` is a client-supplied HTTP
header, treat that value as indicative rather than authoritative when attributing the event to a
source address.
{"feed_name":"account_takeover","version":"9","datetime":"2018-08-07
12:11:31","event_id":"ecdc7245542","last_user_ip":null,"last_user_ipv6":"2001:DB8:AAAA:BBBB:CCCC
:DDDD:EEEE:FFFF","app_name":"tma2","detected_at":"https://
host.domain.test","activity":"login","translated_recommendation":"Alert","recommendation_reason_
text":"Unusual activity from a suspicious device using the Tor
browser","recommendation_reason_id":71,"risk_score":114,"resolution_id":"zguiblxuursugnjtulwawxh
cmwixsfbs","policy_manager_recommendation":null,"policy_manager_reason":null,"policy_manager_rea
son_id":null,"policy_manager_risk_score":null,"persistent_device_id":"N/
A","new_device_indication_zero_one":0,"country":"US","region":"99","city":null,"isp":"This is
some ISP text","organization":"Test Organization","useragent":"Mozilla/5.0 (Windows NT 6.1;
Trident/7.0; rv:11.0) like Gecko","referrer":"/test/test/
TAF","x_forwarded_for":"10.10.0.2","screen_resolution":null,"screen_dpi":8,"screen_touch":5,"cli
ent_time_zone":0,"rapport_machine_id":"-","client_language":"tr-TR","platform":"Linux
x86_64","cpu":"Linux x86_64","os":"Windows 7","accept_encoding":"gzip, deflate,
br","mimes":0,"navigator_props":4168486725,"browser_version":"11.0","client_charset":"UTF-8","br
owser":"IE","accept_charset":"","accept_language":"tr-TR,tr;q=0.8,en-
US;q=0.5,en;q=0.3","network_data":"10.10.0.2","plugins":3,"malware_logical_name":"","infection_s
everity":"high","malware_signature":null,"formatted_is_targeted":"Maybe","encrypted_user_id":"14