ForeScout CounterACT sample event messages
Use these sample event messages to verify a successful integration with IBM® QRadar®.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
ForeScout CounterACT sample messages when you use the Syslog protocol
Sample 1: The following sample event message shows that an authentication certificate issuer is detected.
LEEF:1.0|ForeScout|CounterACT|8.0.1-99|agent_auth_issuer|cat=Property sev=1 src=10.84.144.14 usrName=testUser srcMAC=00:00:5E:00:53:00 domain=testDomain identHostName=testHostName Folder_Name=Authentication Property_Name=Authentication Certificate Issuer devTime=Mar 7 2019 07:50:32.000 EST devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z Property_Value=\DC=BLAH\DC=testDomain\CN=testDomain2-CA
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | agent_auth_issuer |
| Category | Property |
| Source IP | 10.84.144.14 |
| Username | testUser |
| Device Time | Mar 7 2019 07:50:32.000 EST |
Sample 2: The following sample event message reports the last credentials that succeeded on this host.
LEEF:1.0|ForeScout|CounterACT|8.0.1-99|cached_credentials|cat=Property sev=1 src=192.168.74.25 usrName=qradar1 srcMAC=00:00:5E:00:53:C8 domain=testDomain identHostName=D-q1labs1 Folder_Name= Property_Name=Last credentials to succeed on this host devTime=Mar 26 2019 15:56:14.000 PDT devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z Property_Value=admin1@example.test2001:db8:4D1C:A2FA:3EC9:C66D:8522:B7A4
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | cached_credentials |
| Category | Property |
| Source IP | 192.168.74.25 |
| Username | qradar1 |
| Device Time | Mar 26 2019 15:56:14.000 PDT |
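The following added example (not code from IBM or ForeScout) parses both sample messages above and reproduces the field mapping shown in the two tables, so you can check a captured event before looking for it in QRadar. It assumes the LEEF 1.0 header layout the samples use, strips the carriage-return and line-feed characters the note at the top warns about, and handles the two awkward cases in these payloads: attribute values that contain spaces (`Property_Name`, `devTime`) and a `Property_Value` whose `DC=` and `CN=` components look like attribute keys. The function names, the `QRADAR_FIELDS` mapping and the trailing `\r\n` appended to the constructed copies of the samples are this example's own assumptions.

```python
"""Parse ForeScout CounterACT LEEF 1.0 events and map them to the QRadar fields listed above."""
import re
from datetime import datetime

# Constructed copies of the page's two sample messages. A trailing "\r\n" is added on
# purpose: the note above says pasted samples carry carriage-return / line-feed
# characters, and parse_leef() strips them before doing anything else.
SAMPLE_1 = (
    "LEEF:1.0|ForeScout|CounterACT|8.0.1-99|agent_auth_issuer|cat=Property sev=1 "
    "src=10.84.144.14 usrName=testUser srcMAC=00:00:5E:00:53:00 domain=testDomain "
    "identHostName=testHostName Folder_Name=Authentication "
    "Property_Name=Authentication Certificate Issuer "
    "devTime=Mar 7 2019 07:50:32.000 EST devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z "
    "Property_Value=\\DC=BLAH\\DC=testDomain\\CN=testDomain2-CA\r\n"
)
SAMPLE_2 = (
    "LEEF:1.0|ForeScout|CounterACT|8.0.1-99|cached_credentials|cat=Property sev=1 "
    "src=192.168.74.25 usrName=qradar1 srcMAC=00:00:5E:00:53:C8 domain=testDomain "
    "identHostName=D-q1labs1 Folder_Name= "
    "Property_Name=Last credentials to succeed on this host "
    "devTime=Mar 26 2019 15:56:14.000 PDT devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z "
    "Property_Value=admin1@example.test2001:db8:4D1C:A2FA:3EC9:C66D:8522:B7A4\r\n"
)

# QRadar column name -> where the value comes from (header field or attribute key).
# Assumed mapping, taken from the two tables on this page.
QRADAR_FIELDS = {
    "Event ID": "event_id",
    "Category": "cat",
    "Source IP": "src",
    "Username": "usrName",
    "Device Time": "devTime",
}

# An attribute key starts at the beginning of the text or after whitespace (the LEEF 1.0
# delimiter is a tab, but these samples use spaces). Requiring that boundary keeps the
# "DC=" and "CN=" inside Property_Value from being read as keys of their own.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=")


def parse_attributes(text: str) -> dict:
    """Split 'key=value key2=value with spaces' into a dict.

    A value runs from its '=' to the start of the next key, so multi-word values survive
    intact and an empty value ('Folder_Name= ') comes back as ''.
    """
    matches = list(KEY_RE.finditer(text))
    attrs = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        attrs[m.group(1)] = text[m.end():end].strip()
    return attrs


def parse_leef(raw: str) -> dict:
    """Parse one LEEF 1.0 record (the header layout used by the samples on this page)."""
    line = raw.replace("\r", "").replace("\n", "")  # the clean-up the note above asks for
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.x record: %r" % line[:40])
    version, vendor, product, product_version, event_id, attr_text = parts
    return {
        "leef_version": version.split(":", 1)[1],
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "attrs": parse_attributes(attr_text),
    }


def to_qradar_fields(event: dict) -> dict:
    """Return the five columns the tables above list, as QRadar would display them."""
    return {
        column: event[source] if source == "event_id" else event["attrs"].get(source, "")
        for column, source in QRADAR_FIELDS.items()
    }


def missing_qradar_fields(event: dict) -> list:
    """Columns that would be blank in QRadar; a non-empty list means the mapping failed."""
    return [column for column, value in to_qradar_fields(event).items() if value == ""]


# devTimeFormat uses Java SimpleDateFormat letters; the ones the samples use map to
# strptime directives. The zone letter 'z' is handled separately because strptime's
# %Z only accepts a few zone names and would reject 'PDT' on most machines.
JAVA_TO_STRPTIME = {"yyyy": "%Y", "MMM": "%b", "SSS": "%f",
                    "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S"}


def parse_dev_time(value: str, fmt: str):
    """Return (naive datetime, zone abbreviation) for a devTime / devTimeFormat pair."""
    zone = None
    if fmt.endswith(" z"):
        fmt = fmt[:-2]
        value, zone = value.rsplit(" ", 1)
    py_fmt = re.sub("|".join(JAVA_TO_STRPTIME), lambda m: JAVA_TO_STRPTIME[m.group(0)], fmt)
    return datetime.strptime(value, py_fmt), zone


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        event = parse_leef(sample)
        print(to_qradar_fields(event), "missing:", missing_qradar_fields(event))
```

Run the script against a message captured from your own collector (one record per line) and compare `to_qradar_fields()` with what the QRadar Log Activity tab shows; a non-empty `missing_qradar_fields()` result, or a `devTime` that `parse_dev_time()` rejects, points at delimiter or line-ending damage introduced when the message was copied.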