Check Point Multi-Domain Management (Provider-1) sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
Check Point Multi-Domain Management (Provider-1) sample messages when you use the LEEF protocol
Sample 1: The following sample event message shows an informational event that was generated by the clock daemon.
LEEF:2.0|Check Point|Syslog|1.0|Check Point Log|cat=Syslog devTime=1537528801 ifdir=inbound loguid={0x0,0x0,0x0,0x0} origin=172.16.150.106 sequencenum=1 version=5 default_device_message=<78>crond[30156]: (root) CMD (/usr/lib/sa/sa1 1 1) facility=clock daemon syslog_severity=Informational
Sample 2: The following sample event message shows an application control event that contains specific details about the application, such as its category, name, description, ID, and properties. This sample also contains the rule that determines who can access the application and the category matched by the rule base.
LEEF:2.0|Check Point|Application Control|1.0|Allow|cat=Application Control devTime=1393855342 srcPort=35275 sev=8 ifdir=outbound ifname=eth1-05 loguid={0x54f411c8,0x9,0xbd0317ac,0x187a} origin=10.1.76.67 version=1 app_category=Network Protocols app_desc=Telnet is a network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communications facility using a virtual terminal connection. User data is interspersed in-band with Telnet control information in an 8-bit byte oriented data connection over the Transmission Control Protocol (TCP). Supported from: R75. app_id=60095597 app_properties=Allows remote connect, High Risk, Network Protocols app_rule_id={C54A11A6-BDE9-11DF-9B35-C21D241F6A6A} app_rule_name=Any Allow Log app_sig_id=60095597:1 appi_name=Telnet Protocol dst=10.9.240.147 matched_category=Network Protocols origin_sic_name=CN\\=ny1,O\\=ny..8ye75g product=Application Control proto=6 proxy_src_ip=10.0.36.27 service=50008 src=10.0.36.27
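As an added example (not IBM or Check Point code), the Python parser below reads the LEEF 2.0 form used in these samples: a five-field header with no explicit delimiter field, followed by space-separated key=value attributes whose values themselves contain spaces, plus the escaped '\=' inside origin_sic_name. It also applies a simple detection check to sample 2, an Application Control 'Allow' for an application carrying the 'High Risk' property; the inputs are constructed from the two messages above, with sample 2 abridged.

```python
import re

# Constructed input: sample 1 from this page verbatim; sample 2 abridged
# (app_desc shortened, some attributes dropped, escaping kept as shown).
SAMPLE_1 = (
    "LEEF:2.0|Check Point|Syslog|1.0|Check Point Log|cat=Syslog devTime=1537528801 "
    "ifdir=inbound loguid={0x0,0x0,0x0,0x0} origin=172.16.150.106 sequencenum=1 "
    "version=5 default_device_message=<78>crond[30156]: (root) CMD (/usr/lib/sa/sa1 1 1) "
    "facility=clock daemon syslog_severity=Informational"
)
SAMPLE_2 = (
    "LEEF:2.0|Check Point|Application Control|1.0|Allow|cat=Application Control "
    "devTime=1393855342 srcPort=35275 sev=8 ifdir=outbound origin=10.1.76.67 "
    "app_category=Network Protocols app_desc=Telnet is a network protocol. "
    "Supported from: R75. app_id=60095597 app_properties=Allows remote connect, "
    "High Risk, Network Protocols app_rule_name=Any Allow Log appi_name=Telnet Protocol "
    r"dst=10.9.240.147 origin_sic_name=CN\\=ny1,O\\=ny..8ye75g proto=6 src=10.0.36.27"
)

# A key is a run of identifier characters followed by '=', at the start of the
# attribute block or after whitespace; the '\=' in origin_sic_name never matches.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def _unescape(value):
    # LEEF escapes a literal '=' as '\='; the doubled backslash seen in the
    # page's rendering ('\\=') collapses the same way.
    return re.sub(r"\\+=", "=", value.strip())


def parse_leef(line):
    """Parse the five-field LEEF 2.0 header form shown on this page, then the
    space-separated key=value attributes (values may contain spaces)."""
    parts = line.strip().split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 2.0 record")
    _, vendor, product, version, event_id, body = parts
    keys = list(_KEY_RE.finditer(body))
    attrs = {}
    for i, m in enumerate(keys):
        # A value runs from the end of its key up to the start of the next key.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        attrs[m.group(1)] = _unescape(body[m.end():end])
    return {"vendor": vendor, "product": product, "version": version,
            "event_id": event_id, "attrs": attrs}


def allowed_high_risk_app(event):
    """Detection check: an Application Control 'Allow' whose app_properties
    include 'High Risk' (sample 2: Telnet permitted by 'Any Allow Log')."""
    return (event["product"] == "Application Control"
            and event["event_id"] == "Allow"
            and "High Risk" in event["attrs"].get("app_properties", ""))
```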