Cisco Firepower Threat Defense sample event message
Use this sample event message to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage returns or line feed characters.
Cisco Firepower Threat Defense sample message when you use the Syslog protocol
The following sample shows an intrusion event that carries a Generator ID (GID) and a Snort ID (SID).
Aug 14 08:59:30 192.168.0.7 SFIMS : %FTD-5-430001: Protocol: tcp, SrcIP: 10.1.1.57, DstIP: 10.5.12.209, SrcPort: 2049, DstPort: 746, Priority: 1, GID: 1, SID: 648, Revision: 18, Message: "INDICATOR-SHELLCODE x86 NOOP", Classification: Executable Code was Detected, User: No Authentication Required, ACPolicy: test, NAPPolicy: Balanced Security and Connectivity, InlineResult: Blocked
| QRadar field name | Highlighted payload values |
|---|---|
| Event ID | As an intrusion event, a concatenation of the GID and SID is used. |
| Category | As an intrusion event, the category is set to Snort. |
| Device Time | If not provided in the DSM, Aug 14 08:59:30 is taken from the syslog header. |
| Source IP | SrcIP |
| Destination IP | DstIP |
| Source Port | SrcPort |
| Destination Port | DstPort |
| Protocol | Protocol |
| Severity | 5. The value in this field is converted and mapped to an appropriate QRadar severity value. |
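The following parser, added here as an illustration and not part of the IBM DSM or Cisco code, splits the sample line above into its syslog header and key-value body and derives the columns the table describes. It assumes the GID/SID concatenation uses the Snort "GID:SID" form and that message ID 430001 identifies an intrusion event; the page does not state the severity mapping, so the raw syslog level is returned unchanged.

```python
import re

# Constructed sample: the intrusion event shown on this page, as a single syslog line.
SAMPLE = ('Aug 14 08:59:30 192.168.0.7 SFIMS : %FTD-5-430001: Protocol: tcp, SrcIP: 10.1.1.57, '
          'DstIP: 10.5.12.209, SrcPort: 2049, DstPort: 746, Priority: 1, GID: 1, SID: 648, '
          'Revision: 18, Message: "INDICATOR-SHELLCODE x86 NOOP", '
          'Classification: Executable Code was Detected, User: No Authentication Required, '
          'ACPolicy: test, NAPPolicy: Balanced Security and Connectivity, InlineResult: Blocked')

# Syslog header: timestamp, reporting host, app name, then the %FTD-<severity>-<message id> tag.
HEADER_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<app>\S+) : '
    r'%FTD-(?P<sev>\d)-(?P<msgid>\d+): (?P<body>.*)$')

# Body is comma-separated "Key: value" pairs; a quoted value (Message) may itself contain commas.
KV_RE = re.compile(r'(?P<key>[A-Za-z]+): (?P<val>"[^"]*"|[^,]*)')

INTRUSION_MSG_ID = '430001'  # assumption: the message ID of the sample intrusion event


def parse_ftd_event(line: str) -> dict:
    """Split one FTD syslog line into header fields and the body's key-value pairs."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not an FTD syslog event')
    fields = {k: v.strip().strip('"') for k, v in KV_RE.findall(m.group('body'))}
    return {'timestamp': m.group('ts'), 'host': m.group('host'),
            'syslog_severity': int(m.group('sev')), 'message_id': m.group('msgid'),
            'fields': fields}


def to_qradar_fields(event: dict) -> dict:
    """Derive the QRadar columns from the mapping table for a parsed event."""
    f = event['fields']
    intrusion = event['message_id'] == INTRUSION_MSG_ID
    return {
        # Assumption: GID and SID are joined in the Snort "GID:SID" form.
        'event_id': f"{f['GID']}:{f['SID']}" if intrusion else event['message_id'],
        'category': 'Snort' if intrusion else 'Unknown',
        'device_time': event['timestamp'],          # taken from the syslog header
        'source_ip': f['SrcIP'], 'destination_ip': f['DstIP'],
        'source_port': int(f['SrcPort']), 'destination_port': int(f['DstPort']),
        'protocol': f['Protocol'],
        'severity': event['syslog_severity'],       # raw syslog level; QRadar rescales it
    }
```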