Cisco Firepower Threat Defense sample event message

Use this sample event message to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

Cisco Firepower Threat Defense sample message when you use the Syslog protocol

The following sample shows an intrusion event that carries a Generator ID (GID) and a Snort ID (SID).

Aug 14 08:59:30 192.168.0.7 SFIMS : %FTD-5-430001: Protocol: tcp, SrcIP: 10.1.1.57, DstIP: 10.5.12.209, SrcPort: 2049, DstPort: 746, Priority: 1, GID: 1, SID: 648, Revision: 18, Message: "INDICATOR-SHELLCODE x86 NOOP", Classification: Executable Code was Detected, User: No Authentication Required, ACPolicy: test, NAPPolicy: Balanced Security and Connectivity, InlineResult: Blocked

Table 1. Highlighted values in the Cisco Firepower Threat Defense sample event message

QRadar field name    Highlighted payload values
-----------------    -------------------------------------------------------------------
Event ID             As an intrusion event, a concatenation of the GID and SID is used.
Category             As an intrusion event, the category is set to Snort.
Device Time          If not provided in the DSM, Aug 14 08:59:30 is taken from the syslog header.
Source IP            SrcIP
Destination IP       DstIP
Source Port          SrcPort
Destination Port     DstPort
Protocol             Protocol
Severity             5. The value in this field is converted and mapped to an appropriate QRadar severity value.
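The following parser is an added example, not IBM or Cisco code: it strips the carriage returns and line feeds that the note above warns about, splits the %FTD-5-430001 header from the "Key: value" body, and maps the fields the way Table 1 describes. The "GID:SID" separator for the Event ID is an assumption (the page only says the two are concatenated); the sample line is a constructed copy of the one above.

```python
import re

# Constructed copy of the page's sample intrusion event, as one line.
SAMPLE = ('Aug 14 08:59:30 192.168.0.7 SFIMS : %FTD-5-430001: Protocol: tcp, '
          'SrcIP: 10.1.1.57, DstIP: 10.5.12.209, SrcPort: 2049, DstPort: 746, '
          'Priority: 1, GID: 1, SID: 648, Revision: 18, '
          'Message: "INDICATOR-SHELLCODE x86 NOOP", '
          'Classification: Executable Code was Detected, '
          'User: No Authentication Required, ACPolicy: test, '
          'NAPPolicy: Balanced Security and Connectivity, InlineResult: Blocked')

# Syslog header: timestamp, sender, "SFIMS :", then the %FTD-<severity>-<msgid>: tag.
HEADER = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<sender>\S+) SFIMS : '
    r'%FTD-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$')
# Body is "Key: value" pairs separated by ", "; a quoted value may contain commas.
PAIR = re.compile(r'(\w+): ("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_ftd_event(line: str) -> dict:
    """Parse one FTD intrusion event into the QRadar fields listed in Table 1."""
    # Remove any CR/LF that a copy-and-paste may have inserted (see the note above).
    line = line.replace('\r', '').replace('\n', '').strip()
    m = HEADER.match(line)
    if not m:
        raise ValueError('not a %FTD-<sev>-<msgid> syslog message')
    fields = {k: v.strip('"') for k, v in PAIR.findall(m.group('body'))}
    return {
        # Event ID is GID and SID concatenated; the ':' separator is an assumption.
        'event_id': f"{fields['GID']}:{fields['SID']}",
        'category': 'Snort',                 # fixed for intrusion events
        'device_time': m.group('ts'),        # taken from the syslog header
        'source_ip': fields['SrcIP'],
        'destination_ip': fields['DstIP'],
        'source_port': int(fields['SrcPort']),
        'destination_port': int(fields['DstPort']),
        'protocol': fields['Protocol'],
        'raw_severity': int(m.group('sev')), # the 5 in %FTD-5-430001, before QRadar mapping
        'message_id': m.group('msgid'),
        'rule_message': fields['Message'],
        'inline_result': fields['InlineResult'],
    }


if __name__ == '__main__':
    for key, value in parse_ftd_event(SAMPLE).items():
        print(f'{key:17} {value}')
```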