CrowdStrike Falcon Host sample event message

Use this sample event message to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

CrowdStrike Falcon Host sample message when you use the Syslog protocol

The following sample shows a detection summary event that was generated when a known malware accessed a document on the host. This event contains the details of the document and the time that the document was accessed.

LEEF:1.0|CrowdStrike|FalconHost|1.0|Suspicious Activity| devTime=2016-06-09 02:57:28 src=10.1.1.1 srcPort=49220 dst=10.1.1.2 domain=I cat=NetworkAccesses usrName=test devTimeFormat=yyyy-MM-dd HH:mm:ss connDir=0 dstPort=443 resource=<Resource> proto=TCP url=https://example.com/url
Table 1. QRadar field names and highlighted values in the event payloads
QRadar field name Highlighted values in the event payload
Event ID Suspicious Activity
Category CrowdStrike + FalconHost
Source IP 10.1.1.1
Source Port 49220
Destination IP 10.1.1.2
Destination Port 443
Event Time 2016-06-09 02:57:28
Username test