CrowdStrike Falcon Host sample event message
Use this sample event message to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage returns or line feed characters.
CrowdStrike Falcon Host sample message when you use the Syslog protocol
The following sample shows a detection summary event that was generated when a known malware accessed a document on the host. This event contains the details of the document and the time that the document was accessed.
LEEF:1.0|CrowdStrike|FalconHost|1.0|Suspicious Activity| devTime=2016-06-09 02:57:28 src=10.1.1.1 srcPort=49220 dst=10.1.1.2 domain=I cat=NetworkAccesses usrName=test devTimeFormat=yyyy-MM-dd HH:mm:ss connDir=0 dstPort=443 resource=<Resource> proto=TCP url=https://example.com/url| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | Suspicious Activity |
| Category | CrowdStrike + FalconHost |
| Source IP | 10.1.1.1 |
| Source Port | 49220 |
| Destination IP | 10.1.1.2 |
| Destination Port | 443 |
| Event Time | 2016-06-09 02:57:28 |
| Username | test |