McAfee MVISION Cloud sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: The sample message below is shown wrapped across several lines. Paste it into a text editor and remove any carriage return or line feed characters before you use it; in the event that MVISION Cloud actually sends, the LEEF 1.0 attributes after the header are separated by tab characters, not by line breaks.

McAfee MVISION Cloud sample message when you use the Syslog protocol

The following sample event message shows an Incident event: a policy alert (cat=Alert.Policy.CloudAccess) raised by the Enterprise DLP policy for a file named Confidential.docx in Slack, with the file deleted as the response.

<14>Dec 21 18:00:47 mcafee.mvision.test LEEF:1.0|McAfee|MVISION Cloud|4.0.2.1-SNAPSHOT|Incident|cat=Alert.Policy.CloudAccess    devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz      devTime=Sep 18 2018 03:28:08.000 UTC    usrName=user@user.example.com   sev=10  activityName=[Created]  actorIdType=USER        incidentId=35227        riskSeverity=high       collaborationSharedLink=false   contentItemHierarchy=Confidential.docx  contentItemId=AAAAAAAA1 contentItemName=Confidential.docx       informationContentItemParent=Confidential.docx  FileSize=29344  contentItemType=FILE    externalCollaborators=[]        policyId=1      policyName=Enterprise DLP       totalMatchCount=0       instanceId=4008 instanceName=Default    response=[Deleted]      serviceNames=[Slack]    status=new      updatedOn=Sep 25 2018 09:19:51.480 UTC
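The mapping from the LEEF payload to QRadar fields can be checked offline with a small parser. The following is an added example, not code from IBM QRadar or McAfee: it splits the syslog header and the LEEF 1.0 header, reads the tab-delimited attributes, translates the Java-style devTimeFormat into a strptime format to parse devTime, and returns the fields that Table 1 highlights. The SAMPLE line is constructed from the page's payload with real tab characters; the fallback that splits on runs of two or more spaces (for a payload whose tabs were flattened, as in this page's rendering) is an assumption of this example, not documented QRadar behaviour.

```python
import re
from datetime import datetime, timezone
from typing import Any, Dict

# Constructed sample modelled on the page's payload (tab-delimited attributes, a subset kept).
SAMPLE = (
    "<14>Dec 21 18:00:47 mcafee.mvision.test "
    "LEEF:1.0|McAfee|MVISION Cloud|4.0.2.1-SNAPSHOT|Incident|"
    "cat=Alert.Policy.CloudAccess\tdevTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz\t"
    "devTime=Sep 18 2018 03:28:08.000 UTC\tusrName=user@user.example.com\tsev=10\t"
    "activityName=[Created]\tincidentId=35227\triskSeverity=high\t"
    "policyName=Enterprise DLP\tserviceNames=[Slack]\tstatus=new"
)

# syslog priority + BSD timestamp + host, then the LEEF version field.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) LEEF:(?P<ver>[\d.]+)\|"
)

# Java SimpleDateFormat tokens used by devTimeFormat -> strptime directives.
# Longer tokens first so "SSS" is not eaten by "ss"; case distinguishes MMM from mm.
JAVA_TO_STRPTIME = [
    ("yyyy", "%Y"), ("MMM", "%b"), ("dd", "%d"), ("HH", "%H"),
    ("SSS", "%f"), ("ss", "%S"), ("mm", "%M"), ("zzz", "%Z"),
]


def java_format_to_strptime(fmt: str) -> str:
    for java_tok, py_tok in JAVA_TO_STRPTIME:
        fmt = fmt.replace(java_tok, py_tok)
    return fmt


def parse_device_time(value: str, java_fmt: str) -> datetime:
    dt = datetime.strptime(value, java_format_to_strptime(java_fmt))
    # %Z matches the zone name but leaves the datetime naive; attach UTC when the
    # payload says UTC/GMT, otherwise leave it naive so the caller can see the gap.
    if dt.tzinfo is None and value.split()[-1] in ("UTC", "GMT"):
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def parse_leef(line: str) -> Dict[str, Any]:
    """Parse one syslog-wrapped LEEF 1.0 line into QRadar-style fields."""
    line = line.rstrip("\r\n")  # the page's note: strip CR/LF first
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped LEEF line")
    # LEEF 1.0 header is Vendor|Product|Version|EventID| followed by attributes;
    # LEEF 2.0 adds an optional delimiter field, which this parser does not handle.
    vendor, product, version, event_id, attr_blob = line[m.end():].split("|", 4)
    if "\t" in attr_blob:
        parts = attr_blob.split("\t")
    else:
        # Assumption of this example: tabs flattened to runs of spaces (as on this page).
        parts = re.split(r" {2,}", attr_blob)
    attrs: Dict[str, str] = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    device_time = None
    if "devTime" in attrs and "devTimeFormat" in attrs:
        device_time = parse_device_time(attrs["devTime"], attrs["devTimeFormat"])
    return {
        "Event ID": event_id,
        "Event Category": attrs.get("cat"),
        "Username": attrs.get("usrName"),
        "Device Time": device_time,
        "Severity": int(attrs["sev"]) if attrs.get("sev", "").isdigit() else None,
        "vendor": vendor,
        "product": product,
        "version": version,
        "attributes": attrs,
    }


if __name__ == "__main__":
    for k, v in parse_leef(SAMPLE).items():
        if k != "attributes":
            print(f"{k}: {v}")
```

If the parser returns the four values in Table 1 for your own captured event, the log source is sending a payload QRadar can map; a Device Time of None means devTime or devTimeFormat is missing and QRadar will fall back to the syslog header time instead.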
Table 1. QRadar field names and highlighted values in the event payload

QRadar field name    Highlighted values in the event payload
Event ID             Incident (the EventID field of the LEEF header)
Event Category       Alert.Policy.CloudAccess (the cat attribute)
Username             user@user.example.com (the usrName attribute)
Device Time          Sep 18 2018 03:28:08.000 UTC (the devTime attribute, parsed with devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz)