McAfee MVISION Cloud sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
McAfee MVISION Cloud sample message when you use the Syslog protocol
The following sample event message shows that a CAP incident occurred.
<14>Dec 21 18:00:47 mcafee.mvision.test LEEF:1.0|McAfee|MVISION Cloud|4.0.2.1-SNAPSHOT|Incident|cat=Alert.Policy.CloudAccess devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz devTime=Sep 18 2018 03:28:08.000 UTC usrName=user@user.example.com sev=10 activityName=[Created] actorIdType=USER incidentId=35227 riskSeverity=high collaborationSharedLink=false contentItemHierarchy=Confidential.docx contentItemId=AAAAAAAA1 contentItemName=Confidential.docx informationContentItemParent=Confidential.docx FileSize=29344 contentItemType=FILE externalCollaborators=[] policyId=1 policyName=Enterprise DLP totalMatchCount=0 instanceId=4008 instanceName=Default response=[Deleted] serviceNames=[Slack] status=new updatedOn=Sep 25 2018 09:19:51.480 UTC
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | Incident (the fifth field of the LEEF header) |
| Event Category | Alert.Policy.CloudAccess (the `cat` attribute) |
| Username | user@user.example.com (the `usrName` attribute) |
| Device Time | Sep 18 2018 03:28:08.000 UTC (the `devTime` attribute, parsed with the pattern given in `devTimeFormat`) |
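The following is an added example, not code from this page, IBM, or McAfee. It parses the sample message the way a QRadar DSM would: it strips the syslog `<PRI>` prefix, splits the five LEEF 1.0 header fields, reads the tab-delimited attributes, and derives the four mapped fields from the table above, parsing `devTime` with the pattern the event itself declares in `devTimeFormat`. LEEF 1.0 separates attribute pairs with a tab character; the sample as rendered on this page shows those tabs as spaces, so `SAMPLE` below is the page's message reconstructed with tabs (constructed input). The `JAVA_TO_STRPTIME` token table is an assumption that covers only the SimpleDateFormat tokens seen in this sample.

```python
"""Parse the McAfee MVISION Cloud LEEF 1.0 sample and derive the QRadar field mapping.

Added example (not IBM's or McAfee's code). SAMPLE is the page's message
reconstructed with the tab delimiters that LEEF 1.0 requires (constructed input).
"""
import re
from datetime import datetime, timezone

SAMPLE = (
    "<14>Dec 21 18:00:47 mcafee.mvision.test "
    "LEEF:1.0|McAfee|MVISION Cloud|4.0.2.1-SNAPSHOT|Incident|"
    "cat=Alert.Policy.CloudAccess\tdevTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz\t"
    "devTime=Sep 18 2018 03:28:08.000 UTC\tusrName=user@user.example.com\tsev=10\t"
    "activityName=[Created]\tactorIdType=USER\tincidentId=35227\triskSeverity=high\t"
    "collaborationSharedLink=false\tcontentItemHierarchy=Confidential.docx\t"
    "contentItemId=AAAAAAAA1\tcontentItemName=Confidential.docx\t"
    "informationContentItemParent=Confidential.docx\tFileSize=29344\tcontentItemType=FILE\t"
    "externalCollaborators=[]\tpolicyId=1\tpolicyName=Enterprise DLP\ttotalMatchCount=0\t"
    "instanceId=4008\tinstanceName=Default\tresponse=[Deleted]\tserviceNames=[Slack]\t"
    "status=new\tupdatedOn=Sep 25 2018 09:19:51.480 UTC"
)

# RFC 3164 style prefix: <PRI>, timestamp, hostname, then the LEEF payload.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# Java SimpleDateFormat tokens -> strptime directives (assumption: only these
# tokens occur in devTimeFormat; extend the table if a feed uses others).
JAVA_TO_STRPTIME = {
    "yyyy": "%Y", "MMM": "%b", "dd": "%d", "HH": "%H",
    "mm": "%M", "ss": "%S", "SSS": "%f", "zzz": "%Z",
}


def parse_leef(line):
    """Return syslog facility/severity, LEEF 1.0 header fields and the attribute dict."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a single-line syslog message with a <PRI> prefix")
    pri, msg = int(m["pri"]), m["msg"]
    if "\r" in msg or "\n" in msg:
        raise ValueError("strip carriage return / line feed characters first")
    parts = msg.split("|", 5)  # LEEF 1.0: five header fields, then the attributes
    if len(parts) != 6 or not parts[0].startswith("LEEF:1."):
        raise ValueError("only LEEF 1.0 (tab-delimited attributes) is handled here")
    attributes = {}
    for pair in filter(None, parts[5].split("\t")):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attributes[key] = value
    return {
        "facility": pri >> 3, "severity": pri & 7,
        "syslog_time": m["ts"], "host": m["host"],
        "leef_version": parts[0][len("LEEF:"):], "vendor": parts[1],
        "product": parts[2], "product_version": parts[3], "event_id": parts[4],
        "attributes": attributes,
    }


def java_format_to_strptime(java_fmt):
    """Translate a devTimeFormat pattern into a strptime pattern, longest token first."""
    out, i = "", 0
    tokens = sorted(JAVA_TO_STRPTIME, key=len, reverse=True)
    while i < len(java_fmt):
        for tok in tokens:
            if java_fmt.startswith(tok, i):
                out += JAVA_TO_STRPTIME[tok]
                i += len(tok)
                break
        else:
            out += java_fmt[i]  # literal separator such as ' ', ':' or '.'
            i += 1
    return out


def parse_dev_time(value, java_fmt):
    """Parse devTime with the pattern the event declares; returns an aware datetime."""
    fmt, tz = java_format_to_strptime(java_fmt), None
    if fmt.endswith(" %Z"):
        # strptime's %Z leaves the result naive, so handle the zone name ourselves.
        value, _, zone = value.rpartition(" ")
        fmt = fmt[:-len(" %Z")]
        if zone.upper() not in ("UTC", "GMT"):
            raise ValueError(f"unsupported zone name {zone!r}")
        tz = timezone.utc
    return datetime.strptime(value, fmt).replace(tzinfo=tz)


def qradar_fields(parsed):
    """The four mappings listed in the table on this page."""
    a = parsed["attributes"]
    return {
        "Event ID": parsed["event_id"],
        "Event Category": a["cat"],
        "Username": a["usrName"],
        "Device Time": parse_dev_time(a["devTime"], a["devTimeFormat"]),
    }


if __name__ == "__main__":
    for name, value in qradar_fields(parse_leef(SAMPLE)).items():
        print(f"{name:15} {value}")
```

The parser refuses a message containing CR or LF, which is the failure mode the note at the top of this page warns about: a payload wrapped across lines never matches as one LEEF event. Pipe characters escaped as `\|` inside header fields and the LEEF 2.0 custom-delimiter header field are not handled, since the sample uses neither.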