Cisco Stealthwatch sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Because the sample messages wrap across several lines on this page, paste each message into a text editor and remove any carriage return or line feed characters before you use it.
Cisco Stealthwatch sample messages when you use the Syslog protocol
Sample 1: The following sample event message shows that a watched port has become active.
<134>Sep 12 14:03:02 cisco.stealthwatch.test StealthWatch[4969]: LEEF:2.0|Lancope|Stealthwatch|6.8|13|0x7C|src=10.243.54.38|dst=10.100.11.12|dstPort=784|proto=6|msg=A watched port number has become active.|fullmessage=IANA-Unassigned (784/tcp) from 10.100.11.12|start=2019-09-12T14:02:30Z|end=|cat=Watch Port Active|alarmID=3X-1F6B-86U2-YUUR-7|sourceHG=Country|targetHG=Catch All|sourceHostSnapshot=https://10.36.52.20/test-page/test.html#/host/10.243.54.38|targetHostSnapshot=https://10.36.52.20/landing-page/abc.html#/host/10.100.11.12|flowCollectorName=flow|flowCollectorIP=10.20.25.23|domain=abcd.ab.example.test|exporterName=|exporterIPAddress =|exporterInfo=|targetUser=|targetHostname=|sourceUser=|alarmStatus=ACTIVE|alarmSev=Major
QRadar field name | Highlighted fields and values in the event payload |
---|---|
Event ID | 13 |
Event Category | Watch Port Active |
Source IP | src |
Destination IP | dst |
Destination Port | dstPort |
Protocol | proto |
Sample 2: The following sample event message shows an anomaly alarm, where a host was observed doing something suspicious to another host.
<134>Sep 12 13:19:27 cisco.stealthwatch.test StealthWatch[4969]: LEEF:2.0|Lancope|Stealthwatch|6.8|99|0x7C|src=10.10.10.10|dst=10.237.198.232|dstPort=80|proto=6|msg=The host has been observed doing something bad to another host.|fullmessage=Source Host is http (80/tcp) client to target.host.name (10.237.198.232)|start=2019-09-05T08:48:34Z|end=2019-09-05T08:48:34Z|cat=Anomaly|alarmID=3Y-13Y1-QJJ2-YYA9-U|sourceHG=Department, Inside|targetHG=target, Outside|sourceHostSnapshot=https://10.10.10.20/some/path|targetHostSnapshot=https://10.10.10.20/some/path|flowCollectorName=Collector|flowCollectorIP=10.10.10.20|domain=Corporate Domain|exporterName=exporter.host.name|exporterIPAddress =10.20.30.40|exporterInfo=exporter.host.name (10.20.30.40)|targetUser=admin|targetHostname=www.host.test|sourceUser=admin|alarmStatus=ACTIVE|alarmSev=Critical
QRadar field name | Highlighted fields and values in the event payload |
---|---|
Event ID | 99 |
Event Category | Anomaly |
Source IP | src |
Destination IP | dst |
Destination Port | dstPort |
Protocol | proto |
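The tables above state which LEEF attributes QRadar reads from each message, but they do not show how the LEEF 2.0 header and the attribute list are taken apart, or how to confirm offline that a pasted sample still parses after the carriage returns are removed. The following script is an added example and is not IBM or Cisco code. The two messages in SAMPLES are the page's own samples pasted verbatim; the parser, the field map, the backslash-escape handling for literal delimiters, and the function names (parse_leef, qradar_fields, check_samples) are this example's own assumptions about how such a check would be written.

```python
"""Parse the Cisco Stealthwatch LEEF 2.0 syslog samples from this page and derive the
QRadar fields listed in the tables. Added example, not IBM or Cisco code."""
import re
from dataclasses import dataclass, field

# The page's own two sample messages, pasted verbatim (no CR/LF inside them).
SAMPLES = [
    "<134>Sep 12 14:03:02 cisco.stealthwatch.test StealthWatch[4969]: LEEF:2.0|Lancope|Stealthwatch|6.8|13|0x7C|src=10.243.54.38|dst=10.100.11.12|dstPort=784|proto=6|msg=A watched port number has become active.|fullmessage=IANA-Unassigned (784/tcp) from 10.100.11.12|start=2019-09-12T14:02:30Z|end=|cat=Watch Port Active|alarmID=3X-1F6B-86U2-YUUR-7|sourceHG=Country|targetHG=Catch All|sourceHostSnapshot=https://10.36.52.20/test-page/test.html#/host/10.243.54.38|targetHostSnapshot=https://10.36.52.20/landing-page/abc.html#/host/10.100.11.12|flowCollectorName=flow|flowCollectorIP=10.20.25.23|domain=abcd.ab.example.test|exporterName=|exporterIPAddress =|exporterInfo=|targetUser=|targetHostname=|sourceUser=|alarmStatus=ACTIVE|alarmSev=Major",
    "<134>Sep 12 13:19:27 cisco.stealthwatch.test StealthWatch[4969]: LEEF:2.0|Lancope|Stealthwatch|6.8|99|0x7C|src=10.10.10.10|dst=10.237.198.232|dstPort=80|proto=6|msg=The host has been observed doing something bad to another host.|fullmessage=Source Host is http (80/tcp) client to target.host.name (10.237.198.232)|start=2019-09-05T08:48:34Z|end=2019-09-05T08:48:34Z|cat=Anomaly|alarmID=3Y-13Y1-QJJ2-YYA9-U|sourceHG=Department, Inside|targetHG=target, Outside|sourceHostSnapshot=https://10.10.10.20/some/path|targetHostSnapshot=https://10.10.10.20/some/path|flowCollectorName=Collector|flowCollectorIP=10.10.10.20|domain=Corporate Domain|exporterName=exporter.host.name|exporterIPAddress =10.20.30.40|exporterInfo=exporter.host.name (10.20.30.40)|targetUser=admin|targetHostname=www.host.test|sourceUser=admin|alarmStatus=ACTIVE|alarmSev=Critical",
]

# BSD-style syslog prefix: <PRI>Mmm dd hh:mm:ss host app[pid]: payload
SYSLOG_PREFIX = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?:\s*"
)


@dataclass
class LeefEvent:
    syslog: dict            # pri, timestamp, host, app, pid, facility, severity
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str           # the QRadar "Event ID" column
    delimiter: str          # decoded attribute delimiter (0x7C -> "|" in these samples)
    attributes: dict = field(default_factory=dict)


def _decode_delimiter(token: str) -> str:
    """LEEF 2.0 header field 6: a literal character or a hex code such as 0x7C.
    An empty field means the LEEF default, a tab."""
    if token == "":
        return "\t"
    m = re.fullmatch(r"(?i)0?x([0-9a-f]{1,2})", token)
    return chr(int(m.group(1), 16)) if m else token


def _split_unescaped(text: str, sep: str, maxsplit: int = 0) -> list:
    """Split on sep unless it is preceded by a backslash (assumed LEEF escaping convention)."""
    return re.split(r"(?<!\\)" + re.escape(sep), text, maxsplit=maxsplit)


def parse_leef(raw: str) -> LeefEvent:
    # Per the note at the top of the page, CR/LF picked up while copying are removed first.
    line = raw.replace("\r", "").replace("\n", "")
    m = SYSLOG_PREFIX.match(line)
    syslog = m.groupdict() if m else {}
    if m:
        facility, severity = divmod(int(syslog["pri"]), 8)  # <134> -> local0, informational
        syslog.update(facility=facility, severity=severity)
    body = line[m.end():] if m else line
    if not body.startswith("LEEF:"):
        raise ValueError("payload does not start with a LEEF header")
    version = body[5:body.index("|")]
    # LEEF 1.0 has five header fields; LEEF 2.0 adds a sixth, the attribute delimiter.
    n_header = 6 if version.startswith("2") else 5
    parts = body.split("|", n_header)
    if len(parts) != n_header + 1:
        raise ValueError("truncated LEEF header")
    delim = _decode_delimiter(parts[5]) if n_header == 6 else "\t"
    attributes = {}
    for token in _split_unescaped(parts[n_header], delim):
        kv = _split_unescaped(token, "=", 1)
        if len(kv) != 2:
            continue  # empty token or a fragment without "="
        # key.strip() tolerates the "exporterIPAddress =" spelling seen in the samples
        key = kv[0].strip()
        attributes[key] = kv[1].replace("\\" + delim, delim).replace("\\=", "=")
    return LeefEvent(syslog, version, parts[1], parts[2], parts[3], parts[4], delim, attributes)


def qradar_fields(ev: LeefEvent) -> dict:
    """The QRadar fields the tables on this page map from the LEEF payload."""
    a = ev.attributes
    return {
        "Event ID": ev.event_id,
        "Event Category": a.get("cat", ""),
        "Source IP": a.get("src", ""),
        "Destination IP": a.get("dst", ""),
        "Destination Port": a.get("dstPort", ""),
        "Protocol": a.get("proto", ""),
    }


# Values the page's tables and samples say QRadar should show for sample 1 and sample 2.
EXPECTED = [
    {"Event ID": "13", "Event Category": "Watch Port Active", "Source IP": "10.243.54.38",
     "Destination IP": "10.100.11.12", "Destination Port": "784", "Protocol": "6"},
    {"Event ID": "99", "Event Category": "Anomaly", "Source IP": "10.10.10.10",
     "Destination IP": "10.237.198.232", "Destination Port": "80", "Protocol": "6"},
]


def check_samples(samples=SAMPLES, expected=EXPECTED) -> list:
    """Return (sample number, field, got, want) for every mismatch; an empty list means all samples map as documented."""
    problems = []
    for i, (raw, want) in enumerate(zip(samples, expected), start=1):
        got = qradar_fields(parse_leef(raw))
        problems += [(i, k, got[k], v) for k, v in want.items() if got[k] != v]
    return problems


if __name__ == "__main__":
    for raw in SAMPLES:
        ev = parse_leef(raw)
        print(ev.vendor, ev.product, ev.product_version, "event", ev.event_id, qradar_fields(ev))
    print("mismatches:", check_samples())
```

Run the script as-is to confirm both samples yield the Event ID, Event Category, Source IP, Destination IP, Destination Port and Protocol values in the tables; to test a message captured from your own Stealthwatch appliance, add it to SAMPLES with the values you expect in EXPECTED. The header is split on a literal "|" because that is the LEEF header separator regardless of the attribute delimiter, while the attributes are split on whatever the sixth header field declares, so the same parser also accepts tab-delimited LEEF 1.0 or 2.0 messages.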