Cisco Stealthwatch sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Cisco Stealthwatch sample messages when you use the Syslog protocol

Sample 1: The following sample event message shows that a watched port has become active.

<134>Sep 12 14:03:02 cisco.stealthwatch.test StealthWatch[4969]: LEEF:2.0|Lancope|Stealthwatch|6.8|13|0x7C|src=10.243.54.38|dst=10.100.11.12|dstPort=784|proto=6|msg=A watched port number has become active.|fullmessage=IANA-Unassigned (784/tcp) from 10.100.11.12|start=2019-09-12T14:02:30Z|end=|cat=Watch Port Active|alarmID=3X-1F6B-86U2-YUUR-7|sourceHG=Country|targetHG=Catch All|sourceHostSnapshot=https://10.36.52.20/test-page/test.html#/host/10.243.54.38|targetHostSnapshot=https://10.36.52.20/landing-page/abc.html#/host/10.100.11.12|flowCollectorName=flow|flowCollectorIP=10.20.25.23|domain=abcd.ab.example.test|exporterName=|exporterIPAddress =|exporterInfo=|targetUser=|targetHostname=|sourceUser=|alarmStatus=ACTIVE|alarmSev=Major

Table 1. Highlighted values in the Cisco Stealthwatch sample event message

QRadar field name     Highlighted fields and values in the event payload
Event ID              13
Event Category        Watch Port Active
Source IP             src
Destination IP        dst
Destination Port      dstPort
Protocol              proto

Sample 2: The following sample event message shows suspicious host activity reported as an Anomaly alarm.

<134>Sep 12 13:19:27 cisco.stealthwatch.test StealthWatch[4969]: LEEF:2.0|Lancope|Stealthwatch|6.8|99|0x7C|src=10.10.10.10|dst=10.237.198.232|dstPort=80|proto=6|msg=The host has been observed doing something bad to another host.|fullmessage=Source Host is http (80/tcp) client to target.host.name (10.237.198.232)|start=2019-09-05T08:48:34Z|end=2019-09-05T08:48:34Z|cat=Anomaly|alarmID=3Y-13Y1-QJJ2-YYA9-U|sourceHG=Department, Inside|targetHG=target, Outside|sourceHostSnapshot=https://10.10.10.20/some/path|targetHostSnapshot=https://10.10.10.20/some/path|flowCollectorName=Collector|flowCollectorIP=10.10.10.20|domain=Corporate Domain|exporterName=exporter.host.name|exporterIPAddress =10.20.30.40|exporterInfo=exporter.host.name (10.20.30.40)|targetUser=admin|targetHostname=www.host.test|sourceUser=admin|alarmStatus=ACTIVE|alarmSev=Critical

Table 2. Highlighted values in the Cisco Stealthwatch sample event message

QRadar field name     Highlighted fields and values in the event payload
Event ID              99
Event Category        Anomaly
Source IP             src
Destination IP        dst
Destination Port      dstPort
Protocol              proto
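The following parser is an added example (not IBM or Cisco code) that shows how the LEEF 2.0 records above break down: the six-field header, the hex delimiter specification (0x7C is "|"), and the key=value attributes that Tables 1 and 2 map to QRadar fields. The sample line is constructed from Sample 1 with most attributes trimmed; the QRADAR_MAP names come from the tables.

```python
import re

# Constructed sample modelled on Sample 1 above (attributes abridged).
SAMPLE = (
    "<134>Sep 12 14:03:02 cisco.stealthwatch.test StealthWatch[4969]: "
    "LEEF:2.0|Lancope|Stealthwatch|6.8|13|0x7C|src=10.243.54.38|dst=10.100.11.12"
    "|dstPort=784|proto=6|msg=A watched port number has become active."
    "|cat=Watch Port Active|exporterIPAddress =|alarmSev=Major"
)

# Syslog prefix: <PRI>, RFC 3164 timestamp, host, "tag[pid]: "
SYSLOG_PREFIX = re.compile(r"^<\d+>\S+ +\d+ \S+ \S+ \S+: ")

# QRadar field name -> LEEF attribute key, as given in Tables 1 and 2.
QRADAR_MAP = {
    "Source IP": "src",
    "Destination IP": "dst",
    "Destination Port": "dstPort",
    "Protocol": "proto",
}

def parse_leef(line):
    """Return (header dict, attribute dict) for one LEEF 2.0 syslog line."""
    body = SYSLOG_PREFIX.sub("", line, count=1)
    if not body.startswith("LEEF:2.0|"):
        raise ValueError("not a LEEF 2.0 record")
    # Header: LEEF:Version|Vendor|Product|Version|EventID|Delimiter, then attributes.
    parts = body.split("|", 6)
    if len(parts) != 7:
        raise ValueError("truncated LEEF header")
    _, vendor, product, product_version, event_id, delim_spec, attrs = parts
    # LEEF 2.0 gives the attribute delimiter as a hex code; an empty field means tab.
    if delim_spec.lower().startswith("0x"):
        delimiter = chr(int(delim_spec, 16))
    else:
        delimiter = delim_spec or "\t"
    attributes = {}
    for token in attrs.split(delimiter):  # assumes no escaped delimiters inside values
        key, sep, value = token.partition("=")
        if sep:
            attributes[key.strip()] = value  # strip() tolerates "exporterIPAddress =" as seen above
    header = {"vendor": vendor, "product": product,
              "version": product_version, "event_id": event_id}
    return header, attributes

def to_qradar_fields(line):
    """Project a parsed record onto the QRadar field names used in the tables."""
    header, attrs = parse_leef(line)
    fields = {"Event ID": header["event_id"], "Event Category": attrs.get("cat")}
    fields.update({name: attrs.get(key) for name, key in QRADAR_MAP.items()})
    return fields
```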