Cisco Firepower Threat Defense sample event message
Use this sample event message to verify a successful integration with IBM® QRadar®.
Cisco Firepower Threat Defense sample message when you use the Syslog protocol
The following sample shows an intrusion event that carries a Generator ID (GID) and a Snort ID (SID).
Aug 14 08:59:30 192.168.0.7 SFIMS : %FTD-5-430001: Protocol: tcp, SrcIP: 10.1.1.57, DstIP: 10.5.12.209, SrcPort: 2049, DstPort: 746, Priority: 1, GID: 1, SID: 648, Revision: 18, Message: "INDICATOR-SHELLCODE x86 NOOP", Classification: Executable Code was Detected, User: No Authentication Required, ACPolicy: test, NAPPolicy: Balanced Security and Connectivity, InlineResult: Blocked
| QRadar field name | Highlighted payload values |
| --- | --- |
| Event ID | As an intrusion event, a concatenation of the GID and SID is used. |
| Category | As an intrusion event, the category is set to Snort. |
| Device Time | If not provided in the DSM, Aug 14 08:59:30 is taken from the syslog header. |
The value in this field is converted and mapped to an appropriate QRadar severity value.
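The following parser is an added example, not code from IBM QRadar, the Cisco FTD DSM, or this page: it splits the sample message above into its syslog header and "Key: value" body, then builds the fields the table describes (Event ID from GID and SID, Category fixed to Snort, Device Time from the syslog header). Three points are assumptions rather than documented behaviour: the Event ID is rendered in Snort's "gid:sid" form, the Priority-to-severity table is illustrative, and the caller supplies the year that a BSD syslog timestamp lacks.

```python
import re
from datetime import datetime

# Constructed sample input: the intrusion event shown on this page, re-typed verbatim.
SAMPLE = (
    'Aug 14 08:59:30 192.168.0.7 SFIMS : %FTD-5-430001: Protocol: tcp, '
    'SrcIP: 10.1.1.57, DstIP: 10.5.12.209, SrcPort: 2049, DstPort: 746, '
    'Priority: 1, GID: 1, SID: 648, Revision: 18, '
    'Message: "INDICATOR-SHELLCODE x86 NOOP", '
    'Classification: Executable Code was Detected, '
    'User: No Authentication Required, ACPolicy: test, '
    'NAPPolicy: Balanced Security and Connectivity, InlineResult: Blocked'
)

# Syslog header: "Mon DD HH:MM:SS host tag : %FTD-<level>-<msgid>: <body>".
HEADER_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<tag>\S+) : '
    r'%FTD-(?P<level>\d)-(?P<msgid>\d+): (?P<body>.*)$'
)

# Body is "Key: value, Key: value, ..."; values may contain spaces, and the
# Message value is double-quoted, so a value ends only at the next ", Key: ".
KV_RE = re.compile(r'(?P<key>[A-Za-z]+): (?P<val>"[^"]*"|.*?)(?=, [A-Za-z]+: |$)')

# Assumed mapping from Snort priority to a 0-10 severity; the page says only
# that the priority value is "converted and mapped", not which values result.
PRIORITY_TO_SEVERITY = {'1': 9, '2': 6, '3': 3}


def parse_ftd_syslog(line):
    """Split one FTD syslog line into header fields and body key/value pairs."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not a %FTD syslog message: ' + line[:40])
    header = m.groupdict()
    body = {k: v.strip('"') for k, v in KV_RE.findall(header.pop('body'))}
    return header, body


def to_qradar_fields(line, year):
    """Map an FTD intrusion event (message ID 430001) onto the fields the table
    above describes. The syslog header carries no year, so the caller supplies it."""
    header, body = parse_ftd_syslog(line)
    if header['msgid'] != '430001' or 'GID' not in body or 'SID' not in body:
        raise ValueError('not an intrusion event (no GID/SID)')
    ts = ' '.join(header['ts'].split())  # collapse "Aug  4" style day padding
    return {
        # Event ID: GID and SID concatenated. The "gid:sid" form is Snort's own
        # rule-identifier convention and is an assumption here, not IBM's format.
        'event_id': body['GID'] + ':' + body['SID'],
        'category': 'Snort',
        'device_time': datetime.strptime(ts + ' ' + str(year), '%b %d %H:%M:%S %Y'),
        'source_ip': body['SrcIP'],
        'source_port': int(body['SrcPort']),
        'destination_ip': body['DstIP'],
        'destination_port': int(body['DstPort']),
        'protocol': body['Protocol'],
        'severity': PRIORITY_TO_SEVERITY.get(body['Priority'], 5),
        'message': body['Message'],
        'inline_result': body['InlineResult'],
    }


if __name__ == '__main__':
    for key, value in to_qradar_fields(SAMPLE, year=2023).items():
        print(f'{key:17} {value}')
```

Running the block prints each mapped field; a value that fails to parse (a non-intrusion FTD message, or a line whose header does not match) raises `ValueError` instead of silently producing a partial record, which is the behaviour you want when checking an integration rather than tolerating it.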