CrowdStrike Falcon Host sample event message

Use this sample event message to verify a successful integration with IBM® QRadar®.

Important: Because of formatting issues, paste the sample message into a text editor and then remove any carriage return or line feed characters before you use it.

CrowdStrike Falcon Host sample message when you use the Syslog protocol

The following sample shows a detection summary event that was generated when known malware accessed a document on the host. The event contains the details of the document and the time at which the document was accessed.

LEEF:1.0|CrowdStrike|FalconHost|1.0|Suspicious Activity| devTime=2016-06-09 02:57:28 src= srcPort=49220 dst= domain=I cat=NetworkAccesses usrName=test devTimeFormat=yyyy-MM-dd HH:mm:ss connDir=0 dstPort=443 resource=<Resource> proto=TCP url=
Table 1. QRadar field names and highlighted values in the event payload

QRadar field name     Highlighted value in the event payload
Event ID              Suspicious Activity
Category              CrowdStrike + FalconHost
Source IP
Source Port           49220
Destination IP
Destination Port      443
Event Time            2016-06-09 02:57:28
Username              test
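As an added example (not part of the IBM documentation or of the CrowdStrike integration itself), the following Python parses the sample LEEF message above, strips the carriage return and line feed characters the note warns about, interprets devTime with the devTimeFormat carried in the same event, and maps the result onto the QRadar field names in Table 1. The function names and the Java-to-strptime token mapping are this example's own assumptions; call to_qradar_fields(parse_leef(SAMPLE)) to see the mapping.

```python
import re
from datetime import datetime
# Constructed copy of the page's sample event, with a CR/LF deliberately
# embedded to show the clean-up the documentation asks for.
SAMPLE = (
    "LEEF:1.0|CrowdStrike|FalconHost|1.0|Suspicious Activity| "
    "devTime=2016-06-09 02:57:28 src= srcPort=49220 dst= domain=I "
    "cat=NetworkAccesses usrName=test \r\ndevTimeFormat=yyyy-MM-dd HH:mm:ss "
    "connDir=0 dstPort=443 resource=<Resource> proto=TCP url="
)
# Java devTimeFormat tokens -> strptime directives (only those the sample uses)
_JAVA_TO_STRPTIME = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S"}
# A new attribute starts at whitespace followed by "key="; splitting only there
# keeps values that contain spaces (devTime, devTimeFormat) intact.
_PAIR_SPLIT = re.compile(r"\s+(?=[A-Za-z][A-Za-z0-9]*=)")

def parse_leef(message: str) -> dict:
    """Parse one LEEF 1.0 line into its header fields and an attribute dict."""
    line = message.replace("\r", "").replace("\n", "")  # the CR/LF clean-up from the note
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 message")
    attrs = {}
    for pair in _PAIR_SPLIT.split(parts[5].strip()):
        key, _, value = pair.partition("=")
        attrs[key] = value  # "" where the source left the value blank (src=, dst=, url=)
    return {"leef_version": parts[0].split(":", 1)[1], "vendor": parts[1], "product": parts[2],
            "product_version": parts[3], "event_id": parts[4], "attrs": attrs}

def parse_dev_time(attrs: dict) -> datetime:
    """Interpret devTime using the devTimeFormat carried in the same event."""
    fmt = attrs.get("devTimeFormat", "yyyy-MM-dd HH:mm:ss")
    for java_token, directive in _JAVA_TO_STRPTIME.items():
        fmt = fmt.replace(java_token, directive)
    return datetime.strptime(attrs["devTime"], fmt)

def to_qradar_fields(event: dict) -> dict:
    """Map a parsed event onto the QRadar field names listed in Table 1."""
    a = event["attrs"]
    return {
        "Event ID": event["event_id"],
        "Category": f'{event["vendor"]} + {event["product"]}',
        "Source IP": a.get("src") or None,  # blank in the sample
        "Source Port": int(a["srcPort"]) if a.get("srcPort") else None,
        "Destination IP": a.get("dst") or None,  # blank in the sample
        "Destination Port": int(a["dstPort"]) if a.get("dstPort") else None,
        "Event Time": parse_dev_time(a).isoformat(sep=" "),
        "Username": a.get("usrName"),
    }
```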