Vectra Networks Vectra sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: The IBM QRadar DSM for Vectra Networks Vectra is deprecated.
To continue taking advantage of this integration, please download the Vectra Networks Vectra DSM from the IBM Security App Exchange website (https://exchange.xforce.ibmcloud.com/hub/extension/47f3e9afff5e0281d6684bb633d769f2).
Tip: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Vectra Networks Vectra sample messages when you use the Syslog protocol
Sample 1: The following sample event message shows an SMB brute-force detection (signature ID smb_brute_force), categorized as lateral movement.
<13>Jul 9 07:54:46 vectranetworks.vectra.test vectra_cef -: CEF:0|Vectra Networks|X Series|4.2|smb_brute_force|SMB Brute-Force|7|externalId=9481 cat=LATERAL MOVEMENT dvc=10.97.41.41 dvchost=10.97.41.41 shost=hostname123.example.com src=10.125.64.136 flexNumber1Label=threat flexNumber1=70 flexNumber2Label=certainty flexNumber2=59 cs4Label=Vectra Event URL cs4=https://www.Qradar.test/paths/resources1.ext cs5Label=triaged cs5=False dst=10.160.0.145 dhost= proto= dpt=445 out=None in=None start=1531119062000 end=1531119099000
QRadar field name | Highlighted values in the event payload |
---|---|
Event ID | SMB Brute-Force |
Event Category | LATERAL MOVEMENT |
Source IP | 10.125.64.136 |
Destination IP | 10.160.0.145 |
Destination Port | 445 |
Sample 2: The following sample event message shows a suspicious Kerberos account detection (signature ID kerberos_account_anomaly), categorized as lateral movement.
<13>Oct 22 07:17:40 vectranetworks.vectra.test vectra_cef -: CEF:0|Vectra Networks|X Series|4.5|kerberos_account_anomaly|Suspicious Kerberos Account|1|externalId=13841 cat=LATERAL MOVEMENT dvc=10.97.41.41 dvchost=10.97.41.41 shost=spek006odc src=10.97.48.6 flexNumber1Label=threat flexNumber1=10 flexNumber2Label=certainty flexNumber2=95 cs4Label=Vectra Event URL cs4=https://www.Qradar.test/paths/resources1.ext cs5Label=triaged cs5=False dst=10.160.0.90 dhost= proto= dpt=80 out=None in=None start=1540183389000 end=1540185634000
QRadar field name | Highlighted values in the event payload |
---|---|
Event ID | Suspicious Kerberos Account |
Event Category | LATERAL MOVEMENT |
Source IP | 10.97.48.6 |
Destination IP | 10.160.0.90 |
Destination Port | 80 |
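The two tables above show which CEF header and extension fields QRadar lifts into its own event properties. The following script is an added example, not part of the IBM or Vectra documentation, that parses both sample messages the way a DSM must: it splits the CEF header on unescaped pipes, walks the extension block (where values such as `cat=LATERAL MOVEMENT` and `cs4Label=Vectra Event URL` contain spaces and `dhost=` and `proto=` are empty), resolves the `*Label` custom-field names so `flexNumber1Label=threat flexNumber1=70` becomes `threat=70`, and returns the five highlighted QRadar fields. The sample lines are copied from this page; the function and class names are this example's own.

```python
"""Parse the Vectra CEF syslog samples into the fields QRadar highlights."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed inputs: the two sample messages from this page (test hosts and IPs).
SAMPLE_1 = (
    "<13>Jul 9 07:54:46 vectranetworks.vectra.test vectra_cef -: "
    "CEF:0|Vectra Networks|X Series|4.2|smb_brute_force|SMB Brute-Force|7|"
    "externalId=9481 cat=LATERAL MOVEMENT dvc=10.97.41.41 dvchost=10.97.41.41 "
    "shost=hostname123.example.com src=10.125.64.136 flexNumber1Label=threat "
    "flexNumber1=70 flexNumber2Label=certainty flexNumber2=59 "
    "cs4Label=Vectra Event URL cs4=https://www.Qradar.test/paths/resources1.ext "
    "cs5Label=triaged cs5=False dst=10.160.0.145 dhost= proto= dpt=445 "
    "out=None in=None start=1531119062000 end=1531119099000"
)
SAMPLE_2 = (
    "<13>Oct 22 07:17:40 vectranetworks.vectra.test vectra_cef -: "
    "CEF:0|Vectra Networks|X Series|4.5|kerberos_account_anomaly|"
    "Suspicious Kerberos Account|1|externalId=13841 cat=LATERAL MOVEMENT "
    "dvc=10.97.41.41 dvchost=10.97.41.41 shost=spek006odc src=10.97.48.6 "
    "flexNumber1Label=threat flexNumber1=10 flexNumber2Label=certainty "
    "flexNumber2=95 cs4Label=Vectra Event URL "
    "cs4=https://www.Qradar.test/paths/resources1.ext cs5Label=triaged "
    "cs5=False dst=10.160.0.90 dhost= proto= dpt=80 out=None in=None "
    "start=1540183389000 end=1540185634000"
)

# CEF header: version, device vendor, device product, device version,
# signature ID, name, severity; the eighth field is the extension block.
HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")
# Header fields end at an unescaped '|'. Extension values may contain spaces,
# so a value runs until the next whitespace-separated 'key=' token or the end.
PIPE_RE = re.compile(r"(?<!\\)\|")
EXT_RE = re.compile(r"(\S+?)=(.*?)(?=\s\S+?=|$)")


@dataclass
class CefEvent:
    header: Dict[str, str]
    extensions: Dict[str, str]
    # Custom fields renamed by their companion *Label keys (e.g. threat, certainty).
    labelled: Dict[str, str] = field(default_factory=dict)


def parse_cef(raw: str) -> CefEvent:
    """Parse one syslog line carrying a CEF record; the syslog prefix is skipped."""
    raw = raw.rstrip("\r\n")
    start = raw.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    parts = PIPE_RE.split(raw[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_NAMES, parts[:7])}
    extensions = {k: v.replace("\\=", "=") for k, v in EXT_RE.findall(parts[7])}
    labelled = {}
    for key, label in extensions.items():
        base = key[:-len("Label")]
        if key.endswith("Label") and base in extensions:
            labelled[label] = extensions[base]
    return CefEvent(header, extensions, labelled)


def to_qradar_fields(raw: str) -> Dict[str, object]:
    """Return the five properties the page's tables highlight for each sample."""
    ev = parse_cef(raw)
    ext = ev.extensions
    return {
        "Event ID": ev.header["name"],
        "Event Category": ext.get("cat", ""),
        "Source IP": ext.get("src", ""),
        "Destination IP": ext.get("dst", ""),
        # dpt may be empty in other Vectra detections; keep None rather than 0.
        "Destination Port": int(ext["dpt"]) if ext.get("dpt") else None,
    }


def vectra_scores(raw: str) -> Tuple[int, int, bool]:
    """Threat score, certainty score and triaged flag, read via the *Label keys."""
    ev = parse_cef(raw)
    return (int(ev.labelled["threat"]), int(ev.labelled["certainty"]),
            ev.labelled.get("triaged", "False") == "True")


if __name__ == "__main__":
    for line in (SAMPLE_1, SAMPLE_2):
        print(to_qradar_fields(line), vectra_scores(line))
```

The `EXT_RE` lookahead is what keeps multi-word values intact: a new key only begins after whitespace, so `LATERAL MOVEMENT` and `Vectra Event URL` are not split. If a sample was pasted with carriage returns or line feeds inside the message, as the tip above warns, strip them before parsing, or the header split will fail the eight-field check.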