CrowdStrike Falcon Host sample event message

Use this sample event message to verify a successful integration with IBM® Security QRadar® Log Insights.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

CrowdStrike Falcon Host sample message when you use the Syslog connector

The following sample shows a detection summary event that was generated when a known malware accessed a document on the host. This event contains the details of the document and the time that the document was accessed.

LEEF:1.0|CrowdStrike|FalconHost|1.0|Suspicious Activity| devTime=2016-06-09 02:57:28 src= srcPort=49220 dst= domain=I cat=NetworkAccesses usrName=test devTimeFormat=yyyy-MM-dd HH:mm:ss connDir=0 dstPort=443 resource=<Resource> proto=TCP url=
Table 1. QRadar Log Insights field names and highlighted values in the event payloads
QRadar Log Insights field name Highlighted values in the event payload
Event ID Suspicious Activity
Category CrowdStrike + FalconHost
Source IP
Source Port 49220
Destination IP
Destination Port 443
Event Time 2016-06-09 02:57:28
Username test