CrowdStrike Falcon Host Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Because of page formatting, paste the sample message into a text editor and remove any carriage-return or line-feed characters before you use it; the message must be a single line.
CrowdStrike Falcon Host sample message when you use the Syslog protocol
The following sample shows a detection summary event (event ID "Suspicious Activity") that was generated when Falcon Host observed a network access from the host (cat=NetworkAccesses). The event contains the source and destination IP addresses and ports, the protocol, the URL that was accessed, the user name, and the time of the access.
LEEF:1.0|CrowdStrike|FalconHost|1.0|Suspicious Activity| devTime=2016-06-09 02:57:28 src=10.1.1.1 srcPort=49220 dst=10.1.1.2 domain=I cat=NetworkAccesses usrName=test devTimeFormat=yyyy-MM-dd HH:mm:ss connDir=0 dstPort=443 resource=<Resource> proto=TCP url=https://example.com/url
| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | Suspicious Activity |
| Category | CrowdStrike + FalconHost |
| Source IP | 10.1.1.1 |
| Source Port | 49220 |
| Destination IP | 10.1.1.2 |
| Destination Port | 443 |
| Event Time | 2016-06-09 02:57:28 |
| Username | test |
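The following Python script is an added example, not part of the JSA documentation or the CrowdStrike or JSA parsers. It parses the sample LEEF message above and fills in the same JSA field names as the table, so you can confirm what each field should contain before comparing against the parsed event in the JSA Log Activity view. Two assumptions are labelled in the code: LEEF 1.0 delimits attributes with a tab, but the copy on this page shows spaces, so the parser accepts either; and the devTimeFormat value is converted from the Java date-pattern tokens used in this sample (yyyy, MM, dd, HH, mm, ss) only, not the full Java format language.

```python
import re
from datetime import datetime

# Sample message copied from the page above, embedded so the script runs offline.
SAMPLE = ("LEEF:1.0|CrowdStrike|FalconHost|1.0|Suspicious Activity| "
          "devTime=2016-06-09 02:57:28 src=10.1.1.1 srcPort=49220 dst=10.1.1.2 "
          "domain=I cat=NetworkAccesses usrName=test "
          "devTimeFormat=yyyy-MM-dd HH:mm:ss connDir=0 dstPort=443 "
          "resource=<Resource> proto=TCP url=https://example.com/url")

HEADER_FIELDS = ("version", "vendor", "product", "product_version", "event_id")

# Assumption: only the Java date-pattern tokens seen in this sample are mapped
# to strptime directives. Order matters: "MM" (month) is replaced before "mm".
_JAVA_TO_STRPTIME = [("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"),
                     ("HH", "%H"), ("mm", "%M"), ("ss", "%S")]

# A value runs until the next " key=" token, so values that contain spaces
# (devTime, devTimeFormat) survive when the attributes were space-separated.
_ATTR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def split_header(message):
    """Split the five pipe-delimited LEEF header fields, honouring '\\|' escapes.
    Returns (header dict, remaining attribute text)."""
    if not message.startswith("LEEF:"):
        raise ValueError("not a LEEF message")
    fields, buf, i = [], [], len("LEEF:")
    while i < len(message) and len(fields) < 5:
        ch = message[i]
        if ch == "\\" and i + 1 < len(message) and message[i + 1] == "|":
            buf.append("|")
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 5:
        raise ValueError("LEEF header needs 5 pipe-delimited fields")
    return dict(zip(HEADER_FIELDS, fields)), message[i:]


def parse_attributes(attr_text):
    """Parse key=value attributes. Tab-delimited per LEEF 1.0 if a tab is present;
    otherwise (assumption: the message was copied with spaces) use the regex."""
    attr_text = attr_text.strip()
    if "\t" in attr_text:
        pairs = [p.split("=", 1) for p in attr_text.split("\t") if "=" in p]
        return {k: v for k, v in pairs}
    return {m.group(1): m.group(2) for m in _ATTR_RE.finditer(attr_text)}


def to_jsa_fields(message):
    """Return the JSA field names from the table, filled from one LEEF message."""
    # The page's own advice: the message must be a single line.
    message = message.replace("\r", "").replace("\n", "")
    header, attr_text = split_header(message)
    attrs = parse_attributes(attr_text)
    fmt = attrs.get("devTimeFormat", "yyyy-MM-dd HH:mm:ss")
    for java_tok, py_tok in _JAVA_TO_STRPTIME:
        fmt = fmt.replace(java_tok, py_tok)
    event_time = datetime.strptime(attrs["devTime"], fmt)
    return {
        "Event ID": header["event_id"],
        "Category": f'{header["vendor"]} + {header["product"]}',
        "Source IP": attrs.get("src"),
        "Source Port": int(attrs["srcPort"]),
        "Destination IP": attrs.get("dst"),
        "Destination Port": int(attrs["dstPort"]),
        "Event Time": event_time,
        "Username": attrs.get("usrName"),
    }


if __name__ == "__main__":
    for name, value in to_jsa_fields(SAMPLE).items():
        print(f"{name:<17} {value}")
```

If JSA shows a different value for any of these fields after the integration is configured, the first things to check are that the message reached JSA on one line and that the attribute delimiter (tab) survived the transport; a space-delimited message is parsed here for convenience but is not what the LEEF 1.0 specification sends.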