CrowdStrike Falcon Host Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting, paste the message format into a text editor and then remove any carriage return or line feed characters.
CrowdStrike Falcon Host sample message when you use the Syslog protocol
The following sample shows a detection summary event that was generated when a known malware accessed a document on the host. This event contains the details of the document and the time that the document was accessed.
LEEF:1.0|CrowdStrike|FalconHost|1.0|Suspicious Activity| devTime=2016-06-09 02:57:28 src=10.1.1.1 srcPort=49220 dst=10.1.1.2 domain=I cat=NetworkAccesses usrName=test devTimeFormat=yyyy-MM-dd HH:mm:ss connDir=0 dstPort=443 resource=<Resource> proto=TCP url=https://example.com/url
JSA field name |
Highlighted values in the event payload |
---|---|
Event ID |
Suspicious Activity |
Category |
CrowdStrike + FalconHost |
Source IP |
10.1.1.1 |
Source Port |
49220 |
Destination IP |
10.1.1.2 |
Destination Port |
443 |
Event Time |
2016-06-09 02:57:28 |
Username |
test |