Vectra Networks Vectra Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Because of formatting issues in this document, paste each sample message into a text editor and remove any carriage return or line feed characters before you use it.
Vectra Networks Vectra Sample Messages when you use the Syslog Protocol
Sample 1: The following sample event message shows an SMB brute-force detection against a Samba/SMB service.
<13>Jul 9 07:54:46 vectranetworks.vectra.test vectra_cef -: CEF:0|Vectra Networks|X Series|4.2|smb_brute_force|SMB Brute-Force|7|externalId=9481 cat=LATERAL MOVEMENT dvc=10.97.41.41 dvchost=10.97.41.41 shost=hostname123.example.com src=10.125.64.136 flexNumber1Label=threat flexNumber1=70 flexNumber2Label=certainty flexNumber2=59 cs4Label=Vectra Event URL cs4=https://www.Qradar.test/paths/resources1.ext cs5Label=triaged cs5=False dst=10.160.0.145 dhost= proto= dpt=445 out=None in=None start=1531119062000 end=1531119099000
| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | SMB Brute-Force |
| Event Category | LATERAL MOVEMENT |
| Source IP | 10.125.64.136 |
| Destination IP | 10.160.0.145 |
| Destination Port | 445 |
Sample 2: The following sample event message shows a suspicious Kerberos account detection.
<13>Oct 22 07:17:40 vectranetworks.vectra.test vectra_cef -: CEF:0|Vectra Networks|X Series|4.5|kerberos_account_anomaly|Suspicious Kerberos Account|1|externalId=13841 cat=LATERAL MOVEMENT dvc=10.97.41.41 dvchost=10.97.41.41 shost=spek006odc src=10.97.48.6 flexNumber1Label=threat flexNumber1=10 flexNumber2Label=certainty flexNumber2=95 cs4Label=Vectra Event URL cs4=https://www.Qradar.test/paths/resources1.ext cs5Label=triaged cs5=False dst=10.160.0.90 dhost= proto= dpt=80 out=None in=None start=1540183389000 end=1540185634000
| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | Suspicious Kerberos Account |
| Event Category | LATERAL MOVEMENT |
| Source IP | 10.97.48.6 |
| Destination IP | 10.160.0.90 |
| Destination Port | 80 |
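To check the two samples above before sending them to JSA, the following added example (not part of the IBM documentation or of Vectra's code) parses the CEF header and extension of each message and returns the five fields that the mapping tables list. The CEF-key-to-JSA-field mapping in `JSA_MAP` is inferred from those tables; the parser handles the cases the samples contain (values with spaces such as `cat=LATERAL MOVEMENT`, empty values such as `dhost=`) and the CEF escapes `\|` and `\=`.

```python
import re

# Sample events copied from this page (the stray space in "https:// www" removed).
SAMPLE_1 = (
    "<13>Jul 9 07:54:46 vectranetworks.vectra.test vectra_cef -: CEF:0|Vectra Networks|X Series|4.2|"
    "smb_brute_force|SMB Brute-Force|7|externalId=9481 cat=LATERAL MOVEMENT dvc=10.97.41.41 "
    "dvchost=10.97.41.41 shost=hostname123.example.com src=10.125.64.136 flexNumber1Label=threat "
    "flexNumber1=70 flexNumber2Label=certainty flexNumber2=59 cs4Label=Vectra Event URL "
    "cs4=https://www.Qradar.test/paths/resources1.ext cs5Label=triaged cs5=False dst=10.160.0.145 "
    "dhost= proto= dpt=445 out=None in=None start=1531119062000 end=1531119099000")
SAMPLE_2 = (
    "<13>Oct 22 07:17:40 vectranetworks.vectra.test vectra_cef -: CEF:0|Vectra Networks|X Series|4.5|"
    "kerberos_account_anomaly|Suspicious Kerberos Account|1|externalId=13841 cat=LATERAL MOVEMENT "
    "dvc=10.97.41.41 dvchost=10.97.41.41 shost=spek006odc src=10.97.48.6 flexNumber1Label=threat "
    "flexNumber1=10 flexNumber2Label=certainty flexNumber2=95 cs4Label=Vectra Event URL "
    "cs4=https://www.Qradar.test/paths/resources1.ext cs5Label=triaged cs5=False dst=10.160.0.90 "
    "dhost= proto= dpt=80 out=None in=None start=1540183389000 end=1540185634000")

HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")

def parse_cef(line):
    """Split a syslog-wrapped CEF record into its seven header fields and its extension dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    # Header: seven pipe-separated fields; a literal pipe inside a field is escaped as \|
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("truncated CEF header")
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|").strip() for p in parts[:7])))
    # Extension: key=value pairs whose values may contain spaces ("cat=LATERAL MOVEMENT")
    # or be empty ("dhost="), so cut at the next "key=" boundary rather than at every space.
    ext = {}
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        ext[m.group(1)] = m.group(2).replace("\\=", "=").strip()
    return header, ext

# JSA field <- CEF source, inferred from the mapping tables on this page (assumption).
JSA_MAP = {"Event ID": ("header", "name"), "Event Category": ("ext", "cat"),
           "Source IP": ("ext", "src"), "Destination IP": ("ext", "dst"),
           "Destination Port": ("ext", "dpt")}

def jsa_fields(line):
    """Return the JSA-visible fields for one event, as the page's tables list them."""
    header, ext = parse_cef(line)
    sections = {"header": header, "ext": ext}
    return {jsa: sections[where].get(key, "") for jsa, (where, key) in JSA_MAP.items()}

if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        print(jsa_fields(sample))
```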