Cisco Firepower Management Center 4000 Developer Guide
FireSIGHT eStreamer Integration Guide
Chapter 4 Understanding Discovery & Connection Data Structures
User Data Blocks
User data blocks appear in user event messages. They are a subset of the series 1 data blocks. For
information on the general format of series 1 data blocks, see
Note
The data block length field of the user data block header contains the number of bytes in the data block,
including the eight bytes of the two data block header fields.
The following table lists the user data blocks that can appear in user event messages. Data blocks are
listed by data block type. Current data blocks are the latest versions. Legacy blocks are supported but
not produced by the current version of the FireSIGHT System.
Table 4-83 User Data Block Type

| Type | Content | Data Block Category | Description |
|------|---------|---------------------|-------------|
| 73 | User Login Information | Legacy | Contains changes in login information for users detected by the system. See for more information. The successor block type introduced for version 5.0 has the same structure as block type 73 but with different data in the fields. |
| 74 | User Account Update Message | Current | Contains changes in user account information. See more information. |
| 75 | User Information for 4.7 - 4.10.x | Legacy | Contains changes in information for users detected by the system. See for more information. The successor block type 120 introduced for version 5.0 has the same structure as block type 75. |
| 120 | User Information for 5.0+ | Current | Contains changes in information for users detected by the system. See for more information. Supersedes block type 75. |
| 121 | User Login Information | Legacy | Contains changes in login information for users detected by the system. See for more information. Differs from block 73 in the content of the Protocol field, which stores the Version 5.0+ application ID for the application protocol ID detected in the event. The successor block introduced for version 5.1 has block type 127. |
| 127 | User Login Information | Current | Contains changes in login information for users detected by the system. See for more information. It supersedes block type 121. |
| 150 | IOC State | Current | Contains information about compromises. See for more information. |
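
The length rule from the note and the block types from Table 4-83, applied in a parser that refuses to trust the length field (an added example, not code from the Cisco guide). It assumes each of the two header fields is an unsigned 32-bit integer in network byte order with the type first, and it walks a constructed buffer of back-to-back blocks whose payloads are placeholders.

```python
import struct

# Block types and categories copied from Table 4-83 on this page.
USER_BLOCK_TYPES = {
    73: ("User Login Information", "Legacy"),
    74: ("User Account Update Message", "Current"),
    75: ("User Information for 4.7 - 4.10.x", "Legacy"),
    120: ("User Information for 5.0+", "Current"),
    121: ("User Login Information", "Legacy"),
    127: ("User Login Information", "Current"),
    150: ("IOC State", "Current"),
}

HEADER_LEN = 8  # the two header fields; the length field counts these bytes too
# Assumption: both fields are unsigned 32-bit, type first, network byte order.
HEADER = struct.Struct("!II")


def iter_user_blocks(buf):
    """Yield (type, name, category, payload); raise ValueError on a bad length."""
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < HEADER_LEN:
            raise ValueError(f"truncated header at offset {offset}")
        block_type, block_len = HEADER.unpack_from(buf, offset)
        if block_len < HEADER_LEN:
            raise ValueError(f"block length {block_len} is shorter than the header")
        if block_len > len(buf) - offset:
            raise ValueError(f"block length {block_len} overruns the buffer")
        name, category = USER_BLOCK_TYPES.get(block_type, ("unknown", "unknown"))
        payload = bytes(buf[offset + HEADER_LEN:offset + block_len])
        yield block_type, name, category, payload
        offset += block_len  # length includes the header, so this is the next block


def build_block(block_type, payload):
    """Hypothetical helper: build a test block whose length includes the header."""
    return HEADER.pack(block_type, HEADER_LEN + len(payload)) + payload


if __name__ == "__main__":
    # Constructed sample: payload bytes are placeholders, not real event data.
    sample = build_block(127, b"\x00" * 12) + build_block(75, b"\x01\x02")
    for t, name, cat, payload in iter_user_blocks(sample):
        print(t, name, cat, len(payload))
```

A length below 8 would otherwise stall or rewind the walk, and a length past the end of the buffer would make the reader consume bytes that belong to something else; both are rejected before any payload is sliced.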