Cisco Firepower Management Center 4000 Developer Guide
FireSIGHT System Remediation API Guide
Chapter 2 Planning and Packaging Your Remediation Module
Data Available from the Remediation Subsystem
See the following sections for more information:
• describes how event data is provided to your remediation module and lists the correlation event data available to your module.
• explains how instance.config files are made available to your remediation module and describes the types of data they may include.
Event Data
Event data is one type of information available to your remediation module. Event data is information about intrusion, correlation, and other event types that the Defense Center generates when rules in a correlation policy trigger. You specify the event data fields to be sent for each remediation type in your module using the pe_item element in the module.template file.
When the remediation daemon sends event data to your remediation module, it passes the name of the remediation first, followed by the pe_item fields in the order in which they appear in module.template.
The remediation daemon handles any undefined pe_item fields from the database differently depending on whether the field is marked as optional or required in module.template. See .
For details on specifying event data for remediations, see . When specifying the pe_item element, you must use the field names provided in the tables below.
The following table describes data available about the original event that triggered the correlation policy violation. Note that some fields in this table are event specific. These fields are set to zero when not applicable for the specific type of triggering event.
Table 2-2 Triggering Event Data

| Name | Description | Field | Type | Bytes |
|---|---|---|---|---|
| Transport Protocol | The transport protocol (TCP, UDP, IP, ICMP) of the packet that triggered the intrusion or discovery event that caused the policy violation. | ip_protocol | uint8_t | 1 |
| Network Protocol | The network protocol (for example, ethernet) of the packet that triggered the intrusion or discovery event that caused the policy violation. | net_protocol | uint16_t | 2 |
| Triggering Event Type | A numeric identifier for the type of event that triggered the correlation event. Values are: 1 = intrusion; 2 = network discovery, connection, or connection summary; 3 = user awareness; 4 = white list | event_type | uint8_t | 1 |
| Triggering Event ID | An internal identifier for the event that triggered the correlation event. Set only for intrusion events. Set to 0 for other event types. | event_id | uint32_t | 4 |