Cisco Cisco Firepower Management Center 4000 Entwickleranleitung

4-54

FireSIGHT eStreamer Integration Guide

Chapter 4 Understanding Discovery & Connection Data Structures

Metadata for Discovery Events

User Data Structures by Event Type

eStreamer builds user event messages based on the event type indicated in the discovery event header.
The following sub-sections describe the high-level structure for each event type:

•

User Modification Messages, page 4-54

•

User Information Update Message Block, page 4-54

User Modification Messages

When any of the following events occurs through system detection, a user modification message is sent:

•

a new user is detected (a New User Identity event—event type 1004, subtype 1),

•

a user is removed (a Delete User Identity event—event type 1004, subtype 3)

•

a user is dropped (a User Identity Dropped: User Limit Reached event—event type 1004, subtype 4)

User Modification event messages have a standard discovery event header (as documented in

Discovery

Event Header 5.2+, page 4-32

) and a User Information data block (as documented in

User Information

Data Block, page 4-169

). The User Information data block is block type 120 in series 1.

User Information Update Message Block

When the login changes for a user (a User Login event—event type 1004, subtype 2) detected by the
system, a user information update message is sent.

User Information Update event messages have a standard discovery event header (as documented in

Discovery Event Header 5.2+, page 4-32

) and a User Login Information data block (as documented in

User Login Information Data Block 5.1+, page 4-172

). The User Login Information data block is block

type 121 in series 1.

Byte

Bit

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Discovery Event Header

User Information Data Block