Cisco Firepower Management Center 4000 Developer Guide
FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Table 3-4 Intrusion Event Record 5.3.1+ Fields (continued)

| Field | Data Type | Description |
|---|---|---|
| MPLS Label | uint32 | MPLS label. |
| VLAN ID | uint16 | Indicates the ID of the VLAN where the packet originated. |
| Pad | uint16 | Reserved for future use. |
| Policy UUID | uint8[16] | A policy ID number that acts as a unique identifier for the intrusion policy. |
| User ID | uint32 | The internal identification number for the user, if applicable. |
| Web Application ID | uint32 | The internal identification number for the web application, if applicable. |
| Client Application ID | uint32 | The internal identification number for the client application, if applicable. |
| Application Protocol ID | uint32 | The internal identification number for the application protocol, if applicable. |
| Access Control Rule ID | uint32 | A rule ID number that acts as a unique identifier for the access control rule. |
| Access Control Policy UUID | uint8[16] | A policy ID number that acts as a unique identifier for the access control policy. |
| Ingress Interface UUID | uint8[16] | An interface ID number that acts as a unique identifier for the ingress interface. |
| Egress Interface UUID | uint8[16] | An interface ID number that acts as a unique identifier for the egress interface. |
| Ingress Security Zone UUID | uint8[16] | A zone ID number that acts as a unique identifier for the ingress security zone. |
| Egress Security Zone UUID | uint8[16] | A zone ID number that acts as a unique identifier for the egress security zone. |
| Connection Timestamp | uint32 | UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
| Connection Instance ID | uint16 | Numerical ID of the Snort instance on the managed device that generated the connection event. |
| Connection Counter | uint16 | Value used to distinguish between connection events that happen during the same second. |
| Source Country | uint16 | Code for the country of the source host. |
| Destination Country | uint16 | Code for the country of the destination host. |
| IOC Number | uint16 | ID number of the compromise associated with this event. |
| Security Context | uint8(16) | ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
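
A decoder for the fields listed in this table, added here as an example (it is not code from the Cisco guide). It assumes big-endian byte order and a buffer that starts at the MPLS Label field, neither of which this page states; the names `TAIL`, `NAMES`, `parse_tail` and `sample_tail` are hypothetical, and the sample bytes are constructed.

```python
import struct
import uuid
from datetime import datetime, timezone

# Field order and widths are taken from the table above. Big-endian byte
# order is an assumption of this example; this page does not state it.
TAIL = struct.Struct(">IHH16s5I16s16s16s16s16sI5H16s")
NAMES = (
    "mpls_label", "vlan_id", "pad", "policy_uuid", "user_id", "web_app_id",
    "client_app_id", "app_protocol_id", "ac_rule_id", "ac_policy_uuid",
    "ingress_interface_uuid", "egress_interface_uuid", "ingress_zone_uuid",
    "egress_zone_uuid", "connection_timestamp", "connection_instance_id",
    "connection_counter", "source_country", "destination_country",
    "ioc_number", "security_context",
)

def parse_tail(buf: bytes) -> dict:
    """Decode MPLS Label through Security Context; buf must start at MPLS Label."""
    if len(buf) < TAIL.size:
        # Refuse short input instead of decoding a partial record.
        raise ValueError(f"truncated: need {TAIL.size} bytes, got {len(buf)}")
    rec = dict(zip(NAMES, TAIL.unpack_from(buf)))
    for name in NAMES:
        if name.endswith("_uuid"):
            rec[name] = uuid.UUID(bytes=rec[name])
    # Connection Timestamp is UNIX seconds; render it as UTC for log output.
    rec["connection_time"] = datetime.fromtimestamp(
        rec["connection_timestamp"], tz=timezone.utc)
    return rec

def sample_tail() -> bytes:
    """Constructed sample bytes (not captured from a real device)."""
    u = [uuid.UUID(int=i).bytes for i in range(1, 7)]
    return TAIL.pack(0, 120, 0, u[0], 7, 0, 0, 0, 42, u[1], u[2], u[3],
                     u[4], u[5], 1400000000, 3, 9, 840, 276, 0, bytes(16))

if __name__ == "__main__":
    for field, value in parse_tail(sample_tail()).items():
        print(f"{field:24} {value}")
```

The Security Context field is left as raw bytes because the table describes it as an ID number, not a UUID.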