Cisco Firepower Management Center 4000 Developer Guide

3-15
FireSIGHT eStreamer Integration Guide
 
Chapter 3      Understanding Intrusion and Correlation Data Structures
  Intrusion Event and Metadata Record Types
Table 3-5      Impact Event Data Fields (continued)

Field                  Data Type   Description
String Block Length    uint32      Number of bytes in the event description string block. This includes the four bytes for the string block type, the four bytes for the string block length, and the number of bytes in the description.
Description            string      Description of the impact event.

User Record

When you request metadata, you can retrieve information about the users referenced in events generated by components in your FireSIGHT System. The eStreamer service transmits metadata containing user information for an event within a User record, the format of which is shown below. The user metadata record can be used to determine the user name associated with an event by correlating the metadata with the user ID value from a User Vulnerability Change Data Block, User Host Deletion Data Block, User Service Deletion Data Block, User Criticality Change Block, Attribute Definition Data Block, User Attribute Value Data Block, or Scan Result Data Block. (User information is sent when one of the metadata flags, bits 1, 14, 15, or 20 in the Request Flags field of a request message, is set. See .) Note that the Record Type field, which appears after the Message Length field, has a value of 62, indicating a User record.

The following table describes the fields in the User record.
Byte        0               1               2               3
Bit         0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
            +-------------------------------+-------------------------------+
            |      Header Version (1)       |       Message Type (4)        |
            +-------------------------------+-------------------------------+
            |                        Message Length                         |
            +---------------------------------------------------------------+
            |                       Record Type (62)                        |
            +---------------------------------------------------------------+
            |                         Record Length                         |
            +---------------------------------------------------------------+
            |                            User ID                            |
            +---------------------------------------------------------------+
            |                          Name Length                          |
            +---------------------------------------------------------------+
            |                            Name...                            |
            +---------------------------------------------------------------+
Table 3-6      User Record Fields

Field          Data Type   Description
User ID        uint32      The user ID number.
Name Length    uint32      The number of bytes included in the user name.
Name           string      The name of the user.
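The following Python parser is an added example; it is not code from this guide or from the eStreamer product. It reads one message carrying a User record (Record Type 62), applies the field layout in the figure and Table 3-6, and folds the result into the user-ID-to-name map that the text describes for correlating the user ID carried by the other data blocks. It assumes, because this page does not state it, that fields are big-endian, that Header Version and Message Type are 16 bits each while the other fixed fields are 32 bits, that Message Length counts the bytes after the 8-byte message header, that Record Length counts the bytes after the Record Type and Record Length pair, and that each message holds a single record. The builder function only constructs sample input so the parser can be exercised offline.

```python
import struct

# Values taken from the User record figure and Table 3-6 on this page.
HEADER_VERSION = 1           # Header Version field
MESSAGE_TYPE_EVENT_DATA = 4  # Message Type field value shown in the figure
USER_RECORD_TYPE = 62        # Record Type value that identifies a User record

# Assumptions not stated on this page: network (big-endian) byte order, 16-bit
# Header Version and Message Type, 32-bit Message Length / Record Type /
# Record Length / User ID / Name Length, Message Length counting the bytes after
# the 8-byte header, Record Length counting the bytes after the 8-byte
# Record Type / Record Length pair, and one record per message.
HEADER_FMT = "!HHI"      # Header Version, Message Type, Message Length
RECORD_HDR_FMT = "!II"   # Record Type, Record Length
USER_FIXED_FMT = "!II"   # User ID, Name Length


def build_user_record_message(user_id: int, name: str) -> bytes:
    """Construct a message carrying one User record (constructed sample data)."""
    name_bytes = name.encode("utf-8")
    body = struct.pack(USER_FIXED_FMT, user_id, len(name_bytes)) + name_bytes
    record = struct.pack(RECORD_HDR_FMT, USER_RECORD_TYPE, len(body)) + body
    header = struct.pack(HEADER_FMT, HEADER_VERSION, MESSAGE_TYPE_EVENT_DATA, len(record))
    return header + record


def parse_user_record(message: bytes):
    """Return (user_id, name) from a message carrying a User record.

    Every length field arrives over the network, so each one is checked against
    the bytes actually present before it is used to slice: a Name Length larger
    than the record must be rejected, not trusted.
    """
    if len(message) < struct.calcsize(HEADER_FMT):
        raise ValueError("message shorter than the 8-byte header")
    version, msg_type, msg_len = struct.unpack_from(HEADER_FMT, message, 0)
    if version != HEADER_VERSION or msg_type != MESSAGE_TYPE_EVENT_DATA:
        raise ValueError(f"unexpected header version {version} / message type {msg_type}")
    payload = message[8:]
    if len(payload) != msg_len:
        raise ValueError(f"Message Length {msg_len} does not match {len(payload)} payload bytes")
    if msg_len < struct.calcsize(RECORD_HDR_FMT):
        raise ValueError("payload too short for Record Type and Record Length")
    rec_type, rec_len = struct.unpack_from(RECORD_HDR_FMT, payload, 0)
    if rec_type != USER_RECORD_TYPE:
        raise ValueError(f"record type {rec_type} is not a User record ({USER_RECORD_TYPE})")
    record = payload[8:]
    if len(record) != rec_len:
        raise ValueError(f"Record Length {rec_len} does not match {len(record)} record bytes")
    if rec_len < struct.calcsize(USER_FIXED_FMT):
        raise ValueError("record too short for User ID and Name Length")
    user_id, name_len = struct.unpack_from(USER_FIXED_FMT, record, 0)
    # Bound the string by the record before slicing; this is the check that
    # protects the consumer from a hostile or corrupted Name Length.
    if name_len > rec_len - 8:
        raise ValueError(f"Name Length {name_len} exceeds the {rec_len - 8} bytes left in the record")
    name = record[8:8 + name_len].decode("utf-8", errors="replace")
    return user_id, name


def build_user_map(messages):
    """Fold User records into a user-ID-to-name map; later records replace earlier ones."""
    users = {}
    for msg in messages:
        user_id, name = parse_user_record(msg)
        users[user_id] = name
    return users


if __name__ == "__main__":
    sample = [build_user_record_message(1001, "jdoe"), build_user_record_message(1002, "asmith")]
    print(build_user_map(sample))
```

The map returned by build_user_map is what an event consumer keeps around to turn the user ID in, for example, a User Host Deletion Data Block into a readable name; the length checks in parse_user_record are deliberately strict because those fields come from the wire.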