Cisco Firepower Management Center 4000 Developer Guide

FireSIGHT eStreamer Integration Guide, page 3-21
Chapter 3      Understanding Intrusion and Correlation Data Structures
  Intrusion Event and Metadata Record Types
[Byte-layout diagram of the Correlation Rule record, continued from the previous page: Correlation Rule Revision UUID (uint8[16], four 32-bit rows) followed by Whitelist Rule UUID (uint8[16], four 32-bit rows); columns headed Byte 0, 1, 2, 3 and Bit 0 to 31.]

The following table describes the fields in the Correlation Rule record.

Table 3-10      Correlation Rule Record Fields

Field                 Data Type   Description
Correlation Rule ID   uint32      The correlation rule ID number.
Name Length           uint16      The number of bytes included in the correlation rule name.
Name                  string      The name of the correlation rule that triggered the event.
Description Length    uint16      The number of bytes included in the correlation rule description.
Description           string      The description of the correlation rule that triggered the event.
Event Type Length     uint16      The number of bytes included in the event type description.
Event Type            string      The description of the event that triggered the correlation rule.
UUID                  uint8[16]   A correlation rule ID number that acts as a unique identifier for the correlation rule.
Revision UUID         uint8[16]   A correlation rule revision ID number that acts as a unique identifier for the correlation rule revision.
Whitelist UUID        uint8[16]   A correlation ID number that acts as a unique identifier for the event sent as a result of a whitelist violation.

Intrusion Event Extra Data Record

The eStreamer service transmits the event extra data associated with an intrusion event in the Intrusion Event Extra Data record. The record type is always 110. The event extra data appears in an encapsulated Event Extra Data data block, which always has a data block type value of 4. (The Event Extra Data data block is a series 2 data block. For more information about series 2 data blocks, see
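As an added example that is not part of the guide and not Cisco's code, the following Python parser decodes the Correlation Rule record body in the field order of Table 3-10. It assumes the eStreamer message and record headers have already been consumed and that the integer fields are in network byte order, as elsewhere in eStreamer; the sample record, its rule name, description and UUIDs are constructed for the example. Every length field is checked against the buffer before it is used, which is the check a collector needs because Name Length, Description Length and Event Type Length all arrive from the peer.

```python
"""Parser for the eStreamer Correlation Rule record body (Table 3-10).

Added illustration, not Cisco's code. Assumes the eStreamer message and
record headers are already consumed and that, as elsewhere in eStreamer,
multi-byte integers are big-endian (network byte order).
"""
import struct
import uuid
from dataclasses import dataclass


@dataclass
class CorrelationRule:
    rule_id: int
    name: str
    description: str
    event_type: str
    rule_uuid: uuid.UUID
    revision_uuid: uuid.UUID
    whitelist_uuid: uuid.UUID


class RecordError(ValueError):
    """Raised when a record is truncated, over-long, or a length field points past its end."""


def _take(buf: bytes, pos: int, n: int) -> tuple[bytes, int]:
    # The length fields come from the peer: refuse to read past the buffer
    # instead of silently returning a short slice.
    if n < 0 or pos + n > len(buf):
        raise RecordError(f"need {n} bytes at offset {pos}, only {len(buf) - pos} left")
    return buf[pos:pos + n], pos + n


def _take_string(buf: bytes, pos: int) -> tuple[str, int]:
    # uint16 byte count followed by that many bytes (no NUL terminator).
    raw, pos = _take(buf, pos, 2)
    (length,) = struct.unpack("!H", raw)
    data, pos = _take(buf, pos, length)
    return data.decode("utf-8", errors="replace"), pos


def _take_uuid(buf: bytes, pos: int) -> tuple[uuid.UUID, int]:
    raw, pos = _take(buf, pos, 16)          # uint8[16]
    return uuid.UUID(bytes=raw), pos


def parse_correlation_rule(buf: bytes) -> CorrelationRule:
    """Decode the Table 3-10 fields in order and reject trailing bytes."""
    raw, pos = _take(buf, 0, 4)
    (rule_id,) = struct.unpack("!I", raw)   # Correlation Rule ID, uint32
    name, pos = _take_string(buf, pos)      # Name Length + Name
    description, pos = _take_string(buf, pos)
    event_type, pos = _take_string(buf, pos)
    rule_uuid, pos = _take_uuid(buf, pos)
    revision_uuid, pos = _take_uuid(buf, pos)
    whitelist_uuid, pos = _take_uuid(buf, pos)
    if pos != len(buf):
        raise RecordError(f"{len(buf) - pos} unexpected trailing bytes")
    return CorrelationRule(rule_id, name, description, event_type,
                           rule_uuid, revision_uuid, whitelist_uuid)


def encode_correlation_rule(rule: CorrelationRule) -> bytes:
    """Inverse of parse_correlation_rule; used here to build sample input."""
    def s(text: str) -> bytes:
        data = text.encode("utf-8")
        return struct.pack("!H", len(data)) + data
    return (struct.pack("!I", rule.rule_id) + s(rule.name) + s(rule.description)
            + s(rule.event_type) + rule.rule_uuid.bytes + rule.revision_uuid.bytes
            + rule.whitelist_uuid.bytes)


def is_rejected(buf: bytes) -> bool:
    """True when the parser refuses buf as malformed."""
    try:
        parse_correlation_rule(buf)
    except RecordError:
        return True
    return False


# Constructed sample record; names and UUIDs are arbitrary test values.
SAMPLE_RULE = CorrelationRule(
    rule_id=7,
    name="Lateral movement after exploit",
    description="Fires when an intrusion event is followed by a new host flow",
    event_type="intrusion event",
    rule_uuid=uuid.UUID("11111111-2222-3333-4444-555555555555"),
    revision_uuid=uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa"),
    whitelist_uuid=uuid.UUID(int=0),
)
SAMPLE_BYTES = encode_correlation_rule(SAMPLE_RULE)

if __name__ == "__main__":
    print(parse_correlation_rule(SAMPLE_BYTES))
```

The strict end-of-record check matters when records are read back to back from one stream: a length field that is off by a few bytes otherwise desynchronises every record that follows, so it is better to fail the record than to keep decoding from a wrong offset.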