Cisco Firepower Management Center 2000 Developer Guide
4-25
FireSIGHT eStreamer Integration Guide
Chapter 4 Understanding Discovery & Connection Data Structures
Metadata for Discovery Events
The following table describes the fields in the Access Control Rule Reason data block.

Table 4-20 Access Control Rule Reason Metadata Fields

Field (Data Type): Description

Access Control Rule Reason Block Type (uint32): Initiates an Access Control Rule Reason block. This value is always 21. This is a series 2 data block.

Access Control Rule Reason Block Length (uint32): Total number of bytes in the Access Control Rule Reason block, including eight bytes for the Access Control Rule Reason block type and length fields, plus the number of bytes of data that follows.

Access Control Rule Reason (uint16): The reason the Access Control rule logged the connection.

String Block Type (uint32): Initiates a String data block containing the descriptive name associated with the access control rule reason. This value is always 0.

String Block Length (uint32): The number of bytes included in the name String data block, including eight bytes for the block type and length fields plus the number of bytes in the Description field.

Description (string): Description of the Access Control rule reason.

IOC State Data Block for 5.3+

The IOC State data block provides information about an Indication of Compromise (IOC). It is block type 150 in series 1. It is used by the host tracker to store information about a compromise on a host.

The following diagram shows the structure of an IOC State data block:
The diagram lays the block out in 32-bit words (bytes 0 through 3, bits 0 through 31 per row). Listed here as byte offsets from the start of the block, with each field's width taken from the number of rows it occupies:

Offset 0: IOC State Block Type (150), 4 bytes
Offset 4: IOC State Block Length, 4 bytes
Offset 8: IOC ID Number, 4 bytes
Offset 12: Disabled, 4 bytes
Offset 16: First Seen, 8 bytes
Offset 24: First Event ID, 8 bytes
Offset 32: First Device ID, 8 bytes
Offset 40: First Instance ID, 4 bytes
Offset 44: First Connection Time, 8 bytes
Offset 52: First Counter, 8 bytes
Offset 60: Last Seen, 8 bytes
Offset 68: Last Event ID (the diagram continues on the following page)
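A worked parser for both blocks described on this page, the Access Control Rule Reason metadata block (series 2, type 21, carrying a nested String block of type 0) and the IOC State block (series 1, type 150). This is an added example and not Cisco's code or the eStreamer SDK. It assumes big-endian (network byte order) fields, which is how eStreamer transmits them; the IOC State parser decodes only the fields visible in the diagram on this page (through Last Event ID) and relies on the Block Length to skip whatever follows; every function name and all sample bytes are constructed for illustration. The point a practitioner should take from it is that each block's declared length, and the nested String block's length, must be checked against the bytes actually present before any field is indexed, otherwise a truncated or hostile stream walks the parser out of bounds.

```python
"""Parsers for the Access Control Rule Reason block (series 2, type 21) and the
IOC State block (series 1, type 150). Added example, not Cisco's code.

Assumptions: big-endian fields (eStreamer uses network byte order); only the
IOC State fields shown in this page's diagram are decoded; names and sample
bytes are constructed for illustration.
"""
import struct

ACCESS_CONTROL_RULE_REASON_BLOCK_TYPE = 21  # series 2
STRING_BLOCK_TYPE = 0
IOC_STATE_BLOCK_TYPE = 150                  # series 1


class BlockError(ValueError):
    """A block's declared type or length does not match the bytes present."""


def read_block_header(buf, off):
    """Read the (type, length) header at off and check the block fits in buf.

    Every block carries its own length, so this is the single place where a
    truncated or hostile stream is rejected before any field is indexed.
    """
    if off + 8 > len(buf):
        raise BlockError("truncated block header at offset %d" % off)
    btype, blen = struct.unpack_from(">II", buf, off)
    if blen < 8 or off + blen > len(buf):
        raise BlockError("block type %d declares %d bytes but only %d remain"
                         % (btype, blen, len(buf) - off))
    return btype, blen


def parse_string_block(buf, off):
    """Parse a String block (type 0); return (text, offset after the block)."""
    btype, blen = read_block_header(buf, off)
    if btype != STRING_BLOCK_TYPE:
        raise BlockError("expected String block (0), got %d" % btype)
    text = buf[off + 8:off + blen].decode("utf-8", "replace")
    return text, off + blen


def parse_rule_reason_block(buf, off=0):
    """Parse an Access Control Rule Reason block; return (fields, next offset)."""
    btype, blen = read_block_header(buf, off)
    if btype != ACCESS_CONTROL_RULE_REASON_BLOCK_TYPE:
        raise BlockError("expected Rule Reason block (21), got %d" % btype)
    end = off + blen
    if off + 10 > end:
        raise BlockError("Rule Reason block too short for the uint16 reason")
    (reason,) = struct.unpack_from(">H", buf, off + 8)
    # Slice to the parent's end so the nested String block cannot read past it.
    description, _ = parse_string_block(buf[:end], off + 10)
    return {"reason": reason, "description": description}, end


# IOC State fields shown in the diagram, in order, after the 8-byte header.
IOC_STATE_PREFIX = struct.Struct(">IIQQQIQQQQ")
IOC_STATE_FIELDS = ("ioc_id", "disabled", "first_seen", "first_event_id",
                    "first_device_id", "first_instance_id",
                    "first_connection_time", "first_counter",
                    "last_seen", "last_event_id")


def parse_ioc_state_block(buf, off=0):
    """Parse the leading IOC State fields; return (fields, next offset)."""
    btype, blen = read_block_header(buf, off)
    if btype != IOC_STATE_BLOCK_TYPE:
        raise BlockError("expected IOC State block (150), got %d" % btype)
    if blen < 8 + IOC_STATE_PREFIX.size:
        raise BlockError("IOC State block too short: %d bytes" % blen)
    fields = dict(zip(IOC_STATE_FIELDS, IOC_STATE_PREFIX.unpack_from(buf, off + 8)))
    # Fields after Last Event ID are not decoded; the Block Length skips them.
    return fields, off + blen


def is_well_formed_rule_reason(buf):
    """True if buf parses as a Rule Reason block without a length violation."""
    try:
        parse_rule_reason_block(buf)
        return True
    except BlockError:
        return False


def build_rule_reason_block(reason, description):
    """Encode a Rule Reason block; used only to construct sample input here."""
    text = description.encode("utf-8")
    string_block = struct.pack(">II", STRING_BLOCK_TYPE, 8 + len(text)) + text
    body = struct.pack(">H", reason) + string_block
    return struct.pack(">II", ACCESS_CONTROL_RULE_REASON_BLOCK_TYPE, 8 + len(body)) + body


# Constructed sample input (not captured from a real eStreamer session).
SAMPLE_RULE_REASON = build_rule_reason_block(7, "Constructed sample reason")
# Same block, but the nested String block now claims 200 bytes: it overruns
# the parent block and must be rejected rather than read out of bounds.
MALFORMED_RULE_REASON = (SAMPLE_RULE_REASON[:10]
                         + struct.pack(">II", STRING_BLOCK_TYPE, 200)
                         + SAMPLE_RULE_REASON[18:])
SAMPLE_IOC_STATE = (
    struct.pack(">II", IOC_STATE_BLOCK_TYPE, 8 + IOC_STATE_PREFIX.size + 16)
    + IOC_STATE_PREFIX.pack(4, 0, 1400000000, 1, 2, 3, 1400000100, 5, 1400000500, 9)
    + b"\x00" * 16)  # stand-in for the fields past Last Event ID

if __name__ == "__main__":
    print(parse_rule_reason_block(SAMPLE_RULE_REASON))
    print(is_well_formed_rule_reason(MALFORMED_RULE_REASON))
    print(parse_ioc_state_block(SAMPLE_IOC_STATE))
```

The returned next offset is what a caller walking a sequence of blocks advances by; because it comes from the validated Block Length rather than from the number of fields the parser happens to know, the same IOC State parser keeps working when a newer sensor appends fields after Last Event ID.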