Cisco Firepower Management Center 2000 Developer Guide

FireSIGHT eStreamer Integration Guide
 
Appendix B      Understanding Legacy Data Structures 
Legacy Correlation Event Data Structures
The following topic describes other legacy correlation (compliance) data structures:
  • Correlation Event for 5.0 - 5.0.2
Correlation events (called compliance events in pre-5.0 versions) contain information about correlation policy violations. This message uses the standard eStreamer message header and specifies a record type of 112, followed by a correlation data block of type 116. Data block type 116 differs from its predecessor (block type 107) in that it includes additional information about the associated security zone and interface.

You can request 5.0 correlation events from eStreamer only by extended request, for which you request event type code 31 and version code 7 in the Stream Request message (see for information about submitting extended requests). You can optionally enable bit 23 in the flags field of the initial event stream request message to include the extended event header. You can also enable bit 20 in the flags field to include user metadata.

Note that the record structure includes a String block type, which is a block in series 1. For information about series 1 blocks, see .
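To show how the framing described above fits together, here is an added Python example (not code from this guide or from Cisco's eStreamer SDK) that parses the eStreamer message header, the record header, the optional extended header controlled by bit 23, and the block header of a 5.0 correlation event, and builds the request flags for bits 23 and 20. It assumes network byte order, that the block type is followed by a 4-byte block length (the standard block header, which this excerpt cuts off), and the length-field conventions noted in the comments; the sample message is constructed, and the block body itself is left unparsed.

```python
import struct

# Values from the page: header version, message type, record type, block type,
# and the request flag bits (assumption: bit n is applied as 1 << n).
HEADER_VERSION = 1
MSG_TYPE_EVENT_DATA = 4
RECORD_TYPE_CORRELATION = 112
BLOCK_TYPE_CORRELATION_5_0 = 116
FLAG_EXTENDED_HEADER = 1 << 23   # extended event header (timestamp + reserved)
FLAG_USER_METADATA = 1 << 20     # user metadata

def stream_request_flags(extended_header=True, user_metadata=False):
    """Flags word for the initial event stream request."""
    flags = FLAG_EXTENDED_HEADER if extended_header else 0
    return flags | (FLAG_USER_METADATA if user_metadata else 0)

def parse_correlation_event(msg, extended_header):
    """Parse the framing around a 5.0 correlation event (record 112, block 116).
    Returns the header fields plus the raw block body; all ints are big-endian."""
    version, msg_type, msg_len = struct.unpack("!HHI", msg[:8])
    if version != HEADER_VERSION or msg_type != MSG_TYPE_EVENT_DATA:
        raise ValueError(f"unexpected header version/type {version}/{msg_type}")
    body = msg[8:8 + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated message: length field exceeds available bytes")
    rec_type, rec_len = struct.unpack("!II", body[:8])
    if rec_type != RECORD_TYPE_CORRELATION:
        raise ValueError(f"not a correlation event record: type {rec_type}")
    off, timestamp = 8, None
    if extended_header:  # these 8 bytes exist only if bit 23 was set in the request
        timestamp, _reserved = struct.unpack("!II", body[off:off + 8])
        off += 8
    block_type, block_len = struct.unpack("!II", body[off:off + 8])
    if block_type != BLOCK_TYPE_CORRELATION_5_0:
        raise ValueError(f"expected correlation block type 116, got {block_type}")
    return {"record_type": rec_type, "record_length": rec_len,
            "server_timestamp": timestamp, "block_type": block_type,
            "block_length": block_len, "block_body": body[off + 8:]}

def build_sample_event(extended_header=True, timestamp=1700000000):
    """Constructed sample message, not captured traffic. Assumes Record Length counts
    the bytes after that field and Message Length the bytes after the 8-byte header."""
    block_body = b"\x00" * 12  # placeholder for the block's own fields (not shown here)
    block = struct.pack("!II", BLOCK_TYPE_CORRELATION_5_0, 8 + len(block_body)) + block_body
    ext = struct.pack("!II", timestamp, 0) if extended_header else b""
    record = struct.pack("!II", RECORD_TYPE_CORRELATION, len(ext) + len(block)) + ext + block
    return struct.pack("!HHI", HEADER_VERSION, MSG_TYPE_EVENT_DATA, len(record)) + record
```

Parsing a message with the wrong assumption about bit 23 misreads the timestamp as the block type, which is why the parser must be told whether the extended header was requested.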
Table B-28 File Event SHA Hash 5.1.1-5.2.x Data Block Fields (continued)

Field | Data Type | Description
String Block Length | uint32 | The number of bytes included in the name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Name field.
File Name or Disposition | string | The descriptive name or disposition of the file. If the file is clean, this value is Clean. If the file's disposition is unknown, the value is Neutral. If the file contains malware, the file name is given.
Message layout (each row is four bytes, bits 0-31; Byte 0 | 1 | 2 | 3):

Header Version (1) | Message Type (4)
Message Length
Record Type (112)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Correlation Block Type (116)