Cisco Firepower Management Center 4000 Developer's Guide
4-27
FireSIGHT eStreamer Integration Guide
Chapter 4 Understanding Discovery & Connection Data Structures
Metadata for Discovery Events
Table 4-21 IOC State Data Block Fields (continued)

Field                 Data Type  Description
Last Connection Time  uint32     Unix timestamp of the connection on which this compromise was last seen.
Last Counter          uint16     Counter for the connection on which this compromise was last seen. Used to differentiate between multiple connections occurring at the same time.

IOC Name Data Block for 5.3+
This is a data block that provides the category and event type for an Indication of Compromise (IOC).
The record type is 161, with a block type of 39 in series 2. It is exposed as metadata for any event that
has IOC information. These include malware events, file events, and intrusion events.
The following diagram shows the structure of an IOC Name data block. Each row is one 32-bit word; where a row holds two fields, the first occupies bits 0-15 and the second bits 16-31:

Byte   0               1               2               3
Bit    0 .......................... 15  16 .......................... 31
       Header Version (1)                Message Type (4)
       Message Length
       Record Type (161)
       IOC Name Block Type (39)
       IOC Name Block Length
       IOC ID Number
       Category
         String Block Type (0)
         String Block Length
         Category...
       Event Type
         String Block Type (0)
         String Block Length
         Event Type...
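The following is an added example, not code from the Cisco guide or the eStreamer reference client. It serialises and parses a message laid out exactly as the IOC Name diagram above, and shows the bounds checks a consumer of an untrusted feed should apply to every wire-supplied length. Three conventions are assumed because this page does not state them: integers are big-endian, Message Length counts the bytes after the 8-byte message header, and each block length (the IOC Name block and the string blocks) includes the 8 bytes of its own type and length fields. The sample strings and IOC ID are constructed, not captured from an appliance.

```python
"""Build and parse an eStreamer IOC Name data block (record type 161,
series 2 block type 39) as drawn in the diagram above.

Assumptions (not stated on this page): big-endian integers; Message Length
excludes the 8-byte header; every block length includes its own 8-byte
type/length prefix; no Record Length word, matching the diagram as drawn.
"""
import struct
from dataclasses import dataclass
from typing import Tuple

HEADER_VERSION = 1
MSG_TYPE_EVENT_DATA = 4
RECORD_TYPE_IOC_NAME = 161
BLOCK_TYPE_IOC_NAME = 39   # series 2 block type
BLOCK_TYPE_STRING = 0


class ParseError(ValueError):
    """Raised for any structural mismatch; callers should drop the record."""


@dataclass(frozen=True)
class IocName:
    ioc_id: int
    category: str
    event_type: str


def _string_block(text: str) -> bytes:
    """String Block Type (0), String Block Length (incl. 8-byte prefix), bytes."""
    data = text.encode("utf-8")
    return struct.pack("!II", BLOCK_TYPE_STRING, 8 + len(data)) + data


def build_ioc_name_message(ioc_id: int, category: str, event_type: str) -> bytes:
    """Message header + Record Type (161) + IOC Name block, per the diagram."""
    body = struct.pack("!I", ioc_id) + _string_block(category) + _string_block(event_type)
    block = struct.pack("!II", BLOCK_TYPE_IOC_NAME, 8 + len(body)) + body
    payload = struct.pack("!I", RECORD_TYPE_IOC_NAME) + block
    return struct.pack("!HHI", HEADER_VERSION, MSG_TYPE_EVENT_DATA, len(payload)) + payload


def _read_string_block(buf: memoryview, off: int, end: int) -> Tuple[str, int]:
    """Parse one string block at `off`, never reading past `end`."""
    if end - off < 8:
        raise ParseError("truncated string block header")
    btype, blen = struct.unpack_from("!II", buf, off)
    if btype != BLOCK_TYPE_STRING:
        raise ParseError(f"expected string block type 0, got {btype}")
    # The length comes off the wire: bound it before slicing so a corrupt or
    # hostile value cannot reach outside the enclosing IOC Name block.
    if blen < 8 or off + blen > end:
        raise ParseError(f"string block length {blen} out of bounds")
    text = bytes(buf[off + 8:off + blen]).decode("utf-8", errors="replace")
    return text, off + blen


def parse_ioc_name_message(data: bytes) -> IocName:
    """Validate every type and length field, then return the decoded block."""
    buf = memoryview(data)
    if len(buf) < 8:
        raise ParseError("truncated message header")
    version, mtype, mlen = struct.unpack_from("!HHI", buf, 0)
    if version != HEADER_VERSION or mtype != MSG_TYPE_EVENT_DATA:
        raise ParseError(f"unexpected header version/type {version}/{mtype}")
    if mlen != len(buf) - 8:
        raise ParseError(f"message length {mlen} != {len(buf) - 8} payload bytes")
    (rtype,) = struct.unpack_from("!I", buf, 8)
    if rtype != RECORD_TYPE_IOC_NAME:
        raise ParseError(f"expected record type 161, got {rtype}")
    off = 12
    if len(buf) - off < 8:
        raise ParseError("truncated IOC Name block header")
    btype, blen = struct.unpack_from("!II", buf, off)
    if btype != BLOCK_TYPE_IOC_NAME:
        raise ParseError(f"expected IOC Name block type 39, got {btype}")
    if blen < 12 or off + blen > len(buf):          # 8-byte prefix + 4-byte IOC ID
        raise ParseError(f"IOC Name block length {blen} out of bounds")
    end = off + blen
    (ioc_id,) = struct.unpack_from("!I", buf, off + 8)
    category, off = _read_string_block(buf, off + 12, end)
    event_type, off = _read_string_block(buf, off, end)
    if off != end:
        raise ParseError(f"{end - off} unexpected trailing bytes inside IOC Name block")
    return IocName(ioc_id, category, event_type)


if __name__ == "__main__":
    # Constructed sample values; not taken from a real Defense Center.
    msg = build_ioc_name_message(17, "Malware Detected", "Threat Detected in File Transfer")
    print(msg.hex())
    print(parse_ioc_name_message(msg))
```

Every length check compares against the enclosing structure (the message for the IOC Name block, the IOC Name block for each string block) rather than the whole buffer, so a record cannot borrow bytes from the record that follows it in the stream. A real client reads `mlen` first and then exactly that many payload bytes from the socket before calling the parser.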