Cisco Firepower Management Center 4000 Developer's Guide
B-40
FireSIGHT eStreamer Integration Guide
Appendix B Understanding Legacy Data Structures
Legacy Malware Event Data Structures
Table B-8 Malware Event Data Block for 5.1.1.x Fields (continued)

| Field | Data Type | Description |
|---|---|---|
| String Block Length | uint32 | The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field. |
| File Path | string | The file path, not including the file name, of the detected or quarantined file. |
| String Block Type | uint32 | Initiates a String data block containing the file SHA hash. This value is always 0. |
| String Block Length | uint32 | The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field. |
| File SHA Hash | string | The rendered string of the SHA-256 hash value of the detected or quarantined file. |
| File Size | uint32 | The size in bytes of the detected or quarantined file. |
| File Type | uint8 | The file type of the detected or quarantined file. |
| File Timestamp | uint32 | UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file. |
| String Block Type | uint32 | Initiates a String data block containing the parent file name. This value is always 0. |
| String Block Length | uint32 | The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field. |
| Parent File Name | string | The name of the file accessing the detected or quarantined file when detection occurred. |
| String Block Type | uint32 | Initiates a String data block containing the parent file SHA hash. This value is always 0. |
| String Block Length | uint32 | The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field. |
| Parent File SHA Hash | string | The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred. |
| String Block Type | uint32 | Initiates a String data block containing the event description. This value is always 0. |
| String Block Length | uint32 | The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field. |
| Event Description | string | The additional event information associated with the event type. |
| Device ID | uint32 | ID for the device that generated the event. |
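The following parser walks the remainder of the 5.1.1.x Malware Event Data Block exactly as Table B-8 lays it out: a String data block (uint32 type that is always 0, uint32 length that counts its own eight header bytes, then the string bytes) for the File Path and File SHA Hash, the fixed-width File Size, File Type and File Timestamp fields, three more String blocks, and the trailing Device ID. It is an added example written for this appendix, not Cisco's or eStreamer's own code. It assumes network (big-endian) byte order, which the table does not state, and builds a constructed sample record with placeholder hashes so that it runs offline. The point worth taking from it is that every length field is checked against the buffer before it is trusted: a consumer of a binary event stream should never let a block length read past the record it was handed.

```python
"""Parse the tail of a legacy (5.1.1.x) Malware Event Data Block as laid out in
Table B-8: a run of String data blocks (uint32 type, uint32 length, bytes),
three fixed-width fields, and a trailing Device ID.

Added example, not Cisco's code. Assumption: fields are in network (big-endian)
byte order; the table itself does not state byte order.
"""
from __future__ import annotations

import struct
from datetime import datetime, timezone

STRING_BLOCK_TYPE = 0     # table: "This value is always 0"
STRING_BLOCK_HEADER = 8   # table: "eight bytes for the block type and header fields"


def _require(buf: bytes, off: int, n: int, what: str) -> None:
    """Raise unless n bytes remain at off; every read goes through this check."""
    if off + n > len(buf):
        raise ValueError(f"{what}: need {n} bytes at offset {off}, record has {len(buf)}")


def read_string_block(buf: bytes, off: int) -> tuple[str, int]:
    """Return (decoded string, offset just past the block).

    The length field comes from the wire, so it is validated against the
    record before a single payload byte is sliced out.
    """
    _require(buf, off, STRING_BLOCK_HEADER, "string block header")
    block_type, block_len = struct.unpack_from("!II", buf, off)
    if block_type != STRING_BLOCK_TYPE:
        raise ValueError(f"expected string block type 0, got {block_type}")
    if block_len < STRING_BLOCK_HEADER:
        raise ValueError(f"string block length {block_len} is smaller than its header")
    _require(buf, off, block_len, "string block payload")
    payload = buf[off + STRING_BLOCK_HEADER:off + block_len]
    return payload.decode("utf-8", errors="replace"), off + block_len


def encode_string_block(text: str) -> bytes:
    """Inverse of read_string_block; used here only to build the sample record."""
    payload = text.encode("utf-8")
    return struct.pack("!II", STRING_BLOCK_TYPE, STRING_BLOCK_HEADER + len(payload)) + payload


def is_sha256_hex(text: str) -> bool:
    """The table describes the hash as the rendered SHA-256 string: 64 hex digits."""
    return len(text) == 64 and all(c in "0123456789abcdefABCDEF" for c in text)


def parse_malware_event_tail(buf: bytes) -> tuple[dict, int]:
    """Parse the Table B-8 fields from the File Path string block onwards.

    Returns (fields, bytes consumed); keys follow the table's field names.
    """
    off = 0
    fields: dict = {}
    fields["file_path"], off = read_string_block(buf, off)
    fields["file_sha_hash"], off = read_string_block(buf, off)
    # File Size (uint32), File Type (uint8), File Timestamp (uint32) are packed
    # back to back; "!" also disables alignment padding in struct.
    fixed = "!IBI"
    _require(buf, off, struct.calcsize(fixed), "fixed fields")
    fields["file_size"], fields["file_type"], ts = struct.unpack_from(fixed, buf, off)
    off += struct.calcsize(fixed)
    fields["file_timestamp"] = datetime.fromtimestamp(ts, tz=timezone.utc)
    fields["parent_file_name"], off = read_string_block(buf, off)
    fields["parent_file_sha_hash"], off = read_string_block(buf, off)
    fields["event_description"], off = read_string_block(buf, off)
    _require(buf, off, 4, "device id")
    (fields["device_id"],) = struct.unpack_from("!I", buf, off)
    return fields, off + 4


def is_well_formed_string_block(buf: bytes, off: int = 0) -> bool:
    """True when read_string_block accepts the block at off, False otherwise."""
    try:
        read_string_block(buf, off)
        return True
    except ValueError:
        return False


# Constructed sample record; the hashes are placeholders, not real file hashes.
SAMPLE_RECORD = (
    encode_string_block("/home/user/downloads")
    + encode_string_block("ab" * 32)
    + struct.pack("!IBI", 1048576, 1, 1400000000)
    + encode_string_block("explorer.exe")
    + encode_string_block("cd" * 32)
    + encode_string_block("Sample event description")
    + struct.pack("!I", 7)
)

if __name__ == "__main__":
    parsed, used = parse_malware_event_tail(SAMPLE_RECORD)
    for name, value in parsed.items():
        print(f"{name:22} {value}")
    print("bytes consumed:", used, "of", len(SAMPLE_RECORD))
```

`read_string_block` rejects a block whose type is not 0, whose length is less than the eight header bytes it must include, or whose length runs past the end of the record; `parse_malware_event_tail` applies the same bound check before the fixed-width fields and the Device ID, so a truncated or corrupted record fails with a clear error instead of a struct exception or silently wrong field values.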