Cisco Cisco Firepower Management Center 2000 Developer's Guide

FireSIGHT eStreamer Integration Guide
 
Chapter 3      Understanding Intrusion and Correlation Data Structures 
  Understanding Series 2 Data Blocks
Table 3-38 Malware Event Data Block for 5.3.1+ Fields (continued)

| Field | Data Type | Description |
|---|---|---|
| String Block Type | uint32 | Initiates a String data block containing the URI. This value is always 0. |
| String Block Length | uint32 | The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field. |
| URI | string | URI of the connection. |
| Source Port | uint16 | Port number for the source of the connection. |
| Destination Port | uint16 | Port number for the destination of the connection. |
| Source Country | uint16 | Code for the country of the source host. |
| Destination Country | uint16 | Code for the country of the destination host. |
| Web Application ID | uint32 | The internal identification number of the detected web application, if applicable. |
| Client Application ID | uint32 | The internal identification number of the detected client application, if applicable. |
| Action | uint8 | The action taken on the file based on the file type. Can have the following values: 1 - Detect; 2 - Block; 3 - Malware Cloud Lookup; 4 - Malware Block; 5 - Malware Whitelist; 6 - Cloud Lookup Timeout; 7 - Custom Detection; 8 - Custom Detection Block. |
| Protocol | uint8 | IANA protocol number specified by the user. For example: 1 - ICMP; 4 - IP; 6 - TCP; 17 - UDP. This is currently only TCP. |
| Threat Score | uint8 | A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis. |
| IOC Number | uint16 | ID number of the compromise associated with this event. |
| Security Context | uint8(16) | ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
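The field layout above, decoded as an added example (this is not code from the eStreamer guide or from Cisco). It assumes network (big-endian) byte order for multi-byte fields and treats Security Context as a 16-byte field; the sample record is constructed inline, and the String block type and length are validated before the URI is read.

```python
import struct

# Action codes exactly as listed in Table 3-38 on this page.
ACTION_NAMES = {
    1: "Detect", 2: "Block", 3: "Malware Cloud Lookup", 4: "Malware Block",
    5: "Malware Whitelist", 6: "Cloud Lookup Timeout", 7: "Custom Detection",
    8: "Custom Detection Block",
}
# Fixed-width fields that follow the URI block, in the order the table gives them.
FIXED_FMT = "!HHHHIIBBBH"  # assumption: network (big-endian) byte order

def parse_string_block(buf, offset):
    """Parse a String data block: uint32 type (always 0), uint32 length
    (which counts the 8 header bytes too), then the string bytes."""
    block_type, block_len = struct.unpack_from("!II", buf, offset)
    if block_type != 0:
        raise ValueError(f"expected String block type 0, got {block_type}")
    if block_len < 8 or offset + block_len > len(buf):
        raise ValueError("String block length inconsistent with buffer size")
    text = buf[offset + 8:offset + block_len].decode("utf-8", errors="replace")
    return text, offset + block_len

def parse_malware_event_tail(buf, offset=0):
    """Decode the fields shown on this page (URI through Security Context).
    Returns (record dict, offset just past the Security Context)."""
    uri, offset = parse_string_block(buf, offset)
    fields = struct.unpack_from(FIXED_FMT, buf, offset)
    offset += struct.calcsize(FIXED_FMT)
    security_context = buf[offset:offset + 16]
    if len(security_context) != 16:
        raise ValueError("record truncated inside Security Context")
    offset += 16
    keys = ("source_port", "destination_port", "source_country", "destination_country",
            "web_application_id", "client_application_id", "action", "protocol",
            "threat_score", "ioc_number")
    rec = dict(zip(keys, fields))
    rec["uri"] = uri
    rec["action_name"] = ACTION_NAMES.get(rec["action"], "Unknown")
    rec["threat_score_valid"] = 0 <= rec["threat_score"] <= 100  # range given by the table
    rec["security_context"] = security_context.hex()
    return rec, offset

def build_sample_record():
    """Constructed sample record for testing; every value is illustrative only."""
    uri = b"http://example.test/x.exe"
    string_block = struct.pack("!II", 0, 8 + len(uri)) + uri
    fixed = struct.pack(FIXED_FMT, 49152, 80, 840, 276, 1234, 638, 4, 6, 76, 17)
    return string_block + fixed + bytes(16)  # all-zero Security Context
```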