Cisco Firepower Management Center 4000 Developer Guide
FireSIGHT eStreamer Integration Guide
Chapter 4
Understanding Discovery & Connection Data Structures
This chapter provides details about the data structures used in eStreamer messages for discovery and connection events, as well as the metadata for those events. Discovery and connection event messages use the same general message format and series of data blocks; the differences are in the contents of the data blocks themselves.
Discovery events include two sub-categories of events:
• Host discovery events, which identify new and changed hosts on your managed network, including the applications running on the hosts detected from the contents of the packets, and the host vulnerabilities.
• User events, which report the detection of new users and user activity, such as logins.
Connection events report information about the session traffic between your monitored hosts and all other hosts. Connection information includes the first and last packet of the transaction, source and destination IP address, source and destination port, and the number of packets and bytes sent and received. If applicable, connection events also report the client application and URL involved in the session.
For information about requesting discovery or connection events from the eStreamer server, see
For information about the general structure of eStreamer event data messages, see
See the following sections in this chapter for more information about discovery and connection event data structures:
• provides a high-level view of the structure that eStreamer uses for host discovery, user, and connection messages.
• describes the record types for discovery and connection events.
• describes the metadata records that you can request for context information to convert numeric and coded data to text; for example, convert the user ID in an event to a user name.
• describes the structure of the standard event header used in all discovery and connection messages, and the values that can occur in the event type and event subtype fields. The event type and subtype fields further define the structure of the data record carried in the message.