Cisco Firepower Management Center 4000 Developer Guide

FireSIGHT eStreamer Integration Guide
 
Appendix B      Understanding Legacy Data Structures
Legacy Discovery Data Structures
See the following sections for more information:
Legacy Discovery Event Header
Discovery Event Header 5.0 - 5.1.1.x
Discovery and connection event messages contain a discovery event header. It conveys the type and subtype of the event, the time the event occurred, the device on which the event occurred, and the structure of the event data in the message. This header is followed by the actual host discovery, user, or connection event data. The structures associated with the different event type/subtype values are described in

The event type and event subtype fields of the discovery event header identify the structure of the transmitted event message. After the structure of the event data block is determined, your program can parse the message appropriately.

The shaded rows in the following diagram illustrate the format of the discovery event header.
Table B-10   Malware Event Data Block for 5.3 Fields (continued)

Field          Data Type   Description
Protocol       uint8       IANA protocol number specified by the user. For example:
                             1  - ICMP
                             4  - IP
                             6  - TCP
                             17 - UDP
                           This is currently only TCP.
Threat Score   uint8       A numeric value from 0 to 100 based on the potentially
                           malicious behaviors observed during dynamic analysis.
IOC Number     uint16      ID number of the indication of compromise (IOC) associated
                           with this event.
Byte   0                  1                        2                        3
Bit    0 1 2 3 4 5 6 7    8 9 10 11 12 13 14 15    16 17 18 19 20 21 22 23  24 25 26 27 28 29 30 31
       Header Version (1)                          Message Type (4)
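The following parser is an added example, not code from the FireSIGHT eStreamer Integration Guide or from Cisco. It shows the two things this page describes: reading the eStreamer message header (header version, message type, message length, as in the diagram above), then using the event type/subtype pair from the discovery event header to select a payload parser, and decoding the Protocol, Threat Score and IOC Number fields of Table B-10 with their documented ranges enforced. Only the message header layout follows the guide; the DISCOVERY_HEADER field order, the (9000, 1) dispatch key and the sample bytes are assumptions constructed for illustration and must be checked against the diagrams in this appendix before use. The length check on the message header is the caveat a practitioner wants here: a peer on the stream must not be able to declare a length larger than the bytes actually received.

```python
"""Added example for the discovery event header and Table B-10 fields.
Not code from the FireSIGHT eStreamer Integration Guide. Only the eStreamer
message header (header version, message type, message length) follows the
guide's diagram; DISCOVERY_HEADER and the PARSERS keys are hypothetical."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# IANA protocol numbers named for the Protocol field (uint8) in Table B-10.
IANA_PROTOCOLS = {1: "ICMP", 4: "IP", 6: "TCP", 17: "UDP"}

EVENT_DATA = 4  # message type shown in the header diagram ("Message Type (4)")

# eStreamer message header: header version (uint16), message type (uint16),
# message length (uint32), all big-endian.
MSG_HEADER = struct.Struct(">HHI")

# HYPOTHETICAL discovery event header used for illustration only: event second,
# event microsecond, device ID, event type, event subtype (all uint32).
# The real 5.0 - 5.1.1.x layout is the diagram in this appendix.
DISCOVERY_HEADER = struct.Struct(">IIIII")


class ParseError(ValueError):
    """Raised when a message is truncated or a field is outside its documented range."""


@dataclass
class DecodedEvent:
    device_id: int
    event_second: int
    event_microsecond: int
    event_type: int
    event_subtype: int
    data: dict


def parse_message_header(buf: bytes) -> Tuple[int, int, int]:
    """Return (version, message type, length), refusing to trust a declared
    length the buffer cannot back, so a hostile peer cannot make later
    slicing read past the data that was actually received."""
    if len(buf) < MSG_HEADER.size:
        raise ParseError("truncated message header")
    version, msg_type, length = MSG_HEADER.unpack_from(buf)
    available = len(buf) - MSG_HEADER.size
    if length > available:
        raise ParseError(f"declared length {length} exceeds {available} bytes available")
    return version, msg_type, length


def parse_table_b10_fields(payload: bytes) -> dict:
    """Decode the Protocol (uint8), Threat Score (uint8) and IOC Number (uint16)
    fields of Table B-10, enforcing the ranges the table documents."""
    if len(payload) < 4:
        raise ParseError("truncated Table B-10 field block")
    protocol, threat_score, ioc_number = struct.unpack_from(">BBH", payload)
    if protocol != 6:  # the table states this field is currently only TCP
        name = IANA_PROTOCOLS.get(protocol, "unknown")
        raise ParseError(f"unexpected protocol {protocol} ({name})")
    if threat_score > 100:  # a uint8 can hold 255; the documented range is 0 to 100
        raise ParseError(f"threat score {threat_score} outside 0-100")
    return {"protocol": IANA_PROTOCOLS[protocol],
            "threat_score": threat_score, "ioc_number": ioc_number}


# (event type, event subtype) -> payload parser. The key below is made up to
# exercise the dispatch; real values come from the guide's type/subtype tables.
PARSERS: Dict[Tuple[int, int], Callable[[bytes], dict]] = {
    (9000, 1): parse_table_b10_fields,
}


def parse_event_message(buf: bytes) -> DecodedEvent:
    """Parse the message header, then the discovery event header, then dispatch
    on type/subtype. Unknown pairs keep the payload raw instead of guessing."""
    version, msg_type, length = parse_message_header(buf)
    if msg_type != EVENT_DATA:
        raise ParseError(f"not an event data message (type {msg_type})")
    body = buf[MSG_HEADER.size:MSG_HEADER.size + length]
    if len(body) < DISCOVERY_HEADER.size:
        raise ParseError("truncated discovery event header")
    sec, usec, device_id, etype, esub = DISCOVERY_HEADER.unpack_from(body)
    payload = body[DISCOVERY_HEADER.size:]
    parser = PARSERS.get((etype, esub))
    data = parser(payload) if parser else {"raw": payload.hex()}
    return DecodedEvent(device_id, sec, usec, etype, esub, data)


def build_event_message(event_type: int, event_subtype: int, payload: bytes,
                        device_id: int = 42) -> bytes:
    """Constructed sample message (not captured traffic) for exercising the parser."""
    body = DISCOVERY_HEADER.pack(1_700_000_000, 500, device_id,
                                 event_type, event_subtype) + payload
    return MSG_HEADER.pack(1, EVENT_DATA, len(body)) + body


if __name__ == "__main__":
    sample = build_event_message(9000, 1, struct.pack(">BBH", 6, 87, 17))
    print(parse_event_message(sample))
```

Unknown type/subtype pairs are deliberately not parsed: the payload is returned as hex so that a new event type arriving on the stream surfaces in logs instead of being misread through a parser for a different structure.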