Cisco Firepower Management Center 2000 Developer Guide
FireSIGHT eStreamer Integration Guide (page 3-21)
Chapter 3 Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
      Byte      0                 1                 2                 3
      Bit   0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
            Correlation Rule Revision UUID
            Correlation Rule Revision UUID, continued
            Correlation Rule Revision UUID, continued
            Correlation Rule Revision UUID, continued
            Whitelist Rule UUID
            Whitelist Rule UUID, continued
            Whitelist Rule UUID, continued
            Whitelist Rule UUID, continued

The following table describes the fields in the Correlation Rule record.

Table 3-10  Correlation Rule Record Fields

Field                Data Type  Description
Correlation Rule ID  uint32     The correlation rule ID number.
Name Length          uint16     The number of bytes included in the correlation rule name.
Name                 string     The name of the correlation rule that triggered the event.
Description Length   uint16     The number of bytes included in the correlation rule description.
Description          string     The description of the correlation rule that triggered the event.
Event Type Length    uint16     The number of bytes included in the event type description.
Event Type           string     The description of the event that triggered the correlation rule.
UUID                 uint8[16]  A correlation rule ID number that acts as a unique identifier for the correlation rule.
Revision UUID        uint8[16]  A correlation rule revision ID number that acts as a unique identifier for the correlation rule revision.
Whitelist UUID       uint8[16]  A correlation ID number that acts as a unique identifier for the event sent as a result of a whitelist violation.

Intrusion Event Extra Data Record

The eStreamer service transmits the event extra data associated with an intrusion event in the Intrusion Event Extra Data record. The record type is always 110.

The event extra data appears in an encapsulated Event Extra Data data block, which always has a data block type value of 4. (The Event Extra Data data block is a series 2 data block. For more information about series 2 data blocks, see
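The Correlation Rule record body laid out in Table 3-10 is a fixed sequence: a uint32, three length-prefixed strings and three 16-byte UUIDs. The parser below is an added example written for this page; it is not code from the eStreamer guide or from Cisco. It assumes network byte order (big-endian) for the integer fields and UTF-8 for the strings, takes the record body only (the eStreamer message and record headers that precede it are not shown on this page), and treats every length as untrusted: a Name Length, Description Length or Event Type Length that runs past the end of the buffer, or a body that ends before the last UUID, is rejected instead of being read out of bounds. The sample record, its rule name, description, event type and UUID values, and the builder used to produce its bytes are all constructed here for illustration.

```python
"""Parser for the eStreamer Correlation Rule record body (Table 3-10).
Added example, not Cisco's code. Assumes network byte order integers, UTF-8
strings, and input consisting of the record body only (no message/record header)."""
from __future__ import annotations

import struct
import uuid
from dataclasses import dataclass


class MalformedRecord(ValueError):
    """Raised when a length field or the buffer size does not fit the layout."""


@dataclass(frozen=True)
class CorrelationRuleRecord:
    rule_id: int               # Correlation Rule ID, uint32
    name: str                  # Name, preceded by uint16 Name Length
    description: str           # Description, preceded by uint16 Description Length
    event_type: str            # Event Type, preceded by uint16 Event Type Length
    rule_uuid: uuid.UUID       # UUID, uint8[16]
    revision_uuid: uuid.UUID   # Revision UUID, uint8[16]
    whitelist_uuid: uuid.UUID  # Whitelist UUID, uint8[16]


def _take(buf: bytes, offset: int, n: int) -> tuple[bytes, int]:
    """Return buf[offset:offset+n] and the new offset, refusing to read past the end."""
    if offset + n > len(buf):
        raise MalformedRecord(
            f"need {n} byte(s) at offset {offset}, only {len(buf) - offset} left")
    return buf[offset:offset + n], offset + n


def _take_string(buf: bytes, offset: int) -> tuple[str, int]:
    """Read a uint16 byte count followed by that many bytes of UTF-8 text."""
    raw_len, offset = _take(buf, offset, 2)
    (length,) = struct.unpack("!H", raw_len)   # '!' = network byte order
    data, offset = _take(buf, offset, length)  # length is bounds-checked, never trusted
    return data.decode("utf-8", errors="replace"), offset


def parse_correlation_rule_record(body: bytes) -> CorrelationRuleRecord:
    """Decode one Correlation Rule record body in the field order of Table 3-10."""
    raw_id, offset = _take(body, 0, 4)
    (rule_id,) = struct.unpack("!I", raw_id)
    name, offset = _take_string(body, offset)
    description, offset = _take_string(body, offset)
    event_type, offset = _take_string(body, offset)
    raw_rule, offset = _take(body, offset, 16)
    raw_rev, offset = _take(body, offset, 16)
    raw_wl, offset = _take(body, offset, 16)
    if offset != len(body):
        # The record length from the record header should bound the body exactly;
        # trailing bytes mean the caller framed the record wrongly.
        raise MalformedRecord(f"{len(body) - offset} trailing byte(s) after Whitelist UUID")
    return CorrelationRuleRecord(
        rule_id=rule_id, name=name, description=description, event_type=event_type,
        rule_uuid=uuid.UUID(bytes=raw_rule),
        revision_uuid=uuid.UUID(bytes=raw_rev),
        whitelist_uuid=uuid.UUID(bytes=raw_wl),
    )


def build_correlation_rule_record(rec: CorrelationRuleRecord) -> bytes:
    """Encode a record in the same layout; used here only to construct sample input."""
    def lp(text: str) -> bytes:
        data = text.encode("utf-8")
        if len(data) > 0xFFFF:
            raise ValueError("string does not fit a uint16 length field")
        return struct.pack("!H", len(data)) + data
    return (struct.pack("!I", rec.rule_id) + lp(rec.name) + lp(rec.description)
            + lp(rec.event_type) + rec.rule_uuid.bytes + rec.revision_uuid.bytes
            + rec.whitelist_uuid.bytes)


def is_well_formed(body: bytes) -> bool:
    """True if the body parses cleanly; malformed input is reported, not raised."""
    try:
        parse_correlation_rule_record(body)
    except MalformedRecord:
        return False
    return True


# Constructed sample record (values invented for this example, not real FMC data).
SAMPLE_RULE = CorrelationRuleRecord(
    rule_id=7,
    name="Exfil to unknown host",
    description="Fires when an internal host contacts an unseen destination",
    event_type="connection event",
    rule_uuid=uuid.UUID("11111111-1111-1111-1111-111111111111"),
    revision_uuid=uuid.UUID("22222222-2222-2222-2222-222222222222"),
    whitelist_uuid=uuid.UUID("33333333-3333-3333-3333-333333333333"),
)
SAMPLE_BYTES = build_correlation_rule_record(SAMPLE_RULE)
# Hostile input: Name Length claims 65535 bytes but only one byte follows it.
OVERSIZED_LENGTH_SAMPLE = SAMPLE_BYTES[:4] + b"\xff\xff" + b"x"

if __name__ == "__main__":
    print(parse_correlation_rule_record(SAMPLE_BYTES))
    print("truncated body accepted:", is_well_formed(SAMPLE_BYTES[:-1]))
    print("oversized length accepted:", is_well_formed(OVERSIZED_LENGTH_SAMPLE))
```

The strict trailing-byte check is a choice made in this example: the record length carried in the record header should bound the body exactly, and silently accepting extra bytes would hide a framing bug in the reader. The same pattern of a bounds-checked `_take` applies to every other length-prefixed string and fixed-width field in the chapter.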