Cisco Firepower Management Center 4000 Developer Guide
4-29
FireSIGHT eStreamer Integration Guide
Chapter 4 Understanding Discovery & Connection Data Structures
Metadata for Discovery Events
Security Intelligence Category Metadata
The eStreamer service transmits metadata containing information about the Security Intelligence category within a Security Intelligence Category record, the format of which is shown below. Access control rule reason metadata is sent when the Version 4 metadata flag—bit 20 in the Request Flags field of a request message—is set. See . Note that the Record Type field, which appears after the Message Length field, has a value of 280, indicating a Security Intelligence Category
Table 4-22 IOC Name Data Block Fields (continued)

Field | Data Type | Description

String Block
Length | uint32 | The number of bytes included in the name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Type field.
Event Type | string | The event type for the compromise. Possible values include:
• Adobe Reader launched shell
• Dropper Infection Detected by FireAMP
• Excel Compromise Detected by FireAMP
• Excel launched shell
• Impact 1 Intrusion Event - attempted-admin
• Impact 1 Intrusion Event - attempted-user
• Impact 1 Intrusion Event - successful-admin
• Impact 1 Intrusion Event - successful-user
• Impact 1 Intrusion Event - web-application-attack
• Impact 2 Intrusion Event - attempted-admin
• Impact 2 Intrusion Event - attempted-user
• Impact 2 Intrusion Event - successful-admin
• Impact 2 Intrusion Event - successful-user
• Impact 2 Intrusion Event - web-application-attack
• Intrusion Event - exploit-kit
• Intrusion Event - malware-backdoor
• Intrusion Event - malware-CnC
• Java Compromise Detected by FireAMP
• Java launched shell
• PDF Compromise Detected by FireAMP
• PowerPoint Compromise Detected by FireAMP
• PowerPoint launched shell
• QuickTime Compromise Detected by FireAMP
• QuickTime launched shell
• Security Intelligence Event - CnC
• Suspected Botnet Detected by FireAMP
• Threat Detected by FireAMP - Subtype is 'executed'
• Threat Detected by FireAMP - Subtype is not 'executed'
• Threat Detected in File Transfer - Action is not 'block'
• Word Compromise Detected by FireAMP
• Word launched shell
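The Length description above says the String data block carries eight bytes of block type and header fields followed by the Event Type bytes. The parser below is an added example, not Cisco's code or anything shipped with eStreamer: it reads that String Block from a byte buffer, refuses lengths that are shorter than the header or that run past the end of the buffer (the two defects a consumer of untrusted binary records most often forgets to check), and flags Event Type values that are not in the list from Table 4-22. It assumes network (big-endian) byte order for the two uint32 fields and uses block type value 0 only as a constructed placeholder; both are assumptions, not values taken from this page.

```python
import struct

# Event Type values as listed in Table 4-22 on this page.
KNOWN_EVENT_TYPES = {
    "Adobe Reader launched shell",
    "Dropper Infection Detected by FireAMP",
    "Excel Compromise Detected by FireAMP",
    "Excel launched shell",
    "Impact 1 Intrusion Event - attempted-admin",
    "Impact 1 Intrusion Event - attempted-user",
    "Impact 1 Intrusion Event - successful-admin",
    "Impact 1 Intrusion Event - successful-user",
    "Impact 1 Intrusion Event - web-application-attack",
    "Impact 2 Intrusion Event - attempted-admin",
    "Impact 2 Intrusion Event - attempted-user",
    "Impact 2 Intrusion Event - successful-admin",
    "Impact 2 Intrusion Event - successful-user",
    "Impact 2 Intrusion Event - web-application-attack",
    "Intrusion Event - exploit-kit",
    "Intrusion Event - malware-backdoor",
    "Intrusion Event - malware-CnC",
    "Java Compromise Detected by FireAMP",
    "Java launched shell",
    "PDF Compromise Detected by FireAMP",
    "PowerPoint Compromise Detected by FireAMP",
    "PowerPoint launched shell",
    "QuickTime Compromise Detected by FireAMP",
    "QuickTime launched shell",
    "Security Intelligence Event - CnC",
    "Suspected Botnet Detected by FireAMP",
    "Threat Detected by FireAMP - Subtype is 'executed'",
    "Threat Detected by FireAMP - Subtype is not 'executed'",
    "Threat Detected in File Transfer - Action is not 'block'",
    "Word Compromise Detected by FireAMP",
    "Word launched shell",
}

# Eight bytes of block type and header fields, per the Length description:
# assumed here to be two uint32 values (block type, block length) in
# network byte order. The byte order is an assumption, not stated on this page.
STRING_BLOCK_HEADER_LEN = 8
HEADER_FMT = "!II"


def parse_string_block(buf: bytes, offset: int = 0):
    """Parse one String Block starting at buf[offset:].

    Returns (block_type, event_type_text, next_offset). Raises ValueError
    instead of reading outside the buffer when the length field is wrong.
    """
    if len(buf) - offset < STRING_BLOCK_HEADER_LEN:
        raise ValueError("truncated String Block header")
    block_type, block_len = struct.unpack_from(HEADER_FMT, buf, offset)
    # Length counts the header too, so anything below 8 cannot be valid.
    if block_len < STRING_BLOCK_HEADER_LEN:
        raise ValueError(f"block length {block_len} is smaller than its header")
    end = offset + block_len
    # A length that points past the data we actually hold is rejected,
    # not silently clamped.
    if end > len(buf):
        raise ValueError(
            f"block length {block_len} exceeds the {len(buf) - offset} bytes available"
        )
    text = buf[offset + STRING_BLOCK_HEADER_LEN:end].decode("utf-8", errors="replace")
    return block_type, text, end


def build_string_block(text: str, block_type: int = 0) -> bytes:
    """Encode a String Block the way parse_string_block expects it.

    block_type=0 is a constructed placeholder for this example only.
    """
    data = text.encode("utf-8")
    return struct.pack(HEADER_FMT, block_type, STRING_BLOCK_HEADER_LEN + len(data)) + data


def classify_event_type(text: str) -> str:
    """Return 'known' when the Event Type is one listed in Table 4-22."""
    return "known" if text in KNOWN_EVENT_TYPES else "unknown"


if __name__ == "__main__":
    # Constructed sample record: a well-formed block and a truncated copy of it.
    sample = build_string_block("Java launched shell")
    block_type, event_type, next_off = parse_string_block(sample)
    print(block_type, repr(event_type), next_off, classify_event_type(event_type))
    try:
        parse_string_block(sample[:20])
    except ValueError as err:
        print("rejected:", err)
```

Feeding the parser an unknown Event Type is not an error: newer eStreamer metadata may add values, so the consumer logs the string as unknown rather than dropping the record.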