Cisco Firepower Management Center 4000 Developer Guide
B-34
FireSIGHT eStreamer Integration Guide
Appendix B Understanding Legacy Data Structures
Legacy Malware Event Data Structures
The following table describes the fields in the malware event data block.
[Block layout figure: fields drawn in 32-bit rows (Byte 0, 1, 2, 3; Bit 0 to 31). The recovered fragment shows the String Block Type (0) and String Block Length header of an Event Description string field; the remainder of the figure was not recovered.]
Table B-7  Malware Event Data Block Fields

Field                       Data Type   Description
Malware Event Block Type    uint32      Initiates a malware event data block. This value is always 16.
Malware Event Block Length  uint32      Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.
Agent UUID                  uint8[16]   The internal unique ID of the FireAMP agent reporting the malware event.
Cloud UUID                  uint8[16]   The internal unique ID of the malware awareness network from which the malware event originated.
Timestamp                   uint32      The malware event generation timestamp.
Event Type ID               uint32      The internal ID of the malware event type.
Event Subtype ID            uint8       The internal ID of the action that led to malware detection.
Host IP Address             uint32      The host IP address associated with the malware event.
Detector ID                 uint8       The internal ID of the detection technology that detected the malware.
String Block Type           uint32      Initiates a String data block containing the detection name. This value is always 0.
String Block Length         uint32      The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field.
Detection Name              string      The name of the detected or quarantined malware.
String Block Type           uint32      Initiates a String data block containing the username. This value is always 0.
String Block Length         uint32      The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field.
User                        string      The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery.
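The following parser is an added example written for this page; it is not code from the Cisco guide or from eStreamer itself. It decodes the fields that Table B-7 lists, using the constants the table gives (block type 16, String block type 0, length fields that count their own eight-byte header), and checks every length against the buffer before trusting it, so a truncated or inconsistent block is rejected rather than misread. It assumes the fields are big-endian (network byte order) and that the strings are UTF-8; the sample block it builds is constructed for the example, not captured traffic. Fields after the User string are not described on this page, so any bytes between the end of the User string block and the declared block length are returned unparsed as "trailing".

```python
import ipaddress
import struct
import uuid

MALWARE_EVENT_BLOCK_TYPE = 16  # Table B-7: the malware event block type is always 16
STRING_BLOCK_TYPE = 0          # Table B-7: String data blocks always have type 0
HEADER_LEN = 8                 # block type (4 bytes) + block length (4 bytes), counted in every length field

# Fixed-size fields from Table B-7, in order, big-endian (assumed network byte order):
# block type, block length, agent UUID, cloud UUID, timestamp, event type ID,
# event subtype ID, host IP address, detector ID
FIXED_FORMAT = ">II16s16sIIBIB"
FIXED_LEN = struct.calcsize(FIXED_FORMAT)  # 54 bytes


class MalformedBlock(ValueError):
    """The bytes do not follow the documented layout (truncation, bad type or length)."""


def read_string_block(buf, off, end):
    """Parse one String data block (type 0) starting at `off`, never reading past `end`.

    The length field counts its own eight-byte header plus the string bytes, so
    the payload is `length - 8` bytes. Returns (text, offset_after_block).
    """
    if off + HEADER_LEN > end:
        raise MalformedBlock("truncated String block header at offset %d" % off)
    blk_type, blk_len = struct.unpack_from(">II", buf, off)
    if blk_type != STRING_BLOCK_TYPE:
        raise MalformedBlock("expected String block type 0 at offset %d, got %d" % (off, blk_type))
    if blk_len < HEADER_LEN or off + blk_len > end:
        raise MalformedBlock("String block length %d at offset %d is out of bounds" % (blk_len, off))
    payload = buf[off + HEADER_LEN:off + blk_len]
    # Assumption: strings are UTF-8; undecodable bytes are replaced rather than aborting the parse.
    return payload.decode("utf-8", errors="replace"), off + blk_len


def parse_malware_event_block(buf):
    """Parse the Table B-7 fields from `buf` and return them as a dict.

    Bytes after the User string but inside the declared block length are not
    described on this page and are returned unparsed under 'trailing'.
    """
    if len(buf) < FIXED_LEN:
        raise MalformedBlock("buffer is %d bytes, shorter than the %d-byte fixed part" % (len(buf), FIXED_LEN))
    (blk_type, blk_len, agent, cloud, timestamp, event_type, event_subtype,
     host_ip, detector) = struct.unpack_from(FIXED_FORMAT, buf, 0)
    if blk_type != MALWARE_EVENT_BLOCK_TYPE:
        raise MalformedBlock("expected malware event block type 16, got %d" % blk_type)
    if blk_len < FIXED_LEN or blk_len > len(buf):
        raise MalformedBlock("block length %d does not fit the %d-byte buffer" % (blk_len, len(buf)))

    off = FIXED_LEN
    detection_name, off = read_string_block(buf, off, blk_len)
    user, off = read_string_block(buf, off, blk_len)

    return {
        "block_length": blk_len,
        "agent_uuid": str(uuid.UUID(bytes=agent)),
        "cloud_uuid": str(uuid.UUID(bytes=cloud)),
        "timestamp": timestamp,
        "event_type_id": event_type,
        "event_subtype_id": event_subtype,
        "host_ip": str(ipaddress.IPv4Address(host_ip)),
        "detector_id": detector,
        "detection_name": detection_name,
        "user": user,
        "trailing": bytes(buf[off:blk_len]),
    }


def build_string_block(text):
    """Encode `text` as a String data block: type 0, length including the 8-byte header."""
    data = text.encode("utf-8")
    return struct.pack(">II", STRING_BLOCK_TYPE, HEADER_LEN + len(data)) + data


def build_sample_block():
    """Return a constructed sample block; all values are invented for this example."""
    agent = uuid.UUID("00000000-0000-4000-8000-000000000001").bytes
    cloud = uuid.UUID("00000000-0000-4000-8000-000000000002").bytes
    body = struct.pack(">16s16sIIBIB", agent, cloud,
                       1400000000,                                # timestamp
                       1,                                         # event type ID
                       2,                                         # event subtype ID
                       int(ipaddress.IPv4Address("192.0.2.10")),  # host IP (documentation range)
                       3)                                         # detector ID
    body += build_string_block("Example.Detection.Name")
    body += build_string_block("exampleuser")
    # The block length covers its own 8-byte type/length header plus everything after it.
    return struct.pack(">II", MALWARE_EVENT_BLOCK_TYPE, HEADER_LEN + len(body)) + body


if __name__ == "__main__":
    for name, value in parse_malware_event_block(build_sample_block()).items():
        print("%-17s %r" % (name, value))
```

Because both String blocks carry a length that includes their own header, the parser bounds each one by the enclosing block length rather than by the buffer, which is what catches a String block that claims more bytes than the malware event block contains.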