Cisco Firepower Management Center 2000 Programmer's Guide
3-39
FireSIGHT eStreamer Integration Guide
Chapter 3 Understanding Intrusion and Correlation Data Structures
Intrusion Event and Metadata Record Types
Note that the record structure includes a String block type, which is a block in series 1. For information about series 1 blocks, see .
[Record layout diagram, remaining rows: Egress Zone UUID (continued), Source IPv6 Address (four 32-bit words), Destination IPv6 Address (four 32-bit words); byte ruler 0-3 and bit ruler 0-31 across the top of each row.]
Table 3-24 Correlation Event 5.1+ Data Fields

Field | Data Type | Description
Correlation Block Type | uint32 | Indicates a correlation event data block follows. This field always has a value of 128. See .
Correlation Block Length | uint32 | Length of the correlation data block, which includes 8 bytes for the correlation block type and length plus the correlation data that follows.
Device ID | uint32 | Internal identification number of the managed device or Defense Center that generated the correlation event. A value of 0 indicates the Defense Center. You can obtain managed device names by requesting Version 3 metadata. See for more information.
(Correlation) Event Second | uint32 | UNIX timestamp indicating the time that the correlation event was generated (in seconds from 01/01/1970).
Event ID | uint32 | Correlation event identification number.
Policy ID | uint32 | Identification number of the correlation policy that was violated. See identification numbers from the database.