Developer Guide for Cisco Firepower Management Center 2000
Sourcefire 3D System eStreamer Integration Guide, Version 5.3 (page 641)
Appendix B: Understanding Legacy Data Structures
Legacy Correlation Event Data Structures
Correlation Event 4.10.x Data Fields (Continued)

Field                 Data Type   Description

Detection Engine ID   uint32      ID of the detection engine or Defense Center that generated the
                                  correlation event. A value of zero indicates the Defense Center. You can
                                  obtain detection engine IDs and the detection engine UUIDs that correlate
                                  to them by requesting Version 3 metadata. See for more information.

Event Second          uint32      UNIX timestamp indicating the time that the event was detected
                                  (in seconds since 01/01/1970).

Correlation Event ID  uint32      Correlation event identification number.

Policy ID             uint32      Identification number of the correlation policy that was violated.
                                  See page 182 for information about how to obtain policy identification
                                  numbers from the database.

Rule ID               uint32      Identification number of the correlation rule that triggered to violate
                                  the policy. See page 182 for information about how to obtain correlation
                                  rule and policy identification numbers from the database.

Priority              uint32      Priority assigned to the event. This is an integer value from 0 to 5.

String Block Type     uint32      Initiates a string data block that contains the correlation violation
                                  event description. This value is always set to 0.

String Block Length   uint32      Number of bytes in the event description string block. The count includes
                                  the four bytes of the string block type and the four bytes of the string
                                  block length, plus the number of bytes in the description.

Description           string      Description of the correlation event.

Event Type            uint8       Indicates whether the correlation event was triggered by an intrusion,
                                  discovery, or user activity event:
                                  • 1 — intrusion
                                  • 2 — discovery
                                  • 3 — user activity
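The following parser is an added example, not code from the eStreamer Integration Guide or from the eStreamer SDK. It decodes the run of fields listed above, from Detection Engine ID through Event Type, and validates the String Block Length the way a consumer should before trusting it: the length counts its own eight-byte header, so a value below 8, or one that runs past the end of the record, is malformed and must be rejected rather than used as a slice bound. Assumptions not stated on this page: fields are packed in network (big-endian) byte order, the description is UTF-8, and the record fragment starts at Detection Engine ID; the "(Continued)" table means other fields precede and follow this run in a real record, so the function returns the offset where the next field begins. The sample bytes are constructed here, not captured from a Defense Center.

```python
"""Parser for the 4.10.x legacy correlation event fields shown in the table.

Added example. Byte order (network/big-endian) and the UTF-8 encoding of the
description are assumptions, not statements from the guide.
"""
import struct
from dataclasses import dataclass

# Event Type values from the table; anything else is reported as unknown.
EVENT_TYPES = {1: "intrusion", 2: "discovery", 3: "user activity"}
DEFENSE_CENTER_ID = 0  # a Detection Engine ID of zero means the Defense Center

# Detection Engine ID .. Priority: six uint32 fields (assumed network byte order).
FIXED = struct.Struct(">6I")
# String Block Type, String Block Length.
STRBLK = struct.Struct(">II")


class MalformedRecord(ValueError):
    """Raised when a tag or length in the record does not agree with the table."""


@dataclass
class CorrelationEventFields:
    detection_engine_id: int
    event_second: int
    correlation_event_id: int
    policy_id: int
    rule_id: int
    priority: int
    description: str
    event_type: int

    @property
    def event_type_name(self) -> str:
        return EVENT_TYPES.get(self.event_type, f"unknown ({self.event_type})")

    @property
    def from_defense_center(self) -> bool:
        return self.detection_engine_id == DEFENSE_CENTER_ID


def parse_correlation_fields(buf: bytes, offset: int = 0) -> tuple:
    """Parse from Detection Engine ID through Event Type.

    Returns (fields, next_offset). Every length read from the record is checked
    against the buffer before it is used, so a corrupted or hostile record
    raises MalformedRecord instead of producing an out-of-bounds slice.
    """
    end = len(buf)
    if end - offset < FIXED.size + STRBLK.size:
        raise MalformedRecord("record truncated before the string block")
    de_id, event_sec, ce_id, policy_id, rule_id, priority = FIXED.unpack_from(buf, offset)
    offset += FIXED.size
    if priority > 5:
        raise MalformedRecord(f"priority {priority} outside the documented range 0..5")

    blk_type, blk_len = STRBLK.unpack_from(buf, offset)
    if blk_type != 0:
        raise MalformedRecord(f"string block type {blk_type}, expected 0")
    # The length includes its own 8-byte header, so it can never be below 8,
    # and the whole block must lie inside the buffer.
    if blk_len < STRBLK.size or offset + blk_len > end:
        raise MalformedRecord(f"string block length {blk_len} does not fit the record")
    description = buf[offset + STRBLK.size: offset + blk_len].decode("utf-8", errors="replace")
    offset += blk_len

    if offset >= end:
        raise MalformedRecord("record truncated before Event Type")
    event_type = buf[offset]  # uint8
    offset += 1
    fields = CorrelationEventFields(de_id, event_sec, ce_id, policy_id, rule_id,
                                    priority, description, event_type)
    return fields, offset


def encode_correlation_fields(de_id, event_sec, ce_id, policy_id, rule_id,
                              priority, description, event_type) -> bytes:
    """Build the same field run; used here only to construct sample records."""
    desc = description.encode("utf-8")
    return (FIXED.pack(de_id, event_sec, ce_id, policy_id, rule_id, priority)
            + STRBLK.pack(0, STRBLK.size + len(desc)) + desc + bytes([event_type]))


def is_malformed(buf: bytes) -> bool:
    """True if the parser rejects the record."""
    try:
        parse_correlation_fields(buf)
    except MalformedRecord:
        return True
    return False


# Constructed sample, not a captured eStreamer record.
SAMPLE_RECORD = encode_correlation_fields(0, 1400000000, 42, 7, 3, 2,
                                          "Test correlation violation", 1)
# Same record with String Block Length inflated far past the end of the buffer.
BAD_RECORD = (SAMPLE_RECORD[:FIXED.size] + STRBLK.pack(0, 0xFFFF)
              + SAMPLE_RECORD[FIXED.size + STRBLK.size:])

if __name__ == "__main__":
    fields, nxt = parse_correlation_fields(SAMPLE_RECORD)
    print(fields, "next offset:", nxt)
    print("bad record rejected:", is_malformed(BAD_RECORD))
```

Because the block length is self-inclusive, the check `blk_len < 8` matters as much as the upper bound: a length of 0 through 7 would otherwise produce a negative-length or empty slice and desynchronise every field that follows, including Event Type.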