Version 5.3
Sourcefire 3D System eStreamer Integration Guide
641
Understanding Legacy Data Structures
Legacy Correlation Event Data Structures
Appendix B
Correlation Event 4.10.x Data Fields (Continued)

| Field | Data Type | Description |
| --- | --- | --- |
| Detection Engine ID | uint32 | ID of the detection engine or Defense Center that generated the correlation event. A value of zero indicates the Defense Center. You can obtain detection engine IDs and the detection engine UUIDs that correlate to them by requesting Version 3 metadata. See  more information. |
| Event Second | uint32 | UNIX timestamp indicating the time that the event was detected (in seconds from 01/01/1970). |
| Correlation Event ID | uint32 | Correlation event identification number. |
| Policy ID | uint32 | Identification number of the correlation policy that was violated. See  page 182 for information about how to obtain policy identification numbers from the database. |
| Rule ID | uint32 | Identification number of the correlation rule that triggered to violate the policy. See  on page 182 for information about how to obtain policy identification numbers from the database. |
| Priority | uint32 | Priority assigned to the event. This is an integer value from 0 to 5. |
| String Block Type | uint32 | Initiates a string data block that contains the correlation violation event description. This value is always set to 0. |
| String Block Length | uint32 | Number of bytes in the event description string block, which includes four bytes for the string block type and four bytes for the string block length, plus the number of bytes in the description. |
| Description | string | Description of the correlation event. |
| Event Type | uint8 | Indicates whether the correlation event was triggered by an intrusion, discovery, or user activity event: 1 — intrusion; 2 — discovery; 3 — user activity |
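The following Python parser is an added example, not code from the guide or from Cisco: it reads the fields listed in the table above from a byte buffer, checks the string block header the table describes (type always 0, length counting its own eight header bytes), and maps the Event Type code to its name. It assumes the integers are in network byte order (big-endian), which this page does not state, and the sample record it builds is constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass

# Event Type codes from the table above.
EVENT_TYPES = {1: "intrusion", 2: "discovery", 3: "user activity"}


@dataclass
class CorrelationEventFields:
    detection_engine_id: int   # 0 means the Defense Center itself
    event_second: int          # UNIX timestamp (seconds since 1970-01-01)
    correlation_event_id: int
    policy_id: int
    rule_id: int
    priority: int              # integer 0..5
    description: str
    event_type: str


def parse_correlation_fields(buf: bytes, offset: int = 0):
    """Parse the fields listed in the table, starting at `offset` in `buf`.

    Returns (fields, next_offset). Assumption: integers are big-endian
    (network byte order); the page does not state the byte order."""
    fixed = struct.Struct(">6I")  # six consecutive uint32 fields
    de_id, event_sec, corr_id, policy_id, rule_id, priority = fixed.unpack_from(buf, offset)
    offset += fixed.size
    if not 0 <= priority <= 5:
        raise ValueError(f"priority {priority} outside 0-5")
    # String block: type (always 0) and a length that includes these 8 header bytes.
    block_type, block_len = struct.unpack_from(">II", buf, offset)
    if block_type != 0:
        raise ValueError(f"unexpected string block type {block_type}")
    if block_len < 8 or offset + block_len > len(buf):
        raise ValueError("string block length does not fit the buffer")
    description = buf[offset + 8:offset + block_len].decode("utf-8", errors="replace")
    offset += block_len
    event_type_code = buf[offset]  # uint8 Event Type
    offset += 1
    if event_type_code not in EVENT_TYPES:
        raise ValueError(f"unknown event type {event_type_code}")
    return CorrelationEventFields(de_id, event_sec, corr_id, policy_id, rule_id,
                                  priority, description, EVENT_TYPES[event_type_code]), offset


def build_sample(description: str = "Constructed sample: policy violated") -> bytes:
    """Constructed sample record (not real eStreamer traffic) in the layout above."""
    desc = description.encode("utf-8")
    return (struct.pack(">6I", 0, 1393600000, 42, 7, 3, 4)        # fixed uint32 fields
            + struct.pack(">II", 0, 8 + len(desc)) + desc          # string block
            + struct.pack(">B", 1))                                 # Event Type: intrusion
```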