Field |
Data Type |
Description |
Malware Event Block Type |
uint32 |
Initiates a malware event data block. This value is always 47. |
Malware Event Block Length |
uint32 |
Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows. |
Agent UUID |
uint8[16] |
The internal unique ID of the AMP for Endpoints agent reporting the malware event. |
Cloud UUID |
uint8[16] |
The internal unique ID of the Cisco Advanced Malware Protection cloud from which the malware event originated. |
Malware Event Timestamp |
uint32 |
The malware event generation timestamp. |
Event Type ID |
uint32 |
The internal ID of the malware event type. |
Event Subtype ID |
uint32 |
The internal ID of the action that led to malware detection. |
Detector ID |
uint8 |
The internal ID of the detection technology that detected the malware. |
String Block Type |
uint32 |
Initiates a String data block containing the detection name. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the Detection Name String data block, including eight bytes for the block type and length fields plus the number of bytes in the Detection Name field. |
Detection Name |
string |
The name of the detected or quarantined malware. |
String Block Type |
uint32 |
Initiates a String data block containing the username. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the User String data block, including eight bytes for the block type and length fields plus the number of bytes in the User field. |
User |
string |
The user of the computer where the AMP for Endpoints agent is installed and where the malware event occurred. Note that these users are not tied to user discovery. |
String Block Type |
uint32 |
Initiates a String data block containing the file name. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the File Name String data block, including eight bytes for the block type and length fields plus the number of bytes in the File Name field. |
File Name |
string |
The name of the detected or quarantined file. |
String Block Type |
uint32 |
Initiates a String data block containing the file path. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the File Path String data block, including eight bytes for the block type and length fields plus the number of bytes in the File Path field. |
File Path |
string |
The file path, not including the file name, of the detected or quarantined file. |
String Block Type |
uint32 |
Initiates a String data block containing the file SHA hash. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and length fields plus the number of bytes in the File SHA Hash field. |
File SHA Hash |
string |
The rendered string of the SHA-256 hash value of the detected or quarantined file. |
File Size |
uint32 |
The size in bytes of the detected or quarantined file. |
File Type |
uint8 |
The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information. |
File Timestamp |
uint32 |
UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file. |
String Block Type |
uint32 |
Initiates a String data block containing the parent file name. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and length fields plus the number of bytes in the Parent File Name field. |
Parent File Name |
string |
The name of the file accessing the detected or quarantined file when detection occurred. |
String Block Type |
uint32 |
Initiates a String data block containing the parent file SHA hash. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and length fields plus the number of bytes in the Parent File SHA Hash field. |
Parent File SHA Hash |
string |
The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred. |
String Block Type |
uint32 |
Initiates a String data block containing the event description. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the Event Description String data block, including eight bytes for the block type and length fields plus the number of bytes in the Event Description field. |
Event Description |
string |
The additional event information associated with the event type. |
Device ID |
uint32 |
ID for the device that generated the event. |
Connection Instance |
uint16 |
Snort instance on the device that generated the event. Used to link the event with a connection or IDS event. |
Connection Counter |
uint16 |
Value used to distinguish between connection events that happen during the same second. |
Connection Event Timestamp |
uint32 |
Timestamp of the connection event. |
Direction |
uint8 |
Indicates whether the file was uploaded or downloaded. Can have the following values:
- 1 — Download
- 2 — Upload
Currently the value depends on the protocol (for example, if the connection is HTTP it is a download). |
Source IP Address |
uint8[16] |
IPv4 or IPv6 address for the source of the connection. |
Destination IP Address |
uint8[16] |
IPv4 or IPv6 address for the destination of the connection. |
Application ID |
uint32 |
ID number that maps to the application using the file transfer. |
User ID |
uint32 |
Identification number for the user logged into the destination host, as identified by the system. |
Access Control Policy UUID |
uint8[16] |
Identification number that acts as a unique identifier for the access control policy that triggered the event. |
Disposition |
uint8 |
The malware status of the file. Possible values include:
- 1 — CLEAN: the file is clean and does not contain malware.
- 2 — UNKNOWN: it is unknown whether the file contains malware.
- 3 — MALWARE: the file contains malware.
- 4 — UNAVAILABLE: the software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.
- 5 — CUSTOM SIGNATURE: the file matches a user-defined hash and is treated in the fashion designated by the user. |
Retrospective Disposition |
uint8 |
Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field. |
String Block Type |
uint32 |
Initiates a String data block containing the URI. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the URI String data block, including eight bytes for the block type and length fields plus the number of bytes in the URI field. |
URI |
string |
URI of the connection. |
Source Port |
uint16 |
Port number for the source of the connection. |
Destination Port |
uint16 |
Port number for the destination of the connection. |
Source Country |
uint16 |
Code for the country of the source host. |
Destination Country |
uint16 |
Code for the country of the destination host. |
Web Application ID |
uint32 |
The internal identification number of the detected web application, if applicable. |
Client Application ID |
uint32 |
The internal identification number of the detected client application, if applicable. |
Action |
uint8 |
The action taken on the file based on the file type. Can have the following values:
- 1 — Detect
- 2 — Block
- 3 — Malware Cloud Lookup
- 4 — Malware Block
- 5 — Malware Allow List
- 6 — Cloud Lookup Timeout
- 7 — Custom Detection
- 8 — Custom Detection Block
- 9 — Archive Block (Depth Exceeded)
- 10 — Archive Block (Encrypted)
- 11 — Archive Block (Failed to Inspect) |
Protocol |
uint8 |
IANA protocol number of the connection. For example:
- 1 — ICMP
- 4 — IP
- 6 — TCP
- 17 — UDP
This is currently only TCP. |
Threat Score |
uint8 |
A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis. |
IOC Number |
uint16 |
ID number of the compromise associated with this event. |
Security Context |
uint8[16] |
ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
SSL Certificate Fingerprint |
uint8[20] |
SHA-1 hash of the SSL server certificate. |
SSL Actual Action |
uint16 |
The action performed on the connection based on the SSL rule. This may differ from the expected action, because the action specified in the rule may be impossible to carry out. Possible values include:
- 0 — Unknown
- 1 — Do Not Decrypt
- 2 — Block
- 3 — Block With Reset
- 4 — Decrypt (Known Key)
- 5 — Decrypt (Replace Key)
- 6 — Decrypt (Resign) |
SSL Flow Status |
uint16 |
Status of the SSL flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
- 0 — Unknown
- 1 — No Match
- 2 — Success
- 3 — Uncached Session
- 4 — Unknown Cipher Suite
- 5 — Unsupported Cipher Suite
- 6 — Unsupported SSL Version
- 7 — SSL Compression Used
- 8 — Session Undecryptable in Passive Mode
- 9 — Handshake Error
- 10 — Decryption Error
- 11 — Pending Server Name Category Lookup
- 12 — Pending Common Name Category Lookup
- 13 — Internal Error
- 14 — Network Parameters Unavailable
- 15 — Invalid Server Certificate Handle
- 16 — Server Certificate Fingerprint Unavailable
- 17 — Cannot Cache Subject DN
- 18 — Cannot Cache Issuer DN
- 19 — Unknown SSL Version
- 20 — External Certificate List Unavailable
- 21 — External Certificate Fingerprint Unavailable
- 22 — Internal Certificate List Invalid
- 23 — Internal Certificate List Unavailable
- 24 — Internal Certificate Unavailable
- 25 — Internal Certificate Fingerprint Unavailable
- 26 — Server Certificate Validation Unavailable
- 27 — Server Certificate Validation Failure
- 28 — Invalid Action |
String Block Type |
uint32 |
Initiates a String data block containing the Archive SHA. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the Archive SHA String data block, including eight bytes for the block type and length fields plus the number of bytes in the Archive SHA field. |
Archive SHA |
string |
SHA-1 hash of the parent archive in which the file is contained. |
String Block Type |
uint32 |
Initiates a String data block containing the Archive Name. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the Archive Name String data block, including eight bytes for the block type and length fields plus the number of bytes in the Archive Name field. |
Archive Name |
string |
Name of the parent archive. |
Archive Depth |
uint8 |
Number of layers in which the file is nested. For example, if a text file is in a zip archive, this has a value of 1. |
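The table above is a wire layout, and the way to check that one has read it correctly is to parse it. The following is an added example, not Cisco's code and not part of the eStreamer guide: a table-driven parser (and a matching builder used only to construct test input) for the Malware Event data block, walking the fields in exactly the order listed. It assumes network (big-endian) byte order, that a String data block is a uint32 type of 0, a uint32 length that includes its own 8-byte header, and the string bytes with no terminator, and that IPv4 addresses arrive in the uint8[16] fields as IPv4-mapped IPv6; every read is bounds-checked and the consumed byte count is reconciled against the declared block length, so a truncated or mis-declared block is rejected rather than silently mis-parsed. The sample record is constructed here, not a captured message.

```python
# Added example (not Cisco's code): parser/builder for the Malware Event data
# block (type 47) from the table above. Assumptions: big-endian byte order;
# String data block = uint32 type 0 + uint32 length (header included) + bytes;
# IPv4 addresses arrive in uint8[16] fields as IPv4-mapped IPv6.
import ipaddress
import struct

MALWARE_EVENT_BLOCK_TYPE = 47
STRING_BLOCK_TYPE = 0

# (field, kind): kind is a struct format, an int byte width for raw fields,
# or "str" for a String data block. Order matches the table.
LAYOUT = [
    ("agent_uuid", 16), ("cloud_uuid", 16), ("malware_event_timestamp", ">I"),
    ("event_type_id", ">I"), ("event_subtype_id", ">I"), ("detector_id", ">B"),
    ("detection_name", "str"), ("user", "str"), ("file_name", "str"),
    ("file_path", "str"), ("file_sha", "str"), ("file_size", ">I"),
    ("file_type", ">B"), ("file_timestamp", ">I"), ("parent_file_name", "str"),
    ("parent_file_sha", "str"), ("event_description", "str"),
    ("device_id", ">I"), ("connection_instance", ">H"),
    ("connection_counter", ">H"), ("connection_event_timestamp", ">I"),
    ("direction", ">B"), ("source_ip", 16), ("destination_ip", 16),
    ("application_id", ">I"), ("user_id", ">I"), ("access_control_policy_uuid", 16),
    ("disposition", ">B"), ("retrospective_disposition", ">B"), ("uri", "str"),
    ("source_port", ">H"), ("destination_port", ">H"), ("source_country", ">H"),
    ("destination_country", ">H"), ("web_application_id", ">I"),
    ("client_application_id", ">I"), ("action", ">B"), ("protocol", ">B"),
    ("threat_score", ">B"), ("ioc_number", ">H"), ("security_context", 16),
    ("ssl_certificate_fingerprint", 20), ("ssl_actual_action", ">H"),
    ("ssl_flow_status", ">H"), ("archive_sha", "str"), ("archive_name", "str"),
    ("archive_depth", ">B"),
]
DISPOSITION = {1: "CLEAN", 2: "UNKNOWN", 3: "MALWARE",
               4: "UNAVAILABLE", 5: "CUSTOM SIGNATURE"}


def _take(buf, off, n):
    """Bounds-checked slice; every read of the buffer goes through here."""
    if off + n > len(buf):
        raise ValueError(f"truncated: need {n} bytes at offset {off}")
    return buf[off:off + n], off + n


def _read_string_block(buf, off):
    hdr, off = _take(buf, off, 8)
    btype, blen = struct.unpack(">II", hdr)
    if btype != STRING_BLOCK_TYPE or blen < 8:
        raise ValueError(f"bad String block header ({btype}, {blen}) at {off - 8}")
    data, off = _take(buf, off, blen - 8)
    return data.decode("utf-8", "replace"), off


def _render_ip(raw):
    v6 = ipaddress.IPv6Address(raw)  # assumed: IPv4 is carried as ::ffff:a.b.c.d
    return str(v6.ipv4_mapped or v6)


def parse_malware_event(buf: bytes) -> dict:
    """Decode one block; raises ValueError on any length/type inconsistency."""
    hdr, off = _take(buf, 0, 8)
    btype, blen = struct.unpack(">II", hdr)
    if btype != MALWARE_EVENT_BLOCK_TYPE or blen > len(buf):
        raise ValueError(f"not a well-formed malware event block ({btype}, {blen})")
    rec = {}
    for name, kind in LAYOUT:
        if kind == "str":
            rec[name], off = _read_string_block(buf, off)
        elif isinstance(kind, int):
            rec[name], off = _take(buf, off, kind)
        else:
            raw, off = _take(buf, off, struct.calcsize(kind))
            rec[name] = struct.unpack(kind, raw)[0]
    if off != blen:  # declared length must match what the layout consumed
        raise ValueError(f"consumed {off} bytes, block length says {blen}")
    rec["source_ip"] = _render_ip(rec["source_ip"])
    rec["destination_ip"] = _render_ip(rec["destination_ip"])
    rec["disposition_name"] = DISPOSITION.get(rec["disposition"], "RESERVED")
    return rec


def build_malware_event(fields: dict) -> bytes:
    """Inverse of parse_malware_event; used here only to construct test input."""
    body = b""
    for name, kind in LAYOUT:
        v = fields[name]
        if kind == "str":
            v = v.encode()
            body += struct.pack(">II", STRING_BLOCK_TYPE, 8 + len(v)) + v
        elif isinstance(kind, int):
            assert len(v) == kind, name
            body += v
        else:
            body += struct.pack(kind, v)
    return struct.pack(">II", MALWARE_EVENT_BLOCK_TYPE, 8 + len(body)) + body


def sample_record() -> bytes:
    """Constructed input, not a captured eStreamer message."""
    f = {n: "" if k == "str" else bytes(k) if isinstance(k, int) else 0 for n, k in LAYOUT}
    f.update(detection_name="W32.GenericKD", user="alice", file_name="invoice.exe",
             file_path="C:\\Users\\alice\\Downloads", file_sha="ab" * 32, file_size=4096,
             direction=1, disposition=3, retrospective_disposition=3, action=4,
             protocol=6, threat_score=85, source_port=443, destination_port=50123,
             source_ip=ipaddress.IPv6Address("::ffff:203.0.113.7").packed,
             destination_ip=ipaddress.IPv6Address("::ffff:198.51.100.20").packed)
    return build_malware_event(f)


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_malware_event(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ev = parse_malware_event(sample_record())
    print(ev["disposition_name"], ev["file_sha"], ev["source_ip"], "->", ev["destination_ip"])
```

Because the builder and the parser share the single LAYOUT list, a field added or reordered in one place is reflected in both; the reconciliation of the consumed offset against the declared block length is what catches a layout that drifts from what the sender actually emits, which is the usual failure when a new guide revision appends fields.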