- Firepower System Event Streamer Integration Guide, Version 6.7.0
- Introduction to Event Streamer
- Understanding the eStreamer Application Protocol
- Understanding Intrusion and Correlation Data Structures
- Understanding Discovery & Connection Data Structures
- Understanding Host Data Structures
- Configuring eStreamer
- Data Structure Examples
- Understanding Legacy Data Structures
Firepower System Event Streamer Integration Guide, Version 6.7.0
- Updated:
- February 4, 2021
Chapter: Understanding Legacy Data Structures
- Legacy Intrusion Data Structures
- Legacy Malware Event Data Structures
- Legacy Discovery Data Structures
- Legacy Discovery Event Header
- Legacy Server Data Blocks
- Attribute Address Data Block for 5.0 - 5.1.1.x
- Legacy Client Application Data Blocks
- Legacy Scan Result Data Blocks
- Legacy User Login Data Blocks
- User Login Information Data Block 6.1.x
- Legacy Host Profile Data Blocks
- Legacy OS Fingerprint Data Blocks
- Connection Statistics Data Block 5.0 - 5.0.2
- Connection Statistics Data Block 5.1
- Connection Statistics Data Block 5.2.x
- Connection Chunk Data Block for 5.0 - 5.1
- Connection Chunk Data Block for 5.1.1-6.0.x
- Connection Statistics Data Block 5.1.1.x
- Connection Statistics Data Block 5.3
- Connection Statistics Data Block 5.3.1
- Connection Statistics Data Block 5.4
- Connection Statistics Data Block 5.4.1
- Connection Statistics Data Block 6.0.x
- Connection Statistics Data Block 6.1.x
Understanding Legacy Data Structures
This appendix contains information about data structures supported by eStreamer at previous versions of Firepower System products.
If your client uses event stream requests with bits set to request data in older version formats, you can use the information in this appendix to identify the data structures of the data messages you receive.
Note that prior to version 5.0, separate detection engines were assigned IDs. For version 5.0, devices are assigned IDs. Based on the version, data structures reflect this.
Note
This appendix describes only data structures from version 4.9 or later of the Firepower System. If you require documentation for structures from earlier data structure versions, contact Cisco Customer Support.
Legacy Intrusion Data Structures
- Intrusion Event (IPv4) Record 5.0.x - 5.1
- Intrusion Event (IPv6) Record 5.0.x - 5.1
- Intrusion Event Record 5.2.x
- Intrusion Event Record 5.3
- Intrusion Event Record 5.1.1.x
- Intrusion Event Record 5.3.1
- Intrusion Event Record 5.4.x
- Intrusion Impact Alert Data
Intrusion Event (IPv4) Record 5.0.x - 5.1
The fields in the intrusion event (IPv4) record are shaded in the following graphic. The record type is 207.
You request intrusion event records by setting the intrusion event flag or the extended requests flag in the request message. See Request Flags and Submitting Extended Requests.
For version 5.0.x - 5.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier.
| eStreamer Server Timestamp (in events, only if bit 23 is set) |
||||||||||||||||||||||||||||||||
The following table describes each intrusion event record data field.
|
|
|
|
|---|---|---|
Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
||
UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
||
Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
||
Identification number of the Firepower System preprocessor that generated the event. |
||
Identification number of the priority associated with the event. |
||
Destination IPv4 address used in the event, in address octets. |
||
The source port number if the event protocol type is TCP or UDP. |
||
The destination port number if the event protocol type is TCP or UDP. |
||
Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:
The following impact level values map to specific priorities on the Defense Center. An |
||
A policy ID number that acts as a unique identifier for the intrusion policy. |
||
The internal identification number for the user, if applicable. |
||
The internal identification number for the web application, if applicable. |
||
The internal identification number for the client application, if applicable. |
||
The internal identification number for the application protocol, if applicable. |
||
A rule ID number that acts as a unique identifier for the access control rule. |
||
A policy ID number that acts as a unique identifier for the access control policy. |
||
An interface ID number that acts as a unique identifier for the ingress interface. |
||
An interface ID number that acts as a unique identifier for the egress interface. |
||
A zone ID number that acts as a unique identifier for the ingress security zone. |
||
A zone ID number that acts as a unique identifier for the egress security zone. |
Intrusion Event (IPv6) Record 5.0.x - 5.1
The fields in the intrusion event (IPv6) record are shaded in the following graphic. The record type is 208.
You request intrusion event records by setting the intrusion event flag or the extended requests flag in the request message. See Request Flags and Submitting Extended Requests.
For version 5.0.x - 5.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier.
| eStreamer Server Timestamp (in events, only if bit 23 is set) |
||||||||||||||||||||||||||||||||
The following table describes each intrusion event record data field.
|
|
|
|
|---|---|---|
Contains the identification number of the detecting device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
||
UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
||
Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
||
Identification number of the Firepower System preprocessor that generated the event. |
||
Identification number of the priority associated with the event. |
||
Destination IPv6 address used in the event, in address octets. |
||
The source port number if the event protocol type is TCP or UDP. If the protocol type is ICMP, this indicates the ICMP type. |
||
The destination port number if the event protocol type is TCP or UDP. If the protocol type is ICMP, this indicates the ICMP code. |
||
Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:
The following impact level values map to specific priorities on the Defense Center. An |
||
Indicates the ID of the VLAN where the packet originated. (Applies to 4.9+ events only.) |
||
A policy ID number that acts as a unique identifier for the intrusion policy. |
||
The internal identification number for the user, if applicable. |
||
The internal identification number for the web application, if applicable. |
||
The internal identification number for the client application, if applicable. |
||
The internal identification number for the application protocol, if applicable. |
||
A rule ID number that acts as a unique identifier for the access control rule. |
||
A policy ID number that acts as a unique identifier for the access control policy. |
||
An interface ID number that acts as a unique identifier for the ingress interface. |
||
An interface ID number that acts as a unique identifier for the egress interface. |
||
A zone ID number that acts as a unique identifier for the ingress security zone. |
||
A zone ID number that acts as a unique identifier for the egress security zone. |
Intrusion Event Record 5.2.x
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 34 in the series 2 set of data blocks.
You can request 5.2.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 5 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
For version 5.2.x intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.
| eStreamer Server Timestamp (in events, only if bit 23 is set) |
||||||||||||||||||||||||||||||||
| Destination IP Address, continued |
||||||||||||||||||||||||||||||||
The following table describes each intrusion event record data field.
|
|
|
|
|---|---|---|
Initiates an Intrusion Event data block. This value is always |
||
Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows. |
||
Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
||
UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
||
Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
||
Identification number of the Firepower System preprocessor that generated the event. |
||
Identification number of the priority associated with the event. |
||
The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic. |
||
The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic. |
||
Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:
The following impact level values map to specific priorities on the Defense Center. An |
||
A policy ID number that acts as a unique identifier for the intrusion policy. |
||
The internal identification number for the user, if applicable. |
||
The internal identification number for the web application, if applicable. |
||
The internal identification number for the client application, if applicable. |
||
The internal identification number for the application protocol, if applicable. |
||
A rule ID number that acts as a unique identifier for the access control rule. |
||
A policy ID number that acts as a unique identifier for the access control policy. |
||
An interface ID number that acts as a unique identifier for the ingress interface. |
||
An interface ID number that acts as a unique identifier for the egress interface. |
||
A zone ID number that acts as a unique identifier for the ingress security zone. |
||
A zone ID number that acts as a unique identifier for the egress security zone. |
||
UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
||
Numerical ID of the Snort instance on the managed device that generated the connection event. |
||
Value used to distinguish between connection events that happen during the same second. |
||
Intrusion Event Record 5.3
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 41 in the series 2 set of data blocks.
You can request 5.3 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 6 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
For version 5.3 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.
| eStreamer Server Timestamp (in events, only if bit 23 is set) |
||||||||||||||||||||||||||||||||
| Destination IP Address, continued |
||||||||||||||||||||||||||||||||
The following table describes each intrusion event record data field.
|
|
|
|
|---|---|---|
Initiates an Intrusion Event data block. This value is always |
||
Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows. |
||
Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
||
UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
||
Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
||
Identification number of the Firepower System preprocessor that generated the event. |
||
Identification number of the priority associated with the event. |
||
The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic. |
||
The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic. |
||
Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:
The following impact level values map to specific priorities on the Defense Center. An |
||
A policy ID number that acts as a unique identifier for the intrusion policy. |
||
The internal identification number for the user, if applicable. |
||
The internal identification number for the web application, if applicable. |
||
The internal identification number for the client application, if applicable. |
||
The internal identification number for the application protocol, if applicable. |
||
A rule ID number that acts as a unique identifier for the access control rule. |
||
A policy ID number that acts as a unique identifier for the access control policy. |
||
An interface ID number that acts as a unique identifier for the ingress interface. |
||
An interface ID number that acts as a unique identifier for the egress interface. |
||
A zone ID number that acts as a unique identifier for the ingress security zone. |
||
A zone ID number that acts as a unique identifier for the egress security zone. |
||
UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
||
Numerical ID of the Snort instance on the managed device that generated the connection event. |
||
Value used to distinguish between connection events that happen during the same second. |
||
Intrusion Event Record 5.1.1.x
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 25.
You can request 5.1.1.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 4 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
For version 5.1.1.x intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.
| eStreamer Server Timestamp (in events, only if bit 23 is set) |
||||||||||||||||||||||||||||||||
| Destination IP Address, continued |
||||||||||||||||||||||||||||||||
The following table describes each intrusion event record data field.
|
|
|
|
|---|---|---|
Initiates an Intrusion Event data block. This value is always |
||
Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows. |
||
Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
||
UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
||
Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
||
Identification number of the Firepower System preprocessor that generated the event. |
||
Identification number of the priority associated with the event. |
||
The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic. |
||
The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic. |
||
Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:
The following impact level values map to specific priorities on the Defense Center. An |
||
A policy ID number that acts as a unique identifier for the intrusion policy. |
||
The internal identification number for the user, if applicable. |
||
The internal identification number for the web application, if applicable. |
||
The internal identification number for the client application, if applicable. |
||
The internal identification number for the application protocol, if applicable. |
||
A rule ID number that acts as a unique identifier for the access control rule. |
||
A policy ID number that acts as a unique identifier for the access control policy. |
||
An interface ID number that acts as a unique identifier for the ingress interface. |
||
An interface ID number that acts as a unique identifier for the egress interface. |
||
A zone ID number that acts as a unique identifier for the ingress security zone. |
||
A zone ID number that acts as a unique identifier for the egress security zone. |
||
UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
||
Numerical ID of the Snort instance on the managed device that generated the connection event. |
||
Value used to distinguish between connection events that happen during the same second. |
Intrusion Event Record 5.3.1
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 42 in the series 2 set of data blocks.
You can request 5.3.1 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 7 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
For version 5.3.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.
| eStreamer Server Timestamp (in events, only if bit 23 is set) |
||||||||||||||||||||||||||||||||
| Destination IP Address, continued |
||||||||||||||||||||||||||||||||
The following table describes each intrusion event record data field.
|
|
|
|
|---|---|---|
Initiates an Intrusion Event data block. This value is always 42. |
||
Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows. |
||
Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
||
UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
||
Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
||
Identification number of the Firepower System preprocessor that generated the event. |
||
Identification number of the priority associated with the event. |
||
The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic. |
||
The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic. |
||
Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:
The following impact level values map to specific priorities on the Defense Center. An |
||
A policy ID number that acts as a unique identifier for the intrusion policy. |
||
The internal identification number for the user, if applicable. |
||
The internal identification number for the web application, if applicable. |
||
The internal identification number for the client application, if applicable. |
||
The internal identification number for the application protocol, if applicable. |
||
A rule ID number that acts as a unique identifier for the access control rule. |
||
A policy ID number that acts as a unique identifier for the access control policy. |
||
An interface ID number that acts as a unique identifier for the ingress interface. |
||
An interface ID number that acts as a unique identifier for the egress interface. |
||
A zone ID number that acts as a unique identifier for the ingress security zone. |
||
A zone ID number that acts as a unique identifier for the egress security zone. |
||
UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
||
Numerical ID of the Snort instance on the managed device that generated the connection event. |
||
Value used to distinguish between connection events that happen during the same second. |
||
ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
Intrusion Event Record 5.4.x
The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 45 in the series 2 set of data blocks. It supersedes block type 42, and is superseded by block type 60. Fields for SSL support and Network Analysis Policy have been added.
You can request 5.4.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 8 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).
| eStreamer Server Timestamp (in events, only if bit 23 is set) |
||||||||||||||||||||||||||||||||
| Destination IP Address, continued |
||||||||||||||||||||||||||||||||
The following table describes each intrusion event record data field.
|
|
|
|
|---|---|---|
Initiates an Intrusion Event data block. This value is always 45. |
||
Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows. |
||
Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information. |
||
UNIX timestamp (seconds since 01/01/1970) of the event’s detection. |
||
Microsecond (one millionth of a second) increment of the timestamp of the event’s detection. |
||
Identification number of the Firepower System preprocessor that generated the event. |
||
Identification number of the priority associated with the event. |
||
The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic. |
||
The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic. |
||
Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:
The following impact level values map to specific priorities on the Defense Center. An |
||
A policy ID number that acts as a unique identifier for the intrusion policy. |
||
The internal identification number for the user, if applicable. |
||
The internal identification number for the web application, if applicable. |
||
The internal identification number for the client application, if applicable. |
||
The internal identification number for the application protocol, if applicable. |
||
A rule ID number that acts as a unique identifier for the access control rule. |
||
A policy ID number that acts as a unique identifier for the access control policy. |
||
An interface ID number that acts as a unique identifier for the ingress interface. |
||
An interface ID number that acts as a unique identifier for the egress interface. |
||
A zone ID number that acts as a unique identifier for the ingress security zone. |
||
A zone ID number that acts as a unique identifier for the egress security zone. |
||
UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event. |
||
Numerical ID of the Snort instance on the managed device that generated the connection event. |
||
Value used to distinguish between connection events that happen during the same second. |
||
ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
||
The action performed on the connection based on the SSL Rule. This may differ from the expected action, as the action as specified in the rule may be impossible. Possible values include: |
||
Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
|
||
The UUID of the Network Analysis Policy that created the intrusion event. |
Intrusion Impact Alert Data
The Intrusion Impact Alert event contains information about impact events. It is transmitted when an intrusion event is compared to the system network map data and the impact is determined. It uses the standard record header with a record type of 9, followed by an Intrusion Impact Alert data block with a data block type of 20 in the series 1 group of blocks. (The Impact Alert data block is a type of series 1 data block. For more information about series 1 data blocks, see Understanding Discovery (Series 1) Blocks.)
You can request that eStreamer only transmit intrusion impact events by setting bit 5 in the Flags field of the request message. See Event Stream Request Message Format for more information about request messages. Version 1 of these alerts only handles IPv4. Version 2, introduced in 5.3, handles IPv6 events in addition to IPv4.
The following table describes each data field in an impact event.
|
|
|
|
|---|---|---|
Indicates that an intrusion impact alert data block follows. This field will always have a value of |
||
Indicates the length of the intrusion impact alert data block, including all data that follows and 8 bytes for the intrusion impact alert block type and length. |
||
Indicates the second (from 01/01/1970) that the event was detected. |
||
Impact flag value of the event. The low-order eight bits indicate the impact level. Values are:
The following impact level values map to specific priorities on the Defense Center. An |
||
IP address of the host associated with the impact event, in IP address octets. |
||
IP address of the destination IP address associated with the impact event (if applicable), in IP address octets. This value is |
||
Initiates a string data block that contains the impact name. This value is always set to |
||
Number of bytes in the event description string block. This includes the four bytes for the string block type, the four bytes for the string block length, and the number of bytes in the description. |
||
Legacy Malware Event Data Structures
- Malware Event Data Block 5.1
- Malware Event Data Block 5.1.1.x
- Malware Event Data Block 5.2.x
- Malware Event Data Block 5.3
- Malware Event Data Block 5.3.1
- Malware Event Data Block 5.4.x
Malware Event Data Block 5.1
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 16 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 1 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following table describes the fields in the malware event data block.
Malware Event Data Block 5.1.1.x
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 24 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 2 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following table describes the fields in the malware event data block.
Malware Event Data Block 5.2.x
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 33 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 3 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following table describes the fields in the malware event data block.
Malware Event Data Block 5.3
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 35 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 4 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following table describes the fields in the malware event data block.
|
|
|
|
|---|---|---|
Initiates a malware event data block. This value is always |
||
Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows. |
||
The internal unique ID of the AMP for Endpoints agent reporting the malware event. |
||
The internal unique ID of the malware awareness network from which the malware event originated. |
||
The internal ID of the action that led to malware detection. |
||
The internal ID of the detection technology that detected the malware. |
||
Initiates a String data block containing the detection name. This value is always |
||
The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field. |
||
Initiates a String data block containing the username. This value is always |
||
The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field. |
||
The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery. |
||
Initiates a String data block containing the file name. This value is always |
||
The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field. |
||
Initiates a String data block containing the file path. This value is always |
||
The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field. |
||
The file path, not including the file name, of the detected or quarantined file. |
||
Initiates a String data block containing the file SHA hash. This value is always |
||
The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field. |
||
The rendered string of the SHA-256 hash value of the detected or quarantined file. |
||
The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information. |
||
UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file. |
||
Initiates a String data block containing the parent file name. This value is always |
||
The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field. |
||
The name of the file accessing the detected or quarantined file when detection occurred. |
||
Initiates a String data block containing the parent file SHA hash. This value is always |
||
The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field. |
||
The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred. |
||
Initiates a String data block containing the event description. This value is always |
||
The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field. |
||
The additional event information associated with the event type. |
||
Snort instance on the device that generated the event. Used to link the event with a connection or IDS event. |
||
Value used to distinguish between connection events that happen during the same second. |
||
Indicates whether the file was uploaded or downloaded. Can have the following values: Currently the value depends on the protocol (for example, if the connection is HTTP it is a download). |
||
ID number that maps to the application using the file transfer. |
||
Identification number for the user logged into the destination host, as identified by the system. |
||
Identification number that acts as a unique identifier for the access control policy that triggered the event. |
||
The malware status of the file. Possible values include:
|
||
Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field. |
||
Initiates a String data block containing the URI. This value is always |
||
The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field. |
||
The internal identification number of the detected web application, if applicable. |
||
The internal identification number of the detected client application, if applicable. |
||
The action taken on the file based on the file type. Can have the following values: |
||
A numeric value from |
||
Malware Event Data Block 5.3.1
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 44 in the series 2 group of blocks. It supersedes block 35. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 5 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following table describes the fields in the malware event data block.
|
|
|
|
|---|---|---|
Initiates a malware event data block. This value is always |
||
Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows. |
||
The internal unique ID of the AMP for Endpoints agent reporting the malware event. |
||
The internal unique ID of the Cisco Advanced Malware Protection cloud from which the malware event originated. |
||
The internal ID of the action that led to malware detection. |
||
The internal ID of the detection technology that detected the malware. |
||
Initiates a String data block containing the detection name. This value is always 0. |
||
The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field. |
||
Initiates a String data block containing the username. This value is always 0. |
||
The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field. |
||
The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery. |
||
Initiates a String data block containing the file name. This value is always 0. |
||
The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field. |
||
Initiates a String data block containing the file path. This value is always 0. |
||
The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field. |
||
The file path, not including the file name, of the detected or quarantined file. |
||
Initiates a String data block containing the file SHA hash. This value is always 0. |
||
The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field. |
||
The rendered string of the SHA-256 hash value of the detected or quarantined file. |
||
The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information. |
||
UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file. |
||
Initiates a String data block containing the parent file name. This value is always 0. |
||
The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field. |
||
The name of the file accessing the detected or quarantined file when detection occurred. |
||
Initiates a String data block containing the parent file SHA hash. This value is always 0. |
||
The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field. |
||
The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred. |
||
Initiates a String data block containing the event description. This value is always 0. |
||
The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field. |
||
The additional event information associated with the event type. |
||
Snort instance on the device that generated the event. Used to link the event with a connection or IDS event. |
||
Value used to distinguish between connection events that happen during the same second. |
||
Indicates whether the file was uploaded or downloaded. Can have the following values: Currently the value depends on the protocol (for example, if the connection is HTTP it is a download). |
||
ID number that maps to the application using the file transfer. |
||
Identification number for the user logged into the destination host, as identified by the system. |
||
Identification number that acts as a unique identifier for the access control policy that triggered the event. |
||
The malware status of the file. Possible values include:
|
||
Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field. |
||
Initiates a String data block containing the URI. This value is always 0. |
||
The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field. |
||
The internal identification number of the detected web application, if applicable. |
||
The internal identification number of the detected client application, if applicable. |
||
The action taken on the file based on the file type. Can have the following values: |
||
A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis. |
||
ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
Malware Event Data Block 5.4.x
The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 47 in the series 2 group of blocks. It supersedes block 44 and is superseded by block. Fields for SSL and file archive support have been added.
You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 6 and an event code of 101.
The following graphic shows the structure of the malware event data block:
The following table describes the fields in the malware event data block.
|
|
|
|
|---|---|---|
Initiates a malware event data block. This value is always 47. |
||
Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows. |
||
The internal unique ID of the AMP for Endpoints agent reporting the malware event. |
||
The internal unique ID of the Cisco Advanced Malware Protection cloud from which the malware event originated. |
||
The internal ID of the action that led to malware detection. |
||
The internal ID of the detection technology that detected the malware. |
||
Initiates a String data block containing the detection name. This value is always |
||
The number of bytes included in the Detection Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Detection Name field. |
||
Initiates a String data block containing the username. This value is always |
||
The number of bytes included in the User String data block, including eight bytes for the block type and header fields plus the number of bytes in the User field. |
||
The user of the computer where the Cisco Agent is installed and where the malware event occurred. Note that these users are not tied to user discovery. |
||
Initiates a String data block containing the file name. This value is always |
||
The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field. |
||
Initiates a String data block containing the file path. This value is always |
||
The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field. |
||
The file path, not including the file name, of the detected or quarantined file. |
||
Initiates a String data block containing the file SHA hash. This value is always |
||
The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field. |
||
The rendered string of the SHA-256 hash value of the detected or quarantined file. |
||
The file type of the detected or quarantined file. The meaning of this field is transmitted in the metadata with this event. See AMP for Endpoints File Type Metadata for more information. |
||
UNIX timestamp (seconds since 01/01/1970) of the creation of the detected or quarantined file. |
||
Initiates a String data block containing the parent file name. This value is always |
||
The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field. |
||
The name of the file accessing the detected or quarantined file when detection occurred. |
||
Initiates a String data block containing the parent file SHA hash. This value is always |
||
The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field. |
||
The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred. |
||
Initiates a String data block containing the event description. This value is always |
||
The number of bytes included in the Event Description String data block, including eight bytes for the block type and header fields plus the number of bytes in the Event Description field. |
||
The additional event information associated with the event type. |
||
Snort instance on the device that generated the event. Used to link the event with a connection or IDS event. |
||
Value used to distinguish between connection events that happen during the same second. |
||
Indicates whether the file was uploaded or downloaded. Can have the following values: Currently the value depends on the protocol (for example, if the connection is HTTP it is a download). |
||
ID number that maps to the application using the file transfer. |
||
Identification number for the user logged into the destination host, as identified by the system. |
||
Identification number that acts as a unique identifier for the access control policy that triggered the event. |
||
The malware status of the file. Possible values include:
|
||
Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field. |
||
Initiates a String data block containing the URI. This value is always |
||
The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field. |
||
The internal identification number of the detected web application, if applicable. |
||
The internal identification number of the detected client application, if applicable. |
||
The action taken on the file based on the file type. Can have the following values: |
||
A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis. |
||
ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
||
The action performed on the connection based on the SSL Rule. This may differ from the expected action, as the action as specified in the rule may be impossible. Possible values include: |
||
Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
|
||
Initiates a String data block containing the Archive SHA. This value is always |
||
The number of bytes included in the Archive SHA String data block, including eight bytes for the block type and header fields plus the number of bytes in the intrusion policy name. |
||
SHA1 hash of the parent archive in which the file is contained. |
||
Initiates a String data block containing the Archive Name. This value is always |
||
The number of bytes included in the Archive Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the intrusion policy name. |
||
Number of layers in which the file is nested. For example, if a text file is in a zip archive, this has a value of |
Legacy Discovery Data Structures
- Legacy Discovery Event Header
- Legacy Server Data Blocks
- Legacy Client Application Data Blocks
- Legacy Scan Result Data Blocks
- Legacy Host Profile Data Blocks
- Legacy OS Fingerprint Data Blocks
Legacy Discovery Event Header
Discovery Event Header 5.0 - 5.1.1.x
Discovery and connection event messages contain a discovery event header. It conveys the type and subtype of the event, the time the event occurred, the device on which the event occurred, and the structure of the event data in the message. This header is followed by the actual host discovery, user, or connection event data. The structures associated with the different event type/subtype values are described in Host Discovery Structures by Event Type.
The event type and event subtype fields of the discovery event header identify the structure of the transmitted event message. Once the structure of the event data block is determined, your program can parse the message appropriately.
The shaded rows in the following diagram illustrate the format of the discovery event header.
| eStreamer Server Timestamp (in events, only if bit 23 is set) |
||||||||||||||||||||||||||||||||
The following table describes the discovery event header.
|
|
|
|
|---|---|---|
ID number of the device that generated the discovery event. You can obtain the metadata for the device by requesting Version 3 and 4 metadata. See Managed Device Record Metadata for more information. |
||
UNIX timestamp (seconds since 01/01/1970) that the system generated the event. |
||
Microsecond (one millionth of a second) increment that the system generated the event. |
||
Event type ( |
||
Event subtype. See Host Discovery Structures by Event Type for a list of available event subtypes. |
||
Serial file number. This field is for Cisco internal use and can be disregarded. |
||
Event’s position in the serial file. This field is for Cisco internal use and can be disregarded. |
Legacy Server Data Blocks
Attribute Address Data Block for 5.0 - 5.1.1.x
The Attribute Address data block contains an attribute list item and is used within an Attribute Definition data block. It has a block type of 38.
The following diagram shows the basic structure of an Attribute Address data block:
The following table describes the fields of the Attribute Address data block.
Legacy Client Application Data Blocks
User Client Application Data Block for 5.0 - 5.1
The User Client Application data block contains information about the source of the client application data, the identification number for the user who added the data, and the lists of IP address range data blocks. The User Client Application data block has a block type of 59.
The following diagram shows the basic structure of a User Client Application data block:
The following table describes the fields of the User Client Application data block.
|
|
|
|
|---|---|---|
Initiates a User Client Application data block. This value is always. |
||
Total number of bytes in the User Client Application data block, including eight bytes for the user client application block type and length fields, plus the number of bytes of user client application data that follows. |
||
Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks. |
||
IP Range Specification data blocks containing information about the IP address ranges for the user input. See User Server Data Block Fields for a description of this data block. |
||
The internal identification number for the application protocol, if applicable. |
||
The internal identification number of the detected client application, if applicable. |
||
Initiates a String data block that contains the client application version. This value is always |
||
Number of bytes in the client application version String data block, including the string block type and length fields, plus the number of bytes in the version. |
||
Legacy Scan Result Data Blocks
Scan Result Data Block 5.0 - 5.1.1.x
The Scan Result data block describes a vulnerability and is used within Add Scan Result events (event type 1002, subtype 11). The Scan Result data block has a block type of 102.
The following diagram shows the format of a Scan Result data block:
The following table describes the fields of the Scan Result data block.
|
|
|
|
|---|---|---|
Initiates a Scan Result data block. This value is always |
||
Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes of scan vulnerability data that follows. |
||
Contains the user identification number for the user who imported the scan result or ran the scan that produced the scan result. |
||
IP address of the host affected by the vulnerabilities in the result, in IP address octets. |
||
Port used by the sub-server affected by the vulnerabilities in the results. |
||
Initiates a List data block comprising Scan Vulnerability data blocks conveying transport Scan Vulnerability data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks. This field is followed by zero or more Scan Vulnerability data blocks. |
||
Initiates a Scan Vulnerability data block describing a vulnerability detected during a scan. This value is always |
||
Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes in the scan vulnerability data that follows. |
||
Initiates a List data block comprising Scan Vulnerability data blocks conveying transport Scan Vulnerability data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks. This field is followed by zero or more Scan Vulnerability data blocks. |
||
Initiates a Generic Scan Results data block describing server and operating system data detected during a scan. This value is always 108. |
||
Number of bytes in the Generic Scan Results data block, including eight bytes for the generic scan results block type and length fields, plus the number of bytes in the scan result data that follows. |
||
Initiates a Generic List data block comprising User Product data blocks conveying host input data from a third party application. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated User Product data blocks. |
||
User Product data blocks containing host input data. See User Product Data Block 5.1+ for a description of this data block. |
User Product Data Block for 5.0.x
The User Product data block conveys host input data imported from a third party application, including third party application string mappings. This data block is used in Connection Statistics Data Block 6.0.x and User Server and Operating System Messages. The User Product data block has a block type of 65 for 4.10.x, and a block type of 118 for 5.0 - 5.0.x. The block types have the same structure.
Note An asterisk(*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.
The following diagram shows the format of the User Product data block:
The following table describes the components of the User Product data block.
|
|
|
|
|---|---|---|
Initiates a User Product data block. This value is |
||
Total number of bytes in the User Product data block, including eight bytes for the user product block type and length fields, plus the number of bytes in the user product data that follows. |
||
Initiates a Generic List data block comprising IP Range Specification data blocks conveying IP address range data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks. |
||
IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block. |
||
Indicates whether the user OS definition was deleted from the host: |
||
Initiates a String data block containing the custom vendor name specified in the user input. This value is always |
||
Number of bytes in the custom vendor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the vendor name. |
||
Initiates a String data block containing the custom product name specified in the user input. This value is always |
||
Number of bytes in the custom product String data block, including eight bytes for the block type and length fields, plus the number of bytes in the product name. |
||
Initiates a String data block containing the custom version specified in the user input. This value is always |
||
Number of bytes in the custom version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
The identifier for a specific revision of a server or operating system in the Cisco database. |
||
The Cisco application identifier for the application protocol on the host server specified in user input. |
||
The identifier for the vendor of a third party operating system specified when the third party operating system is mapped to a Cisco 3D operating system definition. |
||
The product identification string of a third party operating system string specified when the third party operating system string is mapped to a Cisco 3D operating system definition. |
||
Initiates a String data block containing the major version number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. This value is always |
||
Number of bytes in the major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
Major version of the Cisco 3D operating system definition that a third party operating system string is mapped to. |
||
Initiates a String data block containing the minor version number of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always |
||
Number of bytes in the minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
Minor version number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. |
||
Initiates a String data block containing the revision number of the Cisco operating system definition that a third party operating system string in the user input is mapped to. This value is always |
||
Number of bytes in the revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number. |
||
Revision number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. |
||
Initiates a String data block containing the last major version of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always |
||
Number of bytes in the To Major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
Last version number in a range of major version numbers of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. |
||
Initiates a String data block containing the last minor version of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always |
||
Number of bytes in the To Minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version. |
||
Last version number in a range of minor version numbers of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. |
||
Initiates a String data block containing the Last revision number of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always |
||
Number of bytes in the To Revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number. |
||
Last revision number in a range of revision numbers of the Cisco 3D operating system definitions that a third party operating system string in the user input is mapped to. |
||
Initiates a String data block containing the build number of the Cisco 3D operating system that the third party operating system string is mapped. This value is always |
||
Number of bytes in the build String data block, including eight bytes for the block type and length fields, plus the number of bytes in the build number. |
||
Build number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to. |
||
Initiates a String data block containing the patch number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always |
||
Number of bytes in the patch String data block, including eight bytes for the block type and length fields, plus the number of bytes in the patch number. |
||
Patch number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to. |
||
Initiates a String data block containing the extension number of the Cisco 3D operating system that the third party operating system string is mapped. This value is always |
||
Number of bytes in the extension String data block, including eight bytes for the block type and length fields, plus the number of bytes in the extension number. |
||
Extension number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to. |
||
Contains the unique identification number for the operating system. |
||
Initiates a Generic List data block comprising Fix List data blocks conveying user input data regarding what fixes have been applied to hosts in the specified IP address ranges. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Fix List data blocks. |
||
Fix List data blocks containing information about fixes applied to the hosts. See Fix List Data Block for a description of this data block. |
Legacy User Login Data Blocks
User Login Information Data Block for 5.0 - 5.0.2
The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Information Update Message Block.
The User Login Information data block has a block type of 121 for version 5.0 - 5.0.2.
The graphic below shows the format of the User Login Information data block:
The following table describes the components of the User Login Information data block.
User Login Information Data Block 5.1-5.4.x
The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Account Update Message Data Block.
The User Login Information data block has a block type of 73 for version 4.7 - 4.10.x, a block type of 121 in the series 1 group of blocks for version 5.0 - 5.0.2, and a block type of 127 in the series 1 group of blocks for version 5.1-5.4.x.
The graphic below shows the format of the User Login Information data block:
The following table describes the components of the User Login Information data block.
|
|
|
|
|---|---|---|
Initiates a User Login Information data block. This value is |
||
Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows. |
||
This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information. |
||
Initiates a String data block containing the username for the user. This value is always |
||
Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username. |
||
The application ID for the application protocol used in the connection that the login information was derived from. |
||
Initiates a String data block containing the email address for the user. This value is always |
||
Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address. |
||
IPv6 address from the host where the user was detected logging in, in IP address octets. |
||
Initiates a String data block containing the Reported By value. This value is always |
||
Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field. |
||
User Login Information Data Block 6.0.x
The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Account Update Message Data Block.
he User Login Information data block has a block type of 159 for version 6.0.x. It has new ISE integration endpoint profile, Security Intelligence fields.
The User Login Information data block has a block type of 73 for version 4.7 - 4.10.x, a block type of 121 in the series 1 group of blocks for version 5.0 - 5.0.2, and a block type of 127 in the series 1 group of blocks for version 5.1+. See User Login Information Data Block 5.1-5.4.x for more information.
The graphic below shows the format of the User Login Information data block:
The following table describes the components of the User Login Information data block.
|
|
|
|
|---|---|---|
Initiates a User Login Information data block. This value is |
||
Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows. |
||
This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information. |
||
Initiates a String data block containing the username for the user. This value is always |
||
Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username. |
||
Initiates a String data block containing the domain. This value is always |
||
Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the domain. |
||
ID number of the type of device used by the connection endpoint. This is unique for each DC and resolved in metadata. |
||
Protocol used to detect or report the user. Possible values are: |
||
Initiates a String data block containing the email address for the user. This value is always |
||
Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address. |
||
IPv6 address from the host where the user was detected logging in, in IP address octets. |
||
Most recent IP address on which the user logged in. Can be either an IPv4 or IPv6 address. |
||
Initiates a String data block containing the Reported By value. This value is always |
||
Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field. |
||
User Login Information Data Block 6.1.x
The User Login Information data block has a block type of 165 in the series 1 group of blocks for version 6.1+. It has new port and tunneling fields. It supersedes block type 159. See User Login Information Data Block 6.0.x for more information. It is superseded by block type 167.
The graphic below shows the format of the User Login Information data block:
The following table describes the components of the User Login Information data block.
|
|
|
|
|---|---|---|
Initiates a User Login Information data block. This value is |
||
Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows. |
||
This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information. |
||
Initiates a String data block containing the username for the user. This value is always |
||
Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username. |
||
Initiates a String data block containing the domain. This value is always |
||
Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the domain. |
||
ID number of the type of device used by the connection endpoint. This is unique for each DC and resolved in metadata. |
||
Protocol used to detect or report the user. Possible values are: |
||
The start port in the range the TS Agent assigned to the individual user. |
||
The end port in the range the TS Agent assigned to the individual user. |
||
Initiates a String data block containing the email address for the user. This value is always |
||
Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address. |
||
IPv6 address from the host where the user was detected logging in, in IP address octets. |
||
Most recent IP address on which the user logged in. Can be either an IPv4 or IPv6 address. |
||
Initiates a String data block containing the Reported By value. This value is always |
||
Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field. |
||
User Login Information Data Block 6.1.x
The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Information Update Message Block.
The User Login Information data block has a block type of 165 in the series 1 group of blocks for version 6.1x. It has new port and tunneling fields. It supersedes block type 159. It is superseded by block type 167. See User Login Information Data Block 6.0.x for more information.
The graphic below shows the format of the User Login Information data block:
The following table describes the components of the User Login Information data block.
|
|
|
|
|---|---|---|
Initiates a User Login Information data block. This value is |
||
Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows. |
||
This field is reserved but no longer populated. The IPv4 address is stored in the IPv6 Address field. See IP Addresses for more information. |
||
Initiates a String data block containing the username for the user. This value is always |
||
Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username. |
||
Initiates a String data block containing the domain. This value is always |
||
Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the domain. |
||
ID number of the type of device used by the connection endpoint. This is unique for each DC and resolved in metadata. |
||
Protocol used to detect or report the user. Possible values are: |
||
The start port in the range the TS Agent assigned to the individual user. |
||
The end port in the range the TS Agent assigned to the individual user. |
||
Initiates a String data block containing the email address for the user. This value is always |
||
Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address. |
||
IPv6 address from the host where the user was detected logging in, in IP address octets. |
||
Most recent IP address on which the user logged in. Can be either an IPv4 or IPv6 address. |
||
Initiates a String data block containing the Reported By value. This value is always |
||
Number of bytes in the Reported By String data block, including eight bytes for the block type and length fields, plus the number of bytes in the Reported By field. |
||
User Information Data Block for 5.x
The User Information data block is used in User Modification messages and conveys information for a user detected, removed, or dropped. For more information, see User Modification Messages
The User Information data block has a block type of 75 in the series 1 group of blocks for version 4.7 - 4.10.x and a block type of 120 in the series 1 group of blocks for 5.x. The structures are the same for block types 75 and 120.
The following diagram shows the format of the User Information data block:
The following table describes the components of the User Information data block.
Legacy Host Profile Data Blocks
Host Profile Data Block for 5.0 - 5.0.2
The following diagram shows the format of a Host Profile data block in versions 5.0 to 5.0.2. The Host Profile data block also does not include a host criticality value, but does include a VLAN presence indicator. In addition, a Host Profile data block can convey a NetBIOS name for the host. This Host Profile data block has a block type of 91.
Note An asterisk(*) next to a block type field in the following diagram indicates the message may contain zero or more instances of the series 1 data block.
The following table describes the fields of the host profile data block returned by version 4.9 to version 5.0.2.
|
|
|
|
|---|---|---|
Initiates the Host Profile data block for 4.9 to 5.0.2. This data block has a block type of |
||
Number of bytes in the Host Profile data block, including eight bytes for the host profile block type and length fields, plus the number of bytes included in the host profile data that follows. |
||
IP address of the host described in the profile, in IP address octets. |
||
Indicates whether the host is in the primary or secondary network of the device that detected it: |
||
Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a server fingerprint. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
||
Operating System Fingerprint (Server Fingerprint) Data Blocks * |
Operating System Fingerprint data blocks containing information about the operating system on a host identified using a server fingerprint. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for a description of this data block. |
|
Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a client fingerprint. This value is always 31. |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
||
Operating System Fingerprint (Client Fingerprint) Data Blocks * |
Operating System Fingerprint data blocks containing information about the operating system on a host identified using a client fingerprint. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for a description of this data block. |
|
Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using an SMB fingerprint. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
||
Operating System Fingerprint (SMB Fingerprint) Data Blocks * |
Operating System Fingerprint data blocks containing information about the operating system on a host identified using an SMB fingerprint. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for a description of this data block. |
|
Initiates a Generic List data block comprising Operating System Fingerprint data blocks conveying fingerprint data identified using a DHCP fingerprint. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated Operating System Fingerprint data blocks. |
||
Operating System Fingerprint (DHCP Fingerprint) Data Blocks * |
Operating System Fingerprint data blocks containing information about the operating system on a host identified using a DHCP fingerprint. See Operating System Fingerprint Data Block for 5.0 - 5.0.2 for a description of this data block. |
|
Initiates a List data block comprising Server data blocks conveying TCP server data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks. |
||
Number of bytes in the Server data block, including eight bytes for the server block type and length fields, plus the number of bytes of TCP server data that follows. |
||
Data fields describing a TCP server (as documented for earlier versions of the product). |
||
Initiates a List data block comprising Server data blocks conveying UDP server data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Server data blocks. |
||
Initiates a Server data block describing a UDP server. This value is always |
||
Number of bytes in the Server data block, including eight bytes for the server block type and length fields, plus the number of bytes of UDP server data that follows. |
||
Data fields describing a UDP server (as documented for earlier versions of the product). |
||
Initiates a List data block comprising Protocol data blocks conveying network protocol data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Protocol data blocks. This field is followed by zero or more Protocol data blocks. |
||
Initiates a Protocol data block describing a network protocol. This value is always |
||
Number of bytes in the Protocol data block, including eight bytes for the protocol block type and length fields, plus the number of bytes in the protocol data that follows. |
||
Data field containing a network protocol number, as documented in Protocol Data Block. |
||
Initiates a List data block comprising Protocol data blocks conveying transport protocol data. This value is always |
||
Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Protocol data blocks. This field is followed by zero or more transport protocol data blocks. |
||
Initiates a Protocol data block describing a transport protocol. This value is always |
||
Number of bytes in the protocol data block, including eight bytes for the protocol block type and length, plus the number of bytes in the protocol data that follows. |
||
Data field containing a transport protocol number, as documented in Protocol Data Block. |
||
Initiates a List data block comprising MAC Address data blocks. This value is always |
||
Number of bytes in the list, including the list header and all encapsulated MAC Address data blocks. |
||
Initiates a Host MAC Address data block. This value is always |
||
Number of bytes in the Host MAC Address data block, including eight bytes for the Host MAC address block type and length fields, plus the number of bytes in the Host MAC address data that follows. |
||
Host MAC address data fields described in Host MAC Address 4.9+. |
||
UNIX timestamp that represents the last time the system detected host activity. |
||
VLAN identification number that indicates which VLAN the host is a member of. |
||
Initiates a Generic List data block comprising Client Application data blocks conveying client application data. This value is always |
||
Number of bytes in the Generic List data block, including the list header and all encapsulated client application data blocks. |
||
Initiates a client application block. This value is always |
||
Number of bytes in the client application block, including eight bytes for the client application block type and length fields, plus the number of bytes in the client application data that follows. |
||
Client application data fields describing a client application, as documented in Host Client Application Data Block for 5.0+. |
||
Initiates a string data block for the NetBIOS name. This value is set to |
||
Indicates the number of bytes in the NetBIOS name data block, including eight bytes for the string block type and length, plus the number of bytes in the NetBIOS name. |
||
Contains the NetBIOS name of the host described in the host profile. |
Legacy OS Fingerprint Data Blocks
Operating System Fingerprint Data Block for 5.0 - 5.0.2
The Operating System Fingerprint data block has a block type of 87. The block includes a fingerprint Universally Unique Identifier (UUID), as well as the fingerprint type, the fingerprint source type, and the fingerprint source ID. The following diagram shows the format of an Operating System Fingerprint data block for version 5.0 to version 5.0.2.
The following table describes the fields of the operating system fingerprint data block.
Legacy Connection Data Structures
For more information, see the following sections:
- Connection Statistics Data Block 5.0 - 5.0.2
- Connection Statistics Data Block 5.1
- Connection Statistics Data Block 5.2.x
- Connection Chunk Data Block for 5.0 - 5.1
- Connection Chunk Data Block for 5.1.1-6.0.x
- Connection Statistics Data Block 5.1.1.x
- Connection Statistics Data Block 5.3
- Connection Statistics Data Block 5.3.1
- Connection Statistics Data Block 5.4
- Connection Statistics Data Block 5.4.1
- Connection Statistics Data Block 6.0.x
- Connection Statistics Data Block 6.1.x
Connection Statistics Data Block 5.0 - 5.0.2
The Connection Statistics data block is used in Connection Data messages. The Connection Statistics data block for version 5.0 - 5.0.2 has a block type of 115.
For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 5.0 - 5.0.2:
The following table describes the fields of the Connection Statistics data block for 5.0 - 5.0.2.
Connection Statistics Data Block 5.1
The Connection Statistics data block is used in Connection Data messages. Changes to the Connection data block between 5.0.2 and 5.1 include the addition of new fields with configuration parameters introduced in 5.1 (rule action reason, monitor rules, Security Intelligence source/destination, Security Intelligence layer). The Connection Statistics data block for version 5.1 has a block type of 126.
For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 5.1:
The following table describes the fields of the Connection Statistics data block for 5.1.
Connection Statistics Data Block 5.2.x
The connection statistics data block is used in connection data messages. Changes to the connection data block between versions 5.1.1 and 5.2 include the addition of new fields to support geolocation. The connection statistics data block for version 5.2.x has a block type of 144 in the series 1 group of blocks. It deprecates block type 137, Connection Statistics Data Block 5.1.1.x.
For more information on the Connection Statistics Data message, see Connection Statistics Data Message.
The following diagram shows the format of a Connection Statistics data block for 5.2.x: