Introduction
The Cisco Event Streamer (also known as eStreamer) allows you to stream Firepower System events to external client applications. You can stream host, discovery, correlation, compliance white list, intrusion, user activity, file, malware, and connection data from a Management Center and you can stream intrusion data from 7000 and 8000 series devices.
Note that eStreamer is not supported on NGIPSv, Firepower Services, Firepower Threat Defense Virtual, and Firepower Threat Defense. To stream events from these devices, you can configure eStreamer on the Management Center that the device reports to.
eStreamer uses a custom application layer protocol to communicate with connected client applications. As the purpose of eStreamer is simply to return data that the client requests, the majority of this guide describes the eStreamer formats for the requested data.
There are three major steps to creating and integrating an eStreamer client with a Firepower System:
1. Write a client application that exchanges messages with the Management Center or managed device using the eStreamer application protocol. The eStreamer SDK includes a reference client application.
2. Configure a Management Center or device to send the required type of events to your client application.
3. Connect your client application to the Management Center or device and begin exchanging data.
This guide provides the information you need to successfully create and run an eStreamer Version 6.0 client application.
Major Changes in eStreamer Version 6.0
If you are upgrading your Firepower System deployment to Version 6.0, please note the following changes, some of which may require you to update your eStreamer client:
- A new request message, the Domain Streaming Request Message Format, allows clients to request events by domain.
- Added the following blocks:
– Name Description Mapping Data Block, to map ID numbers to names and descriptions.
– SSL Rule ID, to provide information about SSL rules.
– User Record, to provide information on user names and detection.
– Endpoint Profile Data Block for 6.0+, to provide information about connection endpoints.
– Access Control Policy Name Data Block, to provide information about access control policy names.
– Security Group Metadata for 6.0+
– Netmap Domain Metadata for 6.0+
– Filelog Storage Metadata for 6.0+
– Filelog Sandbox Metadata for 6.0+
– Filelog Spero Metadata for 6.0+
– Filelog Archive Metadata for 6.0+
– Filelog Static Analysis Metadata for 6.0+
- Replaced the following blocks:
– Replaced Malware Event Data Block 5.4.x with Malware Event Data Block 6.0+ to add an HTTP Response field.
– Replaced User Information Data Block for 5.x with User Information Data Block for 6.0+ to add endpoint profile, Security Intelligence, and IPv6 fields.
– Replaced User Login Information Data Block 5.1-5.4.x with User Login Information Data Block 6.0+ to add endpoint profile and Security Intelligence fields.
– Replaced File Event for 5.4.x with File Event for 6.0+ to add fields for file analysis, local malware analysis, and capacity handling statuses.
– Replaced Connection Statistics Data Block 5.4.1 with Connection Statistics Data Block 6.0+ to add HTTP response, DNS, sinkhole, and Security Intelligence fields.
– Replaced Access Control Policy Rule Reason Data Block with Access Control Policy Rule Reason Data Block for 6.0+ to widen the Reason field from 16 bits to 32 bits.
– Replaced Intrusion Event Record 5.4.x with Intrusion Event Record 6.0+ to add an HTTP Response field.
Using this Guide
At the highest level, the eStreamer service is a mechanism for streaming data from the Firepower System to a requesting client. The service can stream the following categories of data:
- Intrusion event data and event extra data
- Correlation (compliance) event data
- Discovery event data
- User event data
- Metadata for events
- Host information
- Malware event data
Descriptions of the data structures returned by eStreamer make up the majority of this book. The chapters in the book are:
- Understanding the eStreamer Application Protocol, which provides an overview of eStreamer communications, details some of the requirements for writing eStreamer client applications, and describes the four types of messages used to send commands to and receive data from the eStreamer service.
- Understanding Intrusion and Correlation Data Structures, which documents the data formats used to return event data generated by the intrusion detection and correlation components and the data formats used to represent the intrusion and correlation events.
- Understanding Discovery & Connection Data Structures, which documents the data formats used to return discovery, user, and connection event data.
- Understanding Host Data Structures, which documents the data formats that eStreamer uses to return full host information data when it receives a host information request message.
- Configuring eStreamer, which documents how to configure eStreamer on a Management Center or managed device. The chapter also documents the eStreamer command-line switches and provides instructions for manually starting and stopping the eStreamer service and for configuring the Management Center or managed device to start eStreamer automatically.
- Data Structure Examples, which provides examples of eStreamer message packets in binary format.
- Understanding Legacy Data Structures, which documents the structure of legacy data structures that are no longer in use by the currently shipping product but may be used by older clients.
Prerequisites
To understand the information in this guide, you should be familiar with the features and nomenclature of the Firepower System and the function of its components in general, and with the different types of event data these components generate in particular. Definitions of unfamiliar or product-specific terms can frequently be obtained from the Firepower eStreamer Integration Guide.
Product Versions for Firepower System Releases
Version numbers are used throughout this guide to describe the data format for events generated by the Management Center and managed devices. The Firepower System Product Versions table lists versions for each product by major release.
Document Conventions
The eStreamer Message Data Type Conventions table lists the names used in this book to describe the various data field formats employed in eStreamer messages. Numeric constants used by the eStreamer service are typically unsigned integer values. Bit fields use low-order bits unless otherwise noted. For example, in a one-byte field containing five bits of flag data, the low-order five bits will contain the data.
IP Addresses
The Cisco database stores IPv4 and IPv6 addresses in the same 16-byte fields in BINARY format. To read an IPv6 address, convert the field to hex notation, for example 20010db8000000000000000000004321 (that is, 2001:db8::4321). For IPv4 addresses the database follows the RFC 4291 IPv4-mapped form: bits 0-79 are zero, bits 80-95 are filled with 1's, and the IPv4 address occupies the low-order 32 bits. The result is not a usable IPv6 address, which is exactly what lets a client tell the two address families apart. For example, the IPv4 address 10.5.15.1 is stored as 00000000000000000000FFFF0A050F01 (that is, ::ffff:10.5.15.1). A client that treats every field as IPv6 will report ::ffff:10.5.15.1 instead of 10.5.15.1, so check for the FFFF marker in bits 80-95 (bytes 10 and 11) and extract the last four bytes when it is present.
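As an added example, not part of this guide or of the eStreamer SDK, the following Python decodes a 16-byte address field in either form and encodes an address back into the stored form. The two sample field values are the hex examples above, constructed here as byte strings; the function names are this example's own.

```python
import ipaddress
from typing import Union

# Constructed sample field values: the two 16-byte BINARY fields from the
# text above, one holding an IPv6 address and one holding IPv4-mapped 10.5.15.1.
SAMPLE_IPV6_FIELD = bytes.fromhex("20010db8000000000000000000004321")
SAMPLE_IPV4_FIELD = bytes.fromhex("00000000000000000000FFFF0A050F01")

# Bytes 0-9 (bits 0-79) zero, bytes 10-11 (bits 80-95) all ones: the
# IPv4-mapped prefix ::ffff:0:0/96 from RFC 4291.
IPV4_MAPPED_PREFIX = bytes(10) + b"\xff\xff"

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def decode_address_field(field: bytes) -> Address:
    """Return the address held in a 16-byte eStreamer address field.

    An IPv4-mapped field (0000...FFFF + 4 bytes) is returned as an
    IPv4Address; anything else is returned as an IPv6Address.
    """
    if len(field) != 16:
        raise ValueError(f"expected a 16-byte address field, got {len(field)} bytes")
    if field[:12] == IPV4_MAPPED_PREFIX:
        # Low-order 32 bits carry the IPv4 address.
        return ipaddress.IPv4Address(field[12:])
    return ipaddress.IPv6Address(field)


def decode_hex_field(hex_field: str) -> Address:
    """Decode a field that has already been rendered as 32 hex digits."""
    return decode_address_field(bytes.fromhex(hex_field))


def encode_address_field(address: str) -> bytes:
    """Build the 16-byte stored form for an IPv4 or IPv6 address string."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return IPV4_MAPPED_PREFIX + ip.packed
    return ip.packed


def field_to_hex(field: bytes) -> str:
    """Render a field as the upper-case hex notation used in the text above."""
    return field.hex().upper()


if __name__ == "__main__":
    for sample in (SAMPLE_IPV6_FIELD, SAMPLE_IPV4_FIELD):
        addr = decode_address_field(sample)
        print(f"{field_to_hex(sample)} -> IPv{addr.version} {addr}")
```

The prefix comparison is deliberately exact: a field whose first ten bytes are non-zero but whose bytes 10-11 happen to be FFFF is a genuine IPv6 address, not an IPv4 one, and must not be truncated to its last four bytes.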