3014 Views, 0 Helpful, 3 Replies

AMP events in eStreamer

khendrick512
Level 1

Hello,

We use AMP integrated with Firepower and send events to our SIEM via eStreamer.  We have been seeing events with a "file_action" of 0.  Our documentation does not identify what this type of event might be.  

The most current documentation I could find on eStreamer has action codes for 1 through 11:

http://www.cisco.com/c/en/us/td/docs/security/firesight/540/api/estreamer/EventStreamerIntegrationGuide/IS-DCRecords.html#pgfId-2870131

Is there a current list of action codes and other codes to ensure we are mapping data correctly in our SIEM?

Thanks!

For reference, here is an example event as it is sent to the SIEM currently:

rec_type=125 rec_type_simple="MALWARE EVENT" event_sec=1489008637 agent_uuid=[UUID] cloud="US Cloud" type=1090519054 subtype=Create detector=SHA detection=DOC.53E3C1C847.MalMacro.tht.Talos agent_user=[USERNAME@DOMAIN] file_name=Cas217[1].dot file_path=\\[FILEPATH] sha256=53e3c1c84709e60fee3029e4f04d1db5a6a4edf6085370395ee8110c01d5c988 file_size=87552 file_type=MSSZDD file_ts=1489008637 parent_fname=iexplore.exe parent_sha256=db97d7ac8aabf36f5dce228fa5982902e1ff625ed8692118997d236a703aaeb6 event_description="" sensor=0 instance_id=0 connection_id=15388 connection_sec=1489008639 direction=0 src_ip=[IP] dest_ip=:: app_proto=0 agent_user=0 file_policy=00000000-0000-0000-0000-000000000000 disposition=0 retro_disposition=0 uri="" src_port=0 dest_port=0 src_ip_country=0 dest_ip_country=0 web_app=0 client_app=0 file_action=0 ip_proto=0 threat_score=0 num_ioc=0
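As an added illustration (not code from the thread or from Cisco), the following Python parses a key=value event line of the shape shown above and flags a file_action value that falls outside the range the eStreamer guide documents. Assumptions: the set of documented codes is represented only by the numeric range 1 through 11 that the post mentions, since their names are not on this page; the sample line is the redacted event from the post, embedded as constructed test input. Note that the event carries agent_user twice, which a naive dict parse would silently overwrite, so the parser keeps the first value and reports the collision.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the redacted event line from the post, unchanged.
SAMPLE_EVENT = (
    r'rec_type=125 rec_type_simple="MALWARE EVENT" event_sec=1489008637 '
    r'agent_uuid=[UUID] cloud="US Cloud" type=1090519054 subtype=Create '
    r'detector=SHA detection=DOC.53E3C1C847.MalMacro.tht.Talos '
    r'agent_user=[USERNAME@DOMAIN] file_name=Cas217[1].dot file_path=\\[FILEPATH] '
    r'sha256=53e3c1c84709e60fee3029e4f04d1db5a6a4edf6085370395ee8110c01d5c988 '
    r'file_size=87552 file_type=MSSZDD file_ts=1489008637 parent_fname=iexplore.exe '
    r'parent_sha256=db97d7ac8aabf36f5dce228fa5982902e1ff625ed8692118997d236a703aaeb6 '
    r'event_description="" sensor=0 instance_id=0 connection_id=15388 '
    r'connection_sec=1489008639 direction=0 src_ip=[IP] dest_ip=:: app_proto=0 '
    r'agent_user=0 file_policy=00000000-0000-0000-0000-000000000000 disposition=0 '
    r'retro_disposition=0 uri="" src_port=0 dest_port=0 src_ip_country=0 '
    r'dest_ip_country=0 web_app=0 client_app=0 file_action=0 ip_proto=0 '
    r'threat_score=0 num_ioc=0'
)

# Assumption: the guide documents file_action codes 1..11 (names not on this page).
# Replace with the real code-to-name table from the eStreamer integration guide.
DOCUMENTED_FILE_ACTIONS = set(range(1, 12))

# A value is either a double-quoted string (may contain spaces) or a run of
# non-whitespace, which covers tokens such as dest_ip=:: and file_path=\\[FILEPATH].
TOKEN_RE = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<val>"[^"]*"|\S*)')


def parse_event(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (fields, duplicate_keys). First occurrence of a key wins."""
    fields: Dict[str, str] = {}
    duplicates: List[str] = []
    for m in TOKEN_RE.finditer(line):
        key, val = m.group("key"), m.group("val")
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]  # strip surrounding quotes
        if key in fields:
            duplicates.append(key)  # report, do not overwrite
            continue
        fields[key] = val
    return fields, duplicates


def triage(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse one event and return findings a SIEM mapping review should see."""
    fields, duplicates = parse_event(line)
    findings: List[str] = []
    raw = fields.get("file_action", "")
    try:
        action = int(raw)
    except ValueError:
        findings.append("file_action missing or non-numeric: %r" % raw)
    else:
        if action not in DOCUMENTED_FILE_ACTIONS:
            findings.append("file_action=%d not in documented range 1-11" % action)
    for key in duplicates:
        findings.append("duplicate key %s; first value kept" % key)
    return fields, findings


if __name__ == "__main__":
    parsed, notes = triage(SAMPLE_EVENT)
    print("rec_type_simple:", parsed["rec_type_simple"])
    for note in notes:
        print("finding:", note)
```

Run against the sample, the script reports that file_action=0 is outside the documented range and that agent_user appears twice; feeding it a line with file_action=3 returns no findings. Routing such findings to a review queue rather than dropping the event keeps undocumented codes visible until the vendor mapping is confirmed.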

3 Replies

Farhan Mohamed
Cisco Employee

Please see the link below. It should probably answer your question:

www.cisco.com/c/en/us/td/docs/security/firesight/540/api/estreamer/EventStreamerIntegrationGuide.pdf

Thanks.  That's the same document I linked in my original post -- I had checked the documentation first before asking here and found nothing in the document for action code 0.

Have you upgraded AMP to the latest version?