Hello,

We use AMP integrated with Firepower and send events to our SIEM via eStreamer.  We have been seeing events with a "file_action" of 0.  Our documentation does not identify what this type of event might be.  

The most current documentation I could find on eStreamer has action codes for 1 through 11:

http://www.cisco.com/c/en/us/td/docs/security/firesight/540/api/estreamer/EventStreamerIntegrationGuide/IS-DCRecords.html#pgfId-2870131

Is there a current list of action codes and other codes to ensure we are mapping data correctly in our SIEM?

Thanks!

For reference, here is an example event as it is sent to the SIEM currently:

rec_type=125 rec_type_simple="MALWARE EVENT" event_sec=1489008637 agent_uuid=[UUID] cloud="US Cloud" type=1090519054 subtype=Create detector=SHA detection=DOC.53E3C1C847.MalMacro.tht.Talos agent_user=[USERNAME@DOMAIN] file_name=Cas217[1].dot file_path=\\[FILEPATH] sha256=53e3c1c84709e60fee3029e4f04d1db5a6a4edf6085370395ee8110c01d5c988 file_size=87552 file_type=MSSZDD file_ts=1489008637 parent_fname=iexplore.exe parent_sha256=db97d7ac8aabf36f5dce228fa5982902e1ff625ed8692118997d236a703aaeb6 event_description="" sensor=0 instance_id=0 connection_id=15388 connection_sec=1489008639 direction=0 src_ip=[IP] dest_ip=:: app_proto=0 agent_user=0 file_policy=00000000-0000-0000-0000-000000000000 disposition=0 retro_disposition=0 uri="" src_port=0 dest_port=0 src_ip_country=0 dest_ip_country=0 web_app=0 client_app=0 file_action=0 ip_proto=0 threat_score=0 num_ioc=0