AMP events in eStreamer
03-10-2017 12:06 PM - edited 02-20-2020 09:03 PM
Hello,
We use AMP integrated with Firepower and send events to our SIEM via eStreamer. We have been seeing events with a "file_action" of 0. Our documentation does not identify what this type of event might be.
The most current documentation I could find on eStreamer has action codes for 1 through 11:
Is there a current list of action codes and other codes to ensure we are mapping data correctly in our SIEM?
Thanks!
For reference, here is an example event as it is sent to the SIEM currently:
rec_type=125 rec_type_simple="MALWARE EVENT" event_sec=1489008637 agent_uuid=[UUID] cloud="US Cloud" type=1090519054 subtype=Create detector=SHA detection=DOC.53E3C1C847.MalMacro.tht.Talos agent_user=[USERNAME@DOMAIN] file_name=Cas217[1].dot file_path=\\[FILEPATH] sha256=53e3c1c84709e60fee3029e4f04d1db5a6a4edf6085370395ee8110c01d5c988 file_size=87552 file_type=MSSZDD file_ts=1489008637 parent_fname=iexplore.exe parent_sha256=db97d7ac8aabf36f5dce228fa5982902e1ff625ed8692118997d236a703aaeb6 event_description="" sensor=0 instance_id=0 connection_id=15388 connection_sec=1489008639 direction=0 src_ip=[IP] dest_ip=:: app_proto=0 agent_user=0 file_policy=00000000-0000-0000-0000-000000000000 disposition=0 retro_disposition=0 uri="" src_port=0 dest_port=0 src_ip_country=0 dest_ip_country=0 web_app=0 client_app=0 file_action=0 ip_proto=0 threat_score=0 num_ioc=0
Labels: AMP for Endpoints
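The mapping problem in the original post comes down to two things a SIEM ingest step has to get right: parsing the eStreamer key=value line (quoted values with spaces, empty strings, an IPv6 "::", and a key such as agent_user that appears twice) and looking up numeric codes such as file_action in a table without silently dropping codes the table does not contain. The following is an added example, not Cisco's code and not from the poster; the sample line is the event from the post with its bracketed placeholders left as they are, the FILE_ACTION_NAMES table is deliberately empty because the thread does not reproduce the guide's table, and the function and field names are this example's own choices.

```python
"""Parse an eStreamer malware event as it reaches the SIEM and map file_action,
flagging unmapped codes (such as 0 in the post) instead of losing them."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the event line from the post above, placeholders intact.
SAMPLE_EVENT = (
    'rec_type=125 rec_type_simple="MALWARE EVENT" event_sec=1489008637 '
    'agent_uuid=[UUID] cloud="US Cloud" type=1090519054 subtype=Create '
    'detector=SHA detection=DOC.53E3C1C847.MalMacro.tht.Talos '
    'agent_user=[USERNAME@DOMAIN] file_name=Cas217[1].dot file_path=\\\\[FILEPATH] '
    'sha256=53e3c1c84709e60fee3029e4f04d1db5a6a4edf6085370395ee8110c01d5c988 '
    'file_size=87552 file_type=MSSZDD file_ts=1489008637 parent_fname=iexplore.exe '
    'parent_sha256=db97d7ac8aabf36f5dce228fa5982902e1ff625ed8692118997d236a703aaeb6 '
    'event_description="" sensor=0 instance_id=0 connection_id=15388 '
    'connection_sec=1489008639 direction=0 src_ip=[IP] dest_ip=:: app_proto=0 '
    'agent_user=0 file_policy=00000000-0000-0000-0000-000000000000 disposition=0 '
    'retro_disposition=0 uri="" src_port=0 dest_port=0 src_ip_country=0 '
    'dest_ip_country=0 web_app=0 client_app=0 file_action=0 ip_proto=0 '
    'threat_score=0 num_ioc=0'
)

# A token is key=value where value is a double-quoted string (spaces and
# escaped quotes allowed) or a run of non-space characters; the latter covers
# "::", "\\[FILEPATH]" and bare numbers. Quoted empties like uri="" also match.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Assumption: fill this from your copy of the eStreamer Integration Guide's
# file_action table (codes 1-11). Left empty here because the thread does not
# list the codes; anything missing from it is reported, never dropped.
FILE_ACTION_NAMES: Dict[int, str] = {}

INT_FIELDS = ("rec_type", "event_sec", "file_size", "disposition",
              "retro_disposition", "file_action", "threat_score", "num_ioc")


def parse_pairs(line: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs in order, quotes stripped, duplicates kept."""
    pairs = []
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        pairs.append((key, raw))
    return pairs


def to_record(pairs: List[Tuple[str, str]]) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Collapse pairs into a dict; first occurrence wins, repeats are recorded
    separately so the SIEM mapping can see that e.g. agent_user came twice."""
    rec: Dict[str, str] = {}
    dupes: Dict[str, List[str]] = {}
    for k, v in pairs:
        if k in rec:
            dupes.setdefault(k, []).append(v)
        else:
            rec[k] = v
    return rec, dupes


def normalize(line: str, action_table: Optional[Dict[int, str]] = None) -> Dict[str, object]:
    """Parse one event line and return a normalized record plus a list of
    mapping problems (unknown codes, bad integers, repeated keys)."""
    table = FILE_ACTION_NAMES if action_table is None else action_table
    rec, dupes = to_record(parse_pairs(line))
    out: Dict[str, object] = dict(rec)
    problems: List[str] = []
    for k in INT_FIELDS:
        if k in rec:
            try:
                out[k] = int(rec[k])
            except ValueError:
                problems.append(f"{k}: not an integer ({rec[k]!r})")
    if not re.fullmatch(r"[0-9a-f]{64}", rec.get("sha256", "")):
        problems.append("sha256: not 64 lowercase hex characters")
    code = out.get("file_action")
    if isinstance(code, int):
        name = table.get(code)
        # Unmapped codes are kept as an explicit marker so they show up in
        # searches and dashboards rather than as a blank or a dropped event.
        out["file_action_name"] = name if name is not None else f"UNMAPPED({code})"
        if name is None:
            problems.append(f"file_action: code {code} not in mapping table")
    for k, vals in dupes.items():
        problems.append(f"{k}: repeated {len(vals) + 1} times; kept first, ignored {vals}")
    out["mapping_problems"] = problems
    return out


if __name__ == "__main__":
    r = normalize(SAMPLE_EVENT)
    print(r["rec_type_simple"], r["file_action_name"])
    for p in r["mapping_problems"]:
        print("problem:", p)
```

Run with the empty table and the sample produces an UNMAPPED(0) name plus problems for the unknown code and the repeated agent_user key; once the guide's table is loaded, only codes the guide does not document (such as 0 here) keep tripping the check, which is the signal to take back to the vendor rather than a field to quietly null out.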

04-17-2017 01:11 PM
Please see the link below; it should probably answer your question:
www.cisco.com/c/en/us/td/docs/security/firesight/540/api/estreamer/EventStreamerIntegrationGuide.pdf
04-18-2017 07:45 AM
Thanks. That's the same document I linked in my original post -- I had checked the documentation first before asking here and found nothing in the document for action code 0.

06-01-2017 04:42 AM
Have you upgraded AMP to the latest version?
