estreamer-events
Retrieve Firepower events in real time using the eStreamer protocol.
Syntax
estreamer-events [profile=PROFILE] window=WINDOW [bookmark=BOOKMARK] [raw=RAW]
Options
- profile=PROFILE
  - Optional. Connect profile identifier.
- window=WINDOW
  - Required. How long to keep receiving events after the query is executed, e.g. 10m (receive events for 10 minutes).
- bookmark=BOOKMARK
  - Optional. Date in the format yyyyMMddHHmmss from which to start retrieving events. If not specified, only events that occur after the query execution will be retrieved.
- raw=RAW
  - Optional. t or f. Specify t to additionally output the line field, which holds the raw event.
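Two invocations of the command, as an added example that is not part of the original page. The first resumes from a bookmark (09:00:00 on 15 January 2024 in the yyyyMMddHHmmss format), keeps the session open for 30 minutes, and reduces the stream to high-priority intrusion hits grouped by flow and signature; the second keeps the raw event text next to the parsed fields. The connect profile name fmc is an assumption, and the downstream pipeline commands (search, stats, fields) are assumed to be the filtering, aggregation and projection commands of the query language this command belongs to; they are not documented on this page.

```text
estreamer-events profile=fmc bookmark=20240115090000 window=30m
| search risk == "HIGH" and priority_id == 1
| stats count by src_ip, dst_ip, dst_port, sid, signature_rev, signature

estreamer-events profile=fmc window=10m raw=t
| fields event_time, event_type, src_ip, dst_ip, line
```

Re-running the first query with bookmark set to the event_time of the last record already stored avoids a gap between runs; without bookmark, anything emitted before the query started is not retrieved. The second form is the one to use when the parsed fields are in doubt, since line carries the event exactly as received and can be compared against the values in the table below.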
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| event_time | Date | Event Time | |
| risk | String | Risk | e.g. LOW, MEDIUM, HIGH |
| session_id | Long | Session ID | |
| event_type | String | Event Type | |
| src_ip | IP address | Source IP | |
| src_port | Integer | Source Port | |
| dst_ip | IP address | Destination IP | |
| dst_port | Integer | Destination Port | |
| protocol | String | Protocol | e.g. TCP, UDP |
| policy | String | Policy | |
| action | String | Action | |
| raw_action | String | Original Action | |
| app | String | Application | |
| client | String | Client | |
| sent_bytes | Long | Sent Bytes | |
| rcvd_bytes | Long | Received Bytes | |
| sent_pkts | Long | Sent Packets | |
| rcvd_pkts | Long | Received Packets | |
| prefilter_policy | String | Prefilter Policy | e.g. Default Prefilter Policy |
| firewall_policy | String | Firewall Policy | |
| firewall_rule | String | Firewall Rule | |
| nap_policy | String | NAP Policy | e.g. Balanced Security and Connectivity |
| dns_record_type | String | DNS Record Type | e.g. a host address, text strings |
| dns_query | String | DNS Query | e.g. 0.sourcefire.pool.ntp.org |
| dns_response_type | String | DNS Response Type | e.g. No Error, Non-Existent Domain |
| device_uuid | String | Device UUID | |
| src_iface | String | Source Interface | |
| first_packet_second | Long | First Packet Second | |
| instance_id | Long | Instance ID | |
| client_app_detector | String | Client App Detector | |
| end_time | Date | End Time | |
| duration | Long | Duration | |
| dns_ttl | Long | DNS TTL | |
| webapp | String | Web Application | e.g. Cisco |
| url | String | URL | e.g. https://example.com |
| user_agent | String | User Agent | |
| referenced_host | String | Referenced Host | |
| event_second | Long | Event Second | |
| file_direction | String | File Direction | e.g. Upload, Download |
| file_action | String | File Action | e.g. Detect |
| file_type | String | File Type | e.g. MSEXE |
| file_policy | String | File Policy | e.g. AMP-Policy |
| file_sandbox_status | String | File Sandbox Status | e.g. File Size Is Too Small |
| ac_rule_reason | String | Access Control Reason | |
| file_count | Long | File Count | |
| intrusion_count | Long | Intrusion Count | |
| event_microsecond | Long | Event Microsecond | |
| priority_id | Long | Priority ID | e.g. 1: HIGH |
| generator_id | Long | Generator ID | |
| sid | Long | Signature ID | |
| signature_rev | Long | Signature Revision | |
| impact | Long | Impact | |
| signature | String | Signature | |
| category | String | Classification | |
| intrusion_policy | String | Intrusion Policy | |
| inline_result | String | Inline Result | |
| http_host | String | HTTP Hostname | |
| http_uri | String | HTTP URI | e.g. /inform |
| event_id | Long | Event ID | |
| packet_second | Long | Packet Second | |
| packet_microsecond | Long | Packet Microsecond | |
| packet_length | Long | Packet Length | |
| packet_link_type_id | Long | Packet Link Type ID | |
| payload | BLOB | Payload | |
| line | String | Raw Event | Output only when raw=t |