Cisco Cisco Firepower Management Center 4000 Entwickleranleitung

7-11

FireSIGHT System Database Access Guide

Chapter 7 Schema: Connection Log Tables

connection_summary

connection_summary Joins

The following table describes the joins you can perform using the

connection_summary

table.

connection_summary Sample Query

The following query returns up to five connection event summary records detected by the selected
device.

SELECT initiator_ipaddr, responder_ipaddr, protocol_name, application_protocol_id,

source_device, sensor_name, sensor_address, packets_recv, packets_sent, bytes_recv,

bytes_sent, connection_type, num_connections

FROM connection_summary

WHERE sensor_name='linden' limit 5;

sensor_address

The IP address of the managed device that generated the event. Format is

ipv4_address,ipv6_address

sensor_name

The name of the managed device that monitored the aggregated sessions.

sensor_uuid

A unique identifier for the managed device, or

sensor_name

null

source_device

The identification of the source device, which is either:

•

the IP address of the NetFlow-enabled device that exported the data for
the connection

•

FireSIGHT

if the connection was detected by a Cisco managed device

start_time_sec

The UNIX timestamp of the date and time the five-minute interval used to
aggregate the sessions in the summary started.

Table 7-4

connection_summary Fields (continued)

Field

Description

Table 7-5

connection_summary Joins

You can join this table on...

And...

application_protocol_id

application_info.application_id

application_host_map.application_id

application_tag_map.application_id

rna_host_service_info.application_protocol_id

rna_host_client_app_payload.web_application_id

rna_host_client_app_payload.client_application_id

rna_host_client_app.client_application_id

rna_host_client_app.application_protocol_id

rna_host_service_payload.web_application_id

initiator_ipaddr

responder_ipaddr

rna_host_ip_map.ipaddr

user_ipaddr_history.ipaddr