Cisco Firepower Management Center 4000 Developer Guide
9-7
FireSIGHT System Database Access Guide
Chapter 9 Schema: Correlation Tables
white_list_event
remediation_status Joins
You cannot perform joins on the remediation_status table.
remediation_status Sample Query
The following query returns up to 25 records generated before a given date. These records include remediation status information such as the remediation timestamp, the status message, and so on.
SELECT policy_time_sec, remediation_time_sec, remediation_name, policy_name,
       policy_rule_name, status_text
FROM remediation_status
WHERE remediation_time_sec <= UNIX_TIMESTAMP("2011-10-01 00:00:00")
ORDER BY policy_time_sec DESC
LIMIT 0, 25;
white_list_event
The white_list_event table contains white list events that are generated when the system detects a host not compliant with a white list in an active white list compliance policy.
Note that starting in Version 5.0, the FireSIGHT System records the detection of network and user activity at the managed device level, no longer by detection engine. The detection_engine_name and detection_engine_uuid fields in the white_list_event table now return only null, and queries that join on those fields return zero records. Querying on the sensor_uuid field instead of detection_engine_uuid provides the equivalent information.
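The following script is an added example, not part of the guide and not Cisco code. It stands in for the FireSIGHT database with an in-memory SQLite database holding constructed rows, runs the guide's remediation_status sample query with the cutoff date and row limit bound as parameters instead of spliced into the SQL text, and then shows the join behaviour described above for white_list_event: a join on the always-null detection_engine_uuid column returns zero rows, while the same join on sensor_uuid returns every event. MySQL's UNIX_TIMESTAMP() is replaced by a small Python helper that assumes UTC; the host_ip column and the sensor lookup table are assumptions made for this example.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample data (not real FireSIGHT records). Column names follow the
# remediation_status and white_list_event fields named in the guide; host_ip and
# the "sensor" lookup table are assumptions made for this example.
REMEDIATION_ROWS = [
    # policy_time_sec, remediation_time_sec, remediation_name, policy_name,
    # policy_rule_name, status_text
    (1314000000, 1314000005, "block_host", "Quarantine Policy", "rule_1",
     "successful completion of remediation"),
    (1316000000, 1316000010, "block_host", "Quarantine Policy", "rule_2",
     "successful completion of remediation"),
    (1320000000, 1320000003, "email_admin", "Notify Policy", "rule_3",
     "remediation failed"),  # launched after the 2011-10-01 cutoff used below
]
SENSOR_ROWS = [("s-1", "edge-sensor"), ("s-2", "dmz-sensor")]
WHITE_LIST_EVENT_ROWS = [
    # detection_engine_uuid is always NULL from Version 5.0 on; sensor_uuid is populated
    (None, "s-1", "10.0.0.5"),
    (None, "s-1", "10.0.0.9"),
    (None, "s-2", "10.0.1.2"),
]


def build_sample_db():
    """Create an in-memory SQLite stand-in for the FireSIGHT database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE remediation_status (
            policy_time_sec INTEGER, remediation_time_sec INTEGER,
            remediation_name TEXT, policy_name TEXT,
            policy_rule_name TEXT, status_text TEXT);
        CREATE TABLE white_list_event (
            detection_engine_uuid TEXT, sensor_uuid TEXT, host_ip TEXT);
        CREATE TABLE sensor (sensor_uuid TEXT, name TEXT);
    """)
    conn.executemany("INSERT INTO remediation_status VALUES (?,?,?,?,?,?)", REMEDIATION_ROWS)
    conn.executemany("INSERT INTO white_list_event VALUES (?,?,?)", WHITE_LIST_EVENT_ROWS)
    conn.executemany("INSERT INTO sensor VALUES (?,?)", SENSOR_ROWS)
    return conn


def to_unix_timestamp(cutoff):
    """Stand-in for MySQL's UNIX_TIMESTAMP('YYYY-MM-DD HH:MM:SS'); assumes UTC."""
    dt = datetime.strptime(cutoff, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def remediation_before(conn, cutoff, limit=25):
    """The guide's sample query, with the cutoff and limit bound as parameters."""
    sql = (
        "SELECT policy_time_sec, remediation_time_sec, remediation_name, policy_name, "
        "policy_rule_name, status_text "
        "FROM remediation_status WHERE remediation_time_sec <= ? "
        "ORDER BY policy_time_sec DESC LIMIT ?"
    )
    return conn.execute(sql, (to_unix_timestamp(cutoff), limit)).fetchall()


def count_joined(conn, join_column):
    """Count white_list_event rows that join to the sensor table on join_column."""
    # The column name is spliced into the SQL text, so it is checked against an
    # allow-list of the two documented columns rather than taken as free text.
    if join_column not in ("detection_engine_uuid", "sensor_uuid"):
        raise ValueError("unsupported join column: %r" % join_column)
    sql = ("SELECT COUNT(*) FROM white_list_event w "
           "JOIN sensor s ON w.%s = s.sensor_uuid" % join_column)
    return conn.execute(sql).fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    for row in remediation_before(db, "2011-10-01 00:00:00"):
        print(row)
    # NULL never compares equal, so the detection-engine join yields 0 rows,
    # while the sensor_uuid join returns every event.
    print(count_joined(db, "detection_engine_uuid"), count_joined(db, "sensor_uuid"))
```

Binding the cutoff as a parameter rather than formatting it into the string literal is the habit to carry into reporting scripts that take the date from a user or a scheduler; the allow-list in count_joined is the equivalent protection for the one value that cannot be bound, the column name.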
For more information, see the following sections:
Table 9-4 remediation_status Fields (continued)
Field: remediation_time_sec
Description: The UNIX timestamp of the date and time the Defense Center launched the remediation.
Field: status_text
Description: A message that describes what happened when the remediation was launched, such as "successful completion of remediation."