Cisco Firepower Management Center 4000 Developer Guide
FireSIGHT System Database Access Guide
Chapter 9 Schema: Correlation Tables
white_list_violation
white_list_violation Fields
The following table describes the database fields you can access in the white_list_violation table.
white_list_violation Joins
You cannot perform joins on the white_list_violation table.
white_list_violation Sample Query
The following query returns up to 25 records with white list violation information such as the host IP
address violating the white list, the violated white list name, and the count of violations.
SELECT host_id, white_list_name, count(*)
FROM white_list_violation
GROUP BY white_list_name, host_id
ORDER BY white_list_name DESC
LIMIT 0, 25;
Table 9-7 white_list_violation Fields

| Field | Description |
|---|---|
| host_id | ID number of the host in violation of the white list. |
| info | Any available vendor, product, or version information associated with the white list violation. For protocols that violate a white list, the field also indicates whether the violation is due to a network or transport protocol. |
| ip_address | Field deprecated in Version 5.2. Returns null for all queries. |
| port | The port, if any, associated with the event that triggered a service white list violation (that is, when a violation occurs as a result of a non-compliant service). For other types of white list violations, the field is blank. |
| protocol_name | The protocol associated with the event. |
| type | The type of white list violation, indicating whether the violation occurred due to a non-compliant: operating system (os), service (service), client application (client app), or protocol (protocol). |
| violation_time_sec | The UNIX timestamp of the date and time the violation was logged. |
| white_list_name | The white list that was violated. |
| white_list_uuid | A unique identifier for the white list. |
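
As an added example (not taken from the Cisco guide), the following query narrows the sample query to service violations and breaks them down by protocol and port, using only fields described in Table 9-7. The cut-off timestamp and the column aliases are constructed for illustration, and the query assumes the database access interface accepts max() and column aliases in the same way it accepts count(*).

```sql
-- Added example, not part of the original guide.
-- Service white list violations per host, white list, protocol and port,
-- logged at or after a cut-off time, most frequent combinations first.
-- host_id is used to identify the host because ip_address returns null.
-- 1700000000 is a constructed UNIX timestamp (2023-11-14 22:13:20 UTC);
-- replace it with the start of the window under review.
SELECT host_id,
       white_list_name,
       protocol_name,
       port,
       count(*) AS violation_count,                -- alias is illustrative
       max(violation_time_sec) AS last_violation_sec  -- most recent occurrence
FROM white_list_violation
WHERE type = 'service'                              -- value documented for the type field
  AND violation_time_sec >= 1700000000
GROUP BY host_id, white_list_name, protocol_name, port
ORDER BY violation_count DESC
LIMIT 0, 25;
```

Because the table does not support joins, host_id values returned here have to be resolved to host details in a separate query.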