Cisco Firepower Management Center 4000 Developer Guide

FireSIGHT System Database Access Guide
Chapter 2: Setting Up Database Access
Intrusion Events

To uniquely match an intrusion event across multiple managed devices, include the following fields in your query of the intrusion_event table:

  – intrusion_event.event_id
  – intrusion_event.event_time_sec
  – intrusion_event.sensor_uuid
Sample Queries
The following sections contain sample queries that illustrate how you can use the database access feature:
Caution: Performing some of these sample queries may be expensive, depending on your deployment. See for more information.
Audit Records for a User
The following query returns all records in the audit log for a particular user, displaying all timestamps in UTC:
SELECT FROM_UNIXTIME(action_time_sec), user, message 
FROM audit_log
WHERE user = 'eventanalyst';
Intrusion Events by Priority and Classification
The following query duplicates the Drilldown of Event, Priority, and Classification view in the Events By Priority and Classification workflow. If you have not changed the default Intrusion Events workflow in your user preferences, this is the first page you see when you select Analysis > Intrusion Events on the Defense Center web interface:
SELECT rule_message, priority, rule_classification, count(*) as Count 
FROM intrusion_event
WHERE reviewed="0" GROUP BY rule_message, priority, rule_classification
ORDER BY Count;
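The following is an added example, not one of the guide's own sample queries, that combines the composite key described under Intrusion Events with the priority/classification breakdown above. It uses only the intrusion_event columns named on this page and assumes that the MySQL functions CONCAT_WS and UNIX_TIMESTAMP are available over the database access connection; the 24-hour window is an assumed value chosen to keep the queries inexpensive.

```sql
-- Added example (not from the guide). Columns used are those shown above:
-- event_id, event_time_sec, sensor_uuid, rule_message, priority,
-- rule_classification, reviewed.
-- Assumptions: CONCAT_WS and UNIX_TIMESTAMP are accepted by the database
-- access SQL engine; the 86400-second (24 h) window is an example bound.

-- 1. Confirm the three-field key is unique across managed devices:
--    total_rows and distinct_keys should be equal. Keying on event_id
--    alone would collapse events that different sensors numbered the same.
SELECT COUNT(*) AS total_rows,
       COUNT(DISTINCT CONCAT_WS('|', sensor_uuid, event_time_sec, event_id))
           AS distinct_keys
FROM intrusion_event
WHERE event_time_sec >= UNIX_TIMESTAMP() - 86400;

-- 2. Unreviewed events per sensor, rule, priority and classification,
--    with first/last occurrence in UTC, so the same rule firing on several
--    devices is reported per device rather than merged into one row.
SELECT sensor_uuid,
       rule_message,
       priority,
       rule_classification,
       COUNT(*) AS event_count,
       FROM_UNIXTIME(MIN(event_time_sec)) AS first_seen_utc,
       FROM_UNIXTIME(MAX(event_time_sec)) AS last_seen_utc
FROM intrusion_event
WHERE reviewed = '0'
  AND event_time_sec >= UNIX_TIMESTAMP() - 86400
GROUP BY sensor_uuid, rule_message, priority, rule_classification
ORDER BY priority, event_count DESC;
```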