Cisco Firepower Management Center 4000 Developer Guide

FireSIGHT System Database Access Guide
 
Chapter 4      Schema: Intrusion Tables
intrusion_event Sample Query
The following query returns the 25 most common unreviewed intrusion event results, sorted in descending order based on Count:

SELECT rule_message, priority, rule_classification, count(*) as Count
FROM intrusion_event
WHERE reviewed="0"
GROUP BY rule_message, priority, rule_classification
ORDER BY Count DESC
LIMIT 0, 25;
intrusion_event_packet
The intrusion_event_packet table contains information on the content of the packet or packets that triggered an intrusion event. Keep in mind that if you prohibited packet transfer from your managed devices to the Defense Center, the intrusion_event_packet table contains no data.
For more information, see the following sections:
intrusion_event_packet Fields
The following table describes the database fields you can access in the intrusion_event_packet table.

Table 4-4    intrusion_event_packet Fields

Field                  Description
detection_engine_name  Field deprecated in Version 5.0. Returns null for all queries.
detection_engine_uuid  Field deprecated in Version 5.0. Returns null for all queries.
event_id               The identification number for the event. The ID is unique on a given managed device.
linktype               An internal key that indicates the format of the packet's outer layer; used by the managed device to correctly decode the packet. Only link type 1 is supported.
packet_data            The contents of the packet that triggered the event.
packet_time_sec        The UNIX timestamp of the date and time the event packet was captured.
packet_time_usec       The microsecond increment of the event timestamp. If microsecond resolution is not available, this value is 0.
sensor_address         The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address.
sensor_name            The name of the managed device that generated the intrusion event.
sensor_uuid            A unique identifier for the managed device, or 0 if sensor_name is null.
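In practice the fields above are most useful when the raw packet_data is pulled back into a tool that understands packets. The following is an added example, not code from the FireSIGHT guide or from Cisco: it takes rows shaped like Table 4-4 (dicts keyed by column name, as a DB-API cursor would return them) and rebuilds a libpcap file from packet_time_sec, packet_time_usec and packet_data, skipping rows whose linktype is not 1, then decodes the IPv4 5-tuple from a frame so an analyst can label the event without opening Wireshark. It assumes that link type 1 is the libpcap DLT_EN10MB (Ethernet) value; the sample rows and the Ethernet/IPv4/TCP frame inside them are constructed for the example, not captured data.

```python
"""Rebuild a pcap from intrusion_event_packet rows and decode the 5-tuple.

Added example, not from the FireSIGHT System Database Access Guide.
Assumption: linktype 1 is libpcap DLT_EN10MB (Ethernet). Rows are dicts
keyed by the Table 4-4 column names. All sample data below is constructed.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
DLT_EN10MB = 1            # the only link type the table documents (assumed Ethernet)


def pcap_global_header(linktype=DLT_EN10MB, snaplen=65535):
    # magic, major 2, minor 4, thiszone, sigfigs, snaplen, network (link type)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, data):
    # packet_time_sec / packet_time_usec map directly onto the record header;
    # a usec value of 0 (no microsecond resolution available) is still valid.
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data


def rows_to_pcap(rows):
    """Return (pcap_bytes, skipped_event_ids) for rows with a usable link type."""
    out = bytearray(pcap_global_header())
    skipped = []
    for row in sorted(rows, key=lambda r: (r["packet_time_sec"], r["packet_time_usec"])):
        # Only link type 1 is supported by the table; anything else cannot be
        # decoded as Ethernet, so record it rather than writing a bogus frame.
        if row["linktype"] != DLT_EN10MB or not row["packet_data"]:
            skipped.append(row["event_id"])
            continue
        out += pcap_record(row["packet_time_sec"], row["packet_time_usec"], row["packet_data"])
    return bytes(out), skipped


def pcap_record_count(pcap):
    """Walk the record headers of a pcap produced above and count them."""
    off, count = 24, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        off += 16 + incl_len
        count += 1
    return count


def decode_ipv4_tuple(frame):
    """Parse Ethernet II + IPv4 (+ TCP/UDP ports); return (src, sport, dst, dport, proto) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet II
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:               # TCP or UDP ports
        sport, dport = struct.unpack("!HH", l4[:4])
    return (src, sport, dst, dport, proto)


def _build_frame(src_ip, sport, dst_ip, dport, payload=b""):
    # Constructed sample frame: Ethernet II + IPv4 + TCP SYN (checksums left 0).
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


# Constructed rows in the shape of Table 4-4 (not real events).
SAMPLE_ROWS = [
    {"sensor_name": "sensor-a", "event_id": 101, "linktype": 1,
     "packet_time_sec": 1_700_000_000, "packet_time_usec": 250_000,
     "packet_data": _build_frame("10.0.0.5", 40001, "192.0.2.10", 80, b"GET / HTTP/1.0\r\n")},
    {"sensor_name": "sensor-a", "event_id": 102, "linktype": 1,
     "packet_time_sec": 1_700_000_000, "packet_time_usec": 0,      # no usec resolution
     "packet_data": _build_frame("10.0.0.6", 40002, "192.0.2.11", 443)},
    {"sensor_name": "sensor-b", "event_id": 7, "linktype": 12,     # unsupported link type
     "packet_time_sec": 1_700_000_001, "packet_time_usec": 0, "packet_data": b"\x45\x00"},
]

if __name__ == "__main__":
    pcap, skipped = rows_to_pcap(SAMPLE_ROWS)
    print(f"{pcap_record_count(pcap)} records written, skipped event_ids {skipped}")
    for row in SAMPLE_ROWS:
        print(row["sensor_name"], row["event_id"], decode_ipv4_tuple(row["packet_data"]))
```

The resulting bytes can be written to a .pcap file and opened in any libpcap-aware tool; because the table's event_id is only unique per managed device, keep sensor_name (or sensor_uuid) alongside event_id when naming or indexing the exported captures.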