Cisco Firepower Management Center 2000 Developer Guide
FireSIGHT System Database Access Guide
Chapter 4 Schema: Intrusion Tables

intrusion_event Sample Query
The following query returns the 25 most common unreviewed intrusion event results, sorted in descending order based on Count.
SELECT rule_message, priority, rule_classification, count(*) as Count
FROM intrusion_event
WHERE reviewed="0"
GROUP BY rule_message, priority, rule_classification
ORDER BY Count DESC
LIMIT 0, 25;
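To show what the sample query actually produces, here is an added example (not part of the guide, and not run against a real Defense Center) that loads a handful of constructed intrusion_event rows into an in-memory SQLite stand-in and runs the same query. Only the four columns the query touches are modelled; the string literal is single-quoted because SQLite does not reliably treat double quotes as a string. SQLite also accepts the MySQL-style LIMIT offset, count form used by the guide.

```python
import sqlite3

# Constructed stand-in rows for the intrusion_event table: only the columns the
# sample query uses, not the real FireSIGHT schema.
SAMPLE_EVENTS = [
    # (rule_message, priority, rule_classification, reviewed)
    ("SERVER-WEBAPP SQL injection attempt", 1, "Web Application Attack", 0),
    ("SERVER-WEBAPP SQL injection attempt", 1, "Web Application Attack", 0),
    ("SERVER-WEBAPP SQL injection attempt", 1, "Web Application Attack", 1),
    ("PROTOCOL-ICMP PING NMAP", 3, "Attempted Information Leak", 0),
    ("MALWARE-CNC Win.Trojan beacon", 1, "A Network Trojan was detected", 0),
    ("MALWARE-CNC Win.Trojan beacon", 1, "A Network Trojan was detected", 0),
    ("MALWARE-CNC Win.Trojan beacon", 1, "A Network Trojan was detected", 0),
    ("PROTOCOL-ICMP PING NMAP", 3, "Attempted Information Leak", 1),
]

# The guide's query, with the string literal single-quoted for SQLite.
TOP_UNREVIEWED_SQL = """
SELECT rule_message, priority, rule_classification, count(*) AS Count
FROM intrusion_event
WHERE reviewed = '0'
GROUP BY rule_message, priority, rule_classification
ORDER BY Count DESC
LIMIT 0, 25;
"""


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE intrusion_event ("
        "rule_message TEXT, priority INTEGER, "
        "rule_classification TEXT, reviewed INTEGER)"
    )
    conn.executemany("INSERT INTO intrusion_event VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def top_unreviewed(conn):
    """Run the guide's query; returns (rule_message, priority, classification, Count) tuples,
    most frequent unreviewed signature first."""
    return conn.execute(TOP_UNREVIEWED_SQL).fetchall()


if __name__ == "__main__":
    for rule_message, priority, classification, count in top_unreviewed(build_db()):
        print(f"{count:4d}  pri={priority}  {classification:32s}  {rule_message}")
```

Reviewed events (reviewed=1) are excluded before grouping, so a signature that fires often but has already been triaged does not crowd out the unreviewed ones an analyst still needs to look at.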
intrusion_event_packet

The intrusion_event_packet table contains information on the content of the packet or packets that triggered an intrusion event. Keep in mind that if you prohibited packet transfer from your managed devices to the Defense Center, the intrusion_event_packet table contains no data.
For more information, see the following sections:
intrusion_event_packet Fields

The following table describes the database fields you can access in the intrusion_event_packet table.

Table 4-4 intrusion_event_packet Fields

Field                  Description
detection_engine_name  Field deprecated in Version 5.0. Returns null for all queries.
detection_engine_uuid  Field deprecated in Version 5.0. Returns null for all queries.
event_id               The identification number for the event. The ID is unique on a given managed device.
linktype               An internal key that indicates the format of the packet’s outer layer; used by the managed device to correctly decode the packet. Only link type 1 is supported.
packet_data            The contents of the packet that triggered the event.
packet_time_sec        The UNIX timestamp of the date and time the event packet was captured.
packet_time_usec       The microsecond increment of the event timestamp. If microsecond resolution is not available, this value is 0.
sensor_address         The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address.
sensor_name            The name of the managed device that generated the intrusion event.
sensor_uuid            A unique identifier for the managed device, or 0 if sensor_name is null.
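As an added example (not from the guide), the following script shows how an analyst would consume a row from this table: it rebuilds the capture time from packet_time_sec and packet_time_usec, refuses anything other than the documented linktype 1 (Ethernet), and pulls the Ethernet, IPv4 and TCP/UDP headers out of packet_data so the event can be correlated with flow or firewall logs. The row, including the packet bytes, is constructed by hand; the field names match Table 4-4, but the decoding logic is this example's own, not a FireSIGHT API.

```python
import datetime
import ipaddress
import struct

LINKTYPE_ETHERNET = 1   # the only link type Table 4-4 documents as supported
ETHERTYPE_IPV4 = 0x0800

# Constructed row shaped like an intrusion_event_packet record. The packet is a
# hand-built Ethernet/IPv4/TCP frame (checksum left at 0), not a real capture.
SAMPLE_ROW = {
    "event_id": 1001,
    "sensor_name": "edge-sensor-1",
    "linktype": 1,
    "packet_time_sec": 1_400_000_000,
    "packet_time_usec": 250_000,
    "packet_data": (
        bytes.fromhex("00 11 22 33 44 55")       # destination MAC
        + bytes.fromhex("66 77 88 99 aa bb")     # source MAC
        + b"\x08\x00"                            # EtherType IPv4
        + b"\x45\x00\x00\x28"                    # IPv4: ver/IHL=5, TOS, total length 40
        + b"\x00\x01\x00\x00"                    # identification, flags/fragment offset
        + b"\x40\x06\x00\x00"                    # TTL 64, protocol 6 (TCP), checksum 0
        + bytes([10, 1, 2, 3])                   # source 10.1.2.3
        + bytes([192, 0, 2, 80])                 # destination 192.0.2.80
        + b"\xc3\x50\x00\x50"                    # TCP source port 50000, destination port 80
        + b"\x00" * 16                           # remainder of the 20-byte TCP header
    ),
}


def packet_timestamp(row):
    """Combine the second and microsecond columns into one UTC datetime."""
    base = datetime.datetime.fromtimestamp(row["packet_time_sec"], tz=datetime.timezone.utc)
    return base.replace(microsecond=row["packet_time_usec"])


def decode_packet(row):
    """Summarise the L2/L3/L4 headers of packet_data for an Ethernet (linktype 1) row."""
    if row["linktype"] != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported linktype {row['linktype']} for event {row['event_id']}")
    data = row["packet_data"]
    if len(data) < 14:
        raise ValueError("packet_data shorter than an Ethernet header")

    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", data[:14])
    info = {
        "event_id": row["event_id"],
        "sensor_name": row["sensor_name"],
        "captured_at": packet_timestamp(row).isoformat(),
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "ethertype": ethertype,
    }
    if ethertype != ETHERTYPE_IPV4 or len(data) < 34:
        return info   # non-IPv4 or truncated: report only what the frame header gives us

    ihl = (data[14] & 0x0F) * 4           # IPv4 header length in bytes
    proto = data[23]
    info.update({
        "src_ip": str(ipaddress.IPv4Address(data[26:30])),
        "dst_ip": str(ipaddress.IPv4Address(data[30:34])),
        "ip_proto": proto,
    })
    l4 = 14 + ihl
    if proto in (6, 17) and len(data) >= l4 + 4:   # TCP or UDP: ports sit in the first 4 bytes
        info["src_port"], info["dst_port"] = struct.unpack("!HH", data[l4:l4 + 4])
    return info


if __name__ == "__main__":
    for key, value in decode_packet(SAMPLE_ROW).items():
        print(f"{key:12s} {value}")
```

Checking linktype before touching the bytes matters: a different link type would put the IP header at a different offset, and silently decoding it as Ethernet would yield plausible-looking but wrong addresses in an incident timeline.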