Cisco Cisco Firepower Management Center 4000 Developer's Guide
FireSIGHT System Database Access Guide
Chapter 8 Schema: User Activity Tables
user_discovery_event
The user_discovery_event table contains a record for each user discovery event.
Note that starting in Version 5.0, the FireSIGHT System records the detection of user activity at the managed device level, no longer by detection engine. The detection_engine_name and detection_engine_uuid fields in this table have been replaced by the sensor_name and sensor_uuid fields respectively. Queries on these fields will return information about the managed device that generated the user discovery event.
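The following added example (not part of the Cisco guide) shows how a reporting script might normalize one user_discovery_event row using the field semantics listed in Table 8-4 below. The function names, the dict-shaped row and the sample values are hypothetical, and it assumes ipaddr arrives as 4 or 16 packed bytes in network order, possibly as an IPv4-mapped IPv6 address.

```python
import ipaddress
from datetime import datetime, timezone

# Event types for which the description column carries the user name.
NAME_IN_DESCRIPTION = {"Delete User Identity", "User Identity Dropped"}

def decode_ipaddr(raw):
    """Binary ipaddr -> text. Assumed: 4 or 16 packed bytes, network order."""
    if raw is None:
        return None
    if len(raw) not in (4, 16):
        raise ValueError(f"unexpected ipaddr length: {len(raw)}")
    addr = ipaddress.ip_address(bytes(raw))
    # Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4 if present.
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def split_sensor_address(value):
    """'ipv4_address,ipv6_address' -> (ipv4, ipv6); a missing part is None."""
    v4, _, v6 = (value or "").partition(",")
    return (v4.strip() or None, v6.strip() or None)

def normalize_event(row):
    """Turn one user_discovery_event row (a dict) into report-ready values."""
    app = row.get("application_protocol_name")
    v4, v6 = split_sensor_address(row.get("sensor_address"))
    named = row["event_type"] in NAME_IN_DESCRIPTION
    when = datetime.fromtimestamp(row["event_time_sec"], tz=timezone.utc)
    return {
        "time_utc": when.isoformat(),
        "event_type": row["event_type"],
        # ip_address is deprecated and always null, so only ipaddr is read.
        "host_ip": decode_ipaddr(row.get("ipaddr")),
        # 'pending' and blank both mean no identified application protocol.
        "application": app if app and app != "pending" else None,
        # description holds the user name only for the two event types above.
        "user_name": (row.get("description") or None) if named else None,
        # sensor_uuid is 0 when sensor_name is null, so key on the name.
        "sensor": row.get("sensor_name"),
        "sensor_ipv4": v4,
        "sensor_ipv6": v6,
    }

# Constructed sample row (not real data).
SAMPLE_ROW = {
    "event_time_sec": 1400000000, "event_type": "User Identity Dropped",
    "description": "jdoe", "application_protocol_name": "pending",
    "ipaddr": bytes(10) + b"\xff\xff" + bytes([192, 0, 2, 10]),
    "sensor_address": "198.51.100.5,", "sensor_name": "edge-sensor-1",
}

if __name__ == "__main__":
    print(normalize_event(SAMPLE_ROW))
```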
user_discovery_event Fields
The following table describes the fields you can access in the user_discovery_event table.
Table 8-4 user_discovery_event Fields

| Field | Description |
|---|---|
| application_protocol_id | An internal identifier for the detected application protocol. |
| application_protocol_name | One of: the name of the application used in the connection (LDAP, POP3, and so on); pending if the system cannot identify the application for one of several reasons; blank if there is no application information in the connection. |
| description | The user name when the discovery event type is either Delete User Identity, or User Identity Dropped. Otherwise, blank. |
| event_id | An internal identification number for the discovery event. |
| event_time_sec | The UNIX timestamp of the date and time of the discovery event. |
| event_type | The type of discovery event. For example, New User Identity or User Login. |
| ip_address | Field deprecated in Version 5.2. Returns null for all queries. |
| ipaddr | A binary representation of the IP address of the host where the user activity was detected. |
| reported_by | The IPv4 address, IPv6 address, or NetBIOS name of the Active Directory server reporting a user login. |
| sensor_address | The IP address of the managed device that detected the user discovery event. Format is ipv4_address,ipv6_address. |
| sensor_name | The text name of the managed device that detected the user discovery event. |
| sensor_uuid | A unique identifier for the managed device, or 0 if sensor_name is null. |
| user_dept | The department of the user who last logged onto the host. |
| user_email | The email address of the user who last logged onto the host. |
| user_first_name | The first name of the user. |