Cisco Firepower Management Center 4000 Developer's Guide
4-2
FireSIGHT System Database Access Guide
Chapter 4 Schema: Intrusion Tables
intrusion_event
intrusion_event Fields
The following table describes the database fields you can access in the intrusion_event table.

Table 4-2  intrusion_event Fields

access_control_policy_name
    The access control policy associated with the intrusion policy that generated the intrusion event. Note that the access control policy name and access control rule name combination is unique for a Defense Center.

access_control_rule_id
    The internal identification number of the access control rule associated with the intrusion policy that generated the intrusion event.

access_control_rule_name
    The name of the access control rule associated with the intrusion policy that generated the intrusion event. Note that the access control rule name is unique within a policy but not across different policies.

application_protocol_id
    The internal identification number of the application protocol.

application_protocol_name
    One of:
    • the name of the application, if a positive identification can be made
    • pending if the system requires more data
    • blank if there is no application information in the connection

blocked
    The value indicating what happened to the packet that triggered the intrusion event:
    • 0 - packet not dropped
    • 1 - packet dropped (inline, switched, or routed deployment)
    • 2 - packet that triggered the event would have been dropped, if the intrusion policy had been applied to a device configured in inline, switched, or routed deployment

client_application_id
    The internal identification number of the client application that was used in the intrusion event.

client_application_name
    The client application, if available, that was used in the intrusion event. One of:
    • the name of the application, if a positive identification can be made
    • a generic client name if the system detects a client application but cannot identify a specific one
    • null if there is no application information in the connection

connection_sec
    UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

counter
    Number that is incremented for each connection event in a given second, and is used to differentiate among multiple connection events that happen during the same second.

detection_engine_name
    Field deprecated in Version 5.0. Returns null for all queries.

detection_engine_uuid
    Field deprecated in Version 5.0. Returns null for all queries.
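The queries below are an added worked example, not part of the guide. They show two checks an analyst would run against the fields in Table 4-2: events with blocked = 2 (rules that would drop traffic if the policy were applied inline), grouped by policy and rule because the rule name alone is not unique across policies, and a count per application protocol that treats the documented "pending" and blank states explicitly. An in-memory sqlite3 database with constructed sample rows stands in for the Defense Center database; only the column names from the table above are used. The SQL uses only SELECT, WHERE, GROUP BY and ORDER BY; confirm against the guide's supported-syntax list before running it against a real Defense Center.

```python
"""Worked queries over the intrusion_event fields in Table 4-2.

sqlite3 stands in for the Defense Center database (assumption made for this
example); SAMPLE_EVENTS are constructed rows, not real intrusion events.
"""
import sqlite3

# Constructed sample rows, in column order:
# (access_control_policy_name, access_control_rule_name, blocked,
#  application_protocol_name, client_application_name, connection_sec, counter)
SAMPLE_EVENTS = [
    ("Corp ACP", "Allow Web",   0, "HTTP",    "Firefox", 1700000000, 1),
    ("Corp ACP", "Allow Web",   2, "HTTP",    "Firefox", 1700000000, 2),  # same second, counter 2
    ("Corp ACP", "Allow Web",   2, "HTTP",    None,      1700000001, 1),
    ("Corp ACP", "Monitor DMZ", 2, "pending", None,      1700000002, 1),  # identification pending
    ("Corp ACP", "Monitor DMZ", 1, "SSH",     "OpenSSH", 1700000003, 1),
    ("Lab ACP",  "Allow Web",   0, "",        None,      1700000004, 1),  # blank: no app info
]


def build_db() -> sqlite3.Connection:
    """Create the stand-in intrusion_event table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE intrusion_event (
               access_control_policy_name TEXT,
               access_control_rule_name   TEXT,
               blocked                    INTEGER,
               application_protocol_name  TEXT,
               client_application_name    TEXT,
               connection_sec             INTEGER,
               counter                    INTEGER)"""
    )
    conn.executemany("INSERT INTO intrusion_event VALUES (?,?,?,?,?,?,?)", SAMPLE_EVENTS)
    return conn


# blocked = 2: the packet would have been dropped had the intrusion policy been
# applied to an inline, switched or routed device. Grouping on policy AND rule
# name is required because rule names are only unique within a policy.
WOULD_HAVE_DROPPED_SQL = """
SELECT access_control_policy_name, access_control_rule_name, COUNT(*) AS events
FROM intrusion_event
WHERE blocked = 2
GROUP BY access_control_policy_name, access_control_rule_name
ORDER BY events DESC, access_control_policy_name, access_control_rule_name
"""

# application_protocol_name has three documented states: a real name, the
# literal 'pending', or blank. Label the two special states so they are not
# mistaken for protocols.
BY_APP_PROTOCOL_SQL = """
SELECT CASE
         WHEN application_protocol_name IS NULL OR application_protocol_name = '' THEN '(none)'
         WHEN application_protocol_name = 'pending' THEN '(pending)'
         ELSE application_protocol_name
       END AS app_proto,
       COUNT(*) AS events
FROM intrusion_event
GROUP BY app_proto
ORDER BY events DESC, app_proto
"""


def would_have_dropped(conn: sqlite3.Connection):
    """Return (policy, rule, count) for events that only a passive deployment let through."""
    return conn.execute(WOULD_HAVE_DROPPED_SQL).fetchall()


def by_application_protocol(conn: sqlite3.Connection):
    """Return (app_proto, count) with 'pending' and blank states labelled."""
    return conn.execute(BY_APP_PROTOCOL_SQL).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in would_have_dropped(db):
        print("would have dropped:", row)
    for row in by_application_protocol(db):
        print("app protocol:", row)
```

Rows sharing a connection_sec value are distinct connection events only when their counter values differ, as the two "Allow Web" rows at 1700000000 show; when correlating intrusion events with connection data, carry both columns rather than the timestamp alone.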