Cisco Cisco Firepower Management Center 4000 Developer's Guide
FireSIGHT System Database Access Guide
Chapter 5 Schema: Statistics Tracking Tables
user_ids_stats_current_timeframe
user_ids_stats_current_timeframe Joins
You cannot perform joins on the user_ids_stats_current_timeframe tables.
user_ids_stats_current_timeframe Sample Query
The following query returns up to 25 user records from the user_ids_stats_current_month table. Each record contains the number of blocked connections and intrusion events for the selected username.
SELECT username, start_time_sec, blocked, impact_level_1, impact_level_2,
impact_level_3, impact_level_4, impact_level_5 FROM user_ids_stats_current_month
WHERE username="username"
LIMIT 0, 25;
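The sample query above with the username bound as a parameter rather than written into the SQL text, as an added example that is not from the Cisco guide. It assumes an in-memory SQLite table as a stand-in for the real database, filled with constructed rows; make_standin_db, user_stats and the derived fields start_utc and intrusion_events are hypothetical names.

```python
import sqlite3
from datetime import datetime, timezone

COLUMNS = ("username", "start_time_sec", "blocked", "impact_level_1",
           "impact_level_2", "impact_level_3", "impact_level_4", "impact_level_5")

# Same statement as the sample query, with the username supplied as a bound
# parameter so a caller-provided value can never change the SQL itself.
QUERY = ("SELECT " + ", ".join(COLUMNS) +
         " FROM user_ids_stats_current_month WHERE username = ? LIMIT 0, 25")


def make_standin_db():
    """Build an in-memory SQLite stand-in (assumption) with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_ids_stats_current_month (%s)" % ", ".join(COLUMNS))
    rows = [  # constructed sample data, not real measurements
        ("jdoe", 1700000000, 3, 1, 0, 2, 0, 4),
        ("jdoe", 1700003600, 0, 0, 1, 0, 0, 0),
        ("asmith", 1700000000, 9, 5, 5, 5, 5, 5),
    ]
    db.executemany(
        "INSERT INTO user_ids_stats_current_month VALUES (?,?,?,?,?,?,?,?)", rows)
    return db


def user_stats(db, username):
    """Run the query for one user; return one dict per measurement interval."""
    out = []
    for row in db.execute(QUERY, (username,)):
        rec = dict(zip(COLUMNS, row))
        # start_time_sec is a UNIX timestamp; render it in UTC for reporting.
        rec["start_utc"] = datetime.fromtimestamp(
            rec["start_time_sec"], tz=timezone.utc).isoformat()
        # Total intrusion events across impact levels 1 to 5 for the interval.
        rec["intrusion_events"] = sum(rec["impact_level_%d" % i] for i in range(1, 6))
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in user_stats(make_standin_db(), "jdoe"):
        print(rec["start_utc"], rec["blocked"], rec["intrusion_events"])
```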
Table 5-15 user_ids_stats_current_timeframe Fields (continued)
Field
    Description
impact_level_4
    The number of impact level 4 (unknown target) intrusion events recorded for the user.
impact_level_5
    The number of impact level 5 (unknown vulnerability) intrusion events recorded for the user.
sensor_address
    The IP address of the managed device that monitored the traffic. Format is ipv4_address,ipv6_address.
sensor_id
    The internal identification number of the managed device that detected the traffic.
sensor_name
    The name of the managed device that detected the traffic.
sensor_uuid
    A unique identifier for the managed device, or 0 if sensor_name is null.
start_time_sec
    The UNIX timestamp of the start of the measurement interval. For information on specifying the start time, see .
user_id
    An internal identification number for the user who last logged into the host.
username
    The user name of the user who last logged into the host.
would_have_dropped
    Number of packets that would have been dropped if the intrusion policy had been configured to drop packets in an inline deployment.