Cisco Firepower Management Center 4000 Developer Guide

FireSIGHT System Database Access Guide, page 9-2
Chapter 9  Schema: Correlation Tables
compliance_event
compliance_event Fields
Keep in mind that many of the fields in the table can be blank, depending on what type of event triggered the correlation rule. For example, if the Defense Center generates a correlation event because the system detects a specific application protocol or web application running on a specific port, that correlation event does not include intrusion-related information. Fields in this table can also be blank depending on your FireSIGHT System configuration. For example, if you do not have a Control license, correlation events do not include user identity information.

Note that starting in Version 5.0, the FireSIGHT System records the detection of network and user activity at the managed device level, rather than by detection engine. The detection_engine_name and detection_engine_uuid fields in the compliance_event table now return only blanks, and queries that join on those fields return zero records. You must query on the sensor_uuid field instead of detection_engine_uuid for information about the location of an event's detection.

The following table describes the fields you can access in the compliance_event table.
Table 9-2    compliance_event Fields

Field
    Description

blocked
    Value indicating what happened to the packet that triggered the intrusion event:
      • 0 - packet not dropped
      • 1 - packet dropped (inline, switched, or routed deployments)
      • 2 - packet that triggered the event would have been dropped, if the intrusion policy had been applied to a device in an inline, switched, or routed deployment

description
    Information about the correlation event and how it was triggered.

detection_engine_name
    Field deprecated in Version 5.0. Returns null for all queries.

detection_engine_uuid
    Field deprecated in Version 5.0. Returns null for all queries.

dst_host_criticality
    The user-assigned host criticality of the destination host involved in the correlation event: None, Low, Medium, or High.

dst_host_type
    The destination host type: Host, Router, Bridge, NAT Device, or Load Balancer.

dst_ip_address
    Field deprecated in Version 5.2. For backwards compatibility the value in this field is not set to null, but it is not reliable.

dst_ip_address_v6
    Field deprecated in Version 5.2. For backwards compatibility the value in this field is not set to null, but it is not reliable.

dst_ipaddr
    A binary representation of the IPv4 or IPv6 address for the destination host involved in the triggering event.

dst_os_product
    The operating system name on the destination host.

dst_os_vendor
    The operating system's vendor on the destination host.

dst_os_version
    The operating system's version number on the destination host.

dst_port
    The port number for the host receiving the traffic if the event protocol type is TCP or UDP. The ICMP code if the protocol type is ICMP.
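As an added example (not part of the guide), a small Python helper that applies the field semantics above to rows returned from a compliance_event query: it decodes the binary dst_ipaddr, labels the blocked values, reads dst_port as an ICMP code when the protocol is ICMP, takes the detection location from sensor_uuid, and reports which deprecated columns it ignored. The sample rows, the placeholder UUID and the "protocol" column name are constructed assumptions, not values from the schema.

```python
import ipaddress

# Constructed rows standing in for compliance_event query results; "protocol"
# is an assumed column name (Table 9-2 only says "event protocol type").
SAMPLE_ROWS = [
    {"sensor_uuid": "SENSOR-UUID-PLACEHOLDER", "detection_engine_uuid": None,
     "blocked": 1, "protocol": "TCP", "dst_port": 443,
     "dst_ipaddr": bytes([10, 0, 0, 5]), "dst_host_criticality": "High",
     "description": "Connection to critical host blocked"},
    {"sensor_uuid": "SENSOR-UUID-PLACEHOLDER", "blocked": 0, "protocol": "ICMP",
     "dst_port": 3, "dst_ipaddr": bytes(10) + b"\xff\xff" + bytes([192, 0, 2, 10]),
     "dst_host_criticality": "Low", "description": "ICMP to low-criticality host"},
]

BLOCKED_LABELS = {
    0: "packet not dropped",
    1: "packet dropped (inline, switched, or routed deployment)",
    2: "packet would have been dropped had the policy been applied inline",
}
DEPRECATED = ("detection_engine_name", "detection_engine_uuid",
              "dst_ip_address", "dst_ip_address_v6")


def decode_ipaddr(raw: bytes) -> str:
    """Render binary dst_ipaddr as text: 4 bytes is IPv4, 16 bytes is IPv6.
    Unmapping ::ffff:a.b.c.d to IPv4 is an assumption about the 16-byte form."""
    if len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if len(raw) == 16:
        v6 = ipaddress.IPv6Address(raw)
        return str(v6.ipv4_mapped or v6)
    raise ValueError(f"dst_ipaddr must be 4 or 16 bytes, got {len(raw)}")


def normalize_event(row: dict) -> dict:
    """Build the usable view of one row, reading sensor_uuid for the
    detection location and ignoring the deprecated columns."""
    out = {
        "sensor_uuid": row.get("sensor_uuid"),
        "dst_ip": decode_ipaddr(row["dst_ipaddr"]) if row.get("dst_ipaddr") else None,
        "dst_host_criticality": row.get("dst_host_criticality"),
        "description": row.get("description"),
        "blocked": BLOCKED_LABELS.get(row.get("blocked")),
        "ignored_deprecated": [f for f in DEPRECATED if f in row],
    }
    # dst_port holds a port for TCP/UDP but the ICMP code for ICMP.
    if row.get("protocol") in ("TCP", "UDP"):
        out["dst_port"] = row.get("dst_port")
    elif row.get("protocol") == "ICMP":
        out["icmp_code"] = row.get("dst_port")
    return out
```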