Cisco Firepower Management Center 4000 Developer Guide

FireSIGHT System Database Access Guide
 
Chapter 4      Schema: Intrusion Tables 
  intrusion_event
Table 4-2 intrusion_event Fields (continued)

| Field | Description |
|---|---|
| src_user_last_seen_sec | The UNIX timestamp of the date and time the system last reported a login for the source user. |
| src_user_last_updated_sec | The UNIX timestamp of the date and time the source user’s record was last updated. |
| src_user_name | The user name for the source user. |
| src_user_phone | The source user’s phone number. |
| vlan_id | The identification number of the innermost VLAN associated with the packet that triggered the intrusion event. |
| web_application_id | The internal identification number of the web application that was used in the intrusion event, if applicable. |
| web_application_name | The web application that was used in the intrusion event, if applicable. One of: the name of the application, if a positive identification can be made; web browsing if the system detects an application protocol of HTTP but cannot identify a specific web application; blank if the connection has no HTTP traffic. |

intrusion_event Joins

The following table describes the joins you can perform on the intrusion_event table.

Table 4-3 intrusion_event Joins

| You can join this table on... | And... |
|---|---|
| application_protocol_id or client_application_id or web_application_id | |
| dst_ipaddr or src_ipaddr | |