FireSIGHT System Database Access Guide
Chapter 4 Schema: Intrusion Tables
Table 4-2 intrusion_event Fields (continued)

| Field | Description |
|---|---|
| icmp_code | ICMP code if the event is ICMP traffic, or null if the event was not generated from ICMP traffic. |
| icmp_type | ICMP type if the event is ICMP traffic, or null if the event was not generated from ICMP traffic. |
| impact | The impact flag value of the event. Integer values are: 1 = Red (vulnerable); 2 = Orange (potentially vulnerable); 3 = Yellow (currently not vulnerable); 4 = Blue (unknown target); 5 = Gray (unknown impact). |
| instance_id | Numerical ID of the Snort instance on the managed device that generated the event. |
| interface_egress_name | The name of the interface for the outbound traffic. |
| interface_ingress_name | The name of the interface for the inbound traffic. |
| intrusion_event_policy_uuid | A unique identifier for the intrusion policy that triggered the intrusion event. |
| intrusion_event_policy_name | The intrusion policy that generated the intrusion event. |
| ioc_count | Number of indications of compromise found in the event. |
| priority | The priority for the rule classification associated with the event. Rule priority is set in the user interface. |
| protocol_name | The text name of the traffic protocol associated with the intrusion event. |
| protocol_num | The IANA number of the protocol as listed in |
| reviewed | Whether the intrusion event has been marked as reviewed: 1 = reviewed; 0 = not reviewed. |
| rule_classification | The description of the rule classification associated with the intrusion event, which usually describes the attack detected by the rule that triggered the event. For example: A Network Trojan was Detected. |
| rule_classification_id | The identification number for the rule classification associated with the intrusion event. |
| rule_generator | The component that generated the intrusion event. The generator can be either a rules engine, decoder, or preprocessor. |
| rule_generator_id | The generator ID (GID) of the component named in rule_generator that generated the intrusion event. |
| rule_message | Explanatory text for the event. For rule-based intrusion events, the message is generated from the rule. For decoder- and preprocessor-based events, the message is hard coded. |
| rule_revision | The revision number of the rule associated with the intrusion event. |
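The following queries are an added example and are not part of the Cisco guide. They show how the columns documented in Table 4-2 combine into an analyst triage view: unreviewed events whose impact flag is 1 (Red, target known vulnerable), with the ICMP columns handled explicitly because they are null for non-ICMP traffic. It assumes a read-only SQL session against the database access interface and uses only the column names listed above; the table name intrusion_event is taken from the table title.

```sql
-- Added example, not from the Cisco guide.
-- Assumes a read-only SQL session against the FireSIGHT database access interface
-- and the intrusion_event columns documented in Table 4-2.

-- Detail view: unreviewed Red-impact events, most indications of compromise first.
SELECT
    rule_generator_id,             -- GID of the generating component
    rule_revision,                 -- revision of the rule that fired
    rule_message,                  -- rule-generated or hard-coded explanatory text
    rule_classification,
    intrusion_event_policy_name,
    priority,                      -- rule classification priority set in the UI
    protocol_name,
    protocol_num,                  -- IANA protocol number
    -- icmp_type / icmp_code are null unless the event came from ICMP traffic,
    -- so flag that case rather than leaving the reader to infer it from nulls.
    CASE WHEN icmp_type IS NULL THEN 0 ELSE 1 END AS is_icmp,
    icmp_type,
    icmp_code,
    interface_ingress_name,        -- inbound interface
    interface_egress_name,         -- outbound interface
    instance_id,                   -- Snort instance on the managed device
    ioc_count                      -- indications of compromise found in the event
FROM intrusion_event
WHERE impact = 1                   -- 1 = Red (vulnerable)
  AND reviewed = 0                 -- 0 = not yet marked reviewed
ORDER BY ioc_count DESC;

-- Summary view: which rule classifications produce the most unreviewed
-- Red-impact events, and how many of those carried at least one IOC.
SELECT
    rule_classification_id,
    rule_classification,
    COUNT(*) AS event_count,
    SUM(CASE WHEN ioc_count > 0 THEN 1 ELSE 0 END) AS events_with_ioc
FROM intrusion_event
WHERE impact = 1
  AND reviewed = 0
GROUP BY rule_classification_id, rule_classification
ORDER BY event_count DESC;
```

The impact and reviewed filters are the point: impact = 1 narrows the result to events the system correlated with a vulnerable target, and reviewed = 0 excludes what an analyst has already closed, so the second query is a direct measure of the open Red-impact backlog per classification.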