Cisco Firepower Management Center 2000 Developer Guide
9-3
FireSIGHT System Database Access Guide
Chapter 9 Schema: Correlation Tables
compliance_event
dst_rna_service
If identified, the application protocol on the destination host that is associated with the triggering event. If not identified, one of the following:
• none or blank - no application protocol traffic
• unknown - the server cannot be identified based on known server fingerprints
• pending - the system needs more information
dst_user_dept
The department of the destination user.
dst_user_email
The email address of the destination user.
dst_user_first_name
The first name of the destination user.
dst_user_id
The internal identification number for the destination user; that is, the user who last logged into the destination host before the event occurred.
dst_user_last_name
The last name of the destination user.
dst_user_last_seen_sec
The UNIX timestamp of the date and time the system last reported a login for the destination user.
dst_user_last_updated_sec
The UNIX timestamp of the date and time the destination user's information was last updated.
dst_user_name
The user name for the destination user.
dst_user_phone
The destination user’s phone number.
dst_vlan_id
The destination host’s VLAN identification number, if applicable.
event_id
The identification number of the triggering intrusion event generated by the device.
event_time_sec
The UNIX timestamp of the date and time of the triggering event.
event_time_usec
The microsecond increment of the triggering event timestamp.
event_type
The type of underlying event that triggered the correlation rule or caused the Defense Center to generate the correlation event. Values are:
• ids, for intrusion event triggers
• rna, for discovery event, host input event, connection event, or traffic profile change triggers
• rua, for user discovery event triggers
• whitelist, for compliance white list violation triggers
host_event_type
The event type, for example, New Host or Identity Conflict.
id
An internal identification number for the correlation event.
impact
The impact flag value of the event. Values are:
• 1 - Red (vulnerable)
• 2 - Orange (potentially vulnerable)
• 3 - Yellow (currently not vulnerable)
• 4 - Blue (unknown target)
• 5 - Gray (unknown impact)
Set only when the correlation rule was triggered by an intrusion event.
Table 9-2 compliance_event Fields (continued) - columns: Field, Description
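As an added example (not part of the Cisco guide), the following Python script builds an in-memory SQLite stand-in for the compliance_event table using a subset of the columns documented above, fills it with constructed rows, and runs the query an analyst most often wants against this table: correlation events that were triggered by an intrusion event (event_type ids) and carry impact flag 1 (Red, vulnerable), newest first, with the dst_rna_service placeholder values decoded into their documented meaning. The CREATE TABLE statement, the sample rows and the helper names are assumptions made for the example; on a real deployment the same SELECT runs against the Defense Center database through its database access feature rather than SQLite. Because impact is populated only when the trigger was an intrusion event, the query keeps the event_type filter next to the impact filter instead of relying on impact alone.

```python
"""Query and decode compliance_event rows against constructed sample data in SQLite."""
import sqlite3

# Value tables taken from the compliance_event field descriptions above.
EVENT_TYPES = {
    "ids": "intrusion event",
    "rna": "discovery, host input, connection or traffic profile change",
    "rua": "user discovery event",
    "whitelist": "compliance white list violation",
}
IMPACT = {
    1: "Red (vulnerable)",
    2: "Orange (potentially vulnerable)",
    3: "Yellow (currently not vulnerable)",
    4: "Blue (unknown target)",
    5: "Gray (unknown impact)",
}


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory stand-in for compliance_event (assumed subset of columns) with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        """
        CREATE TABLE compliance_event (
            id INTEGER, event_id INTEGER, event_type TEXT, host_event_type TEXT,
            event_time_sec INTEGER, event_time_usec INTEGER, impact INTEGER,
            dst_rna_service TEXT, dst_user_name TEXT, dst_vlan_id INTEGER)
        """
    )
    # Constructed sample rows: impact is NULL for non-ids triggers, as the guide states.
    rows = [
        (1, 501, "ids", None, 1400000000, 120000, 1, "http", "alice", 10),
        (2, 502, "ids", None, 1400000300, 5, 3, "ssh", "bob", 10),
        (3, 0, "rna", "New Host", 1400000600, 0, None, "", None, 20),
        (4, 503, "ids", None, 1400000900, 999999, 1, "pending", "alice", 10),
        (5, 0, "whitelist", None, 1400001200, 0, None, "unknown", "carol", 30),
    ]
    con.executemany("INSERT INTO compliance_event VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    return con


def vulnerable_intrusion_events(con: sqlite3.Connection, since_sec: int) -> list:
    """Correlation events triggered by an intrusion event and flagged Red (impact 1), newest first."""
    sql = """
        SELECT id, event_id, event_time_sec, event_time_usec, dst_rna_service, dst_user_name
        FROM compliance_event
        WHERE event_type = 'ids'
          AND impact = 1
          AND event_time_sec >= ?
        ORDER BY event_time_sec DESC, event_time_usec DESC
    """
    return con.execute(sql, (since_sec,)).fetchall()


def describe_service(value) -> str:
    """Expand the documented dst_rna_service placeholders; pass a real protocol name through unchanged."""
    if value is None or value == "" or value == "none":
        return "no application protocol traffic"
    if value == "unknown":
        return "server not identified from known server fingerprints"
    if value == "pending":
        return "system needs more information"
    return value


def event_timestamp_usec(sec: int, usec: int) -> int:
    """Combine event_time_sec and event_time_usec into a single integer microsecond timestamp."""
    return sec * 1_000_000 + usec


def summarize(con: sqlite3.Connection, since_sec: int) -> list:
    """Return decoded dictionaries for each vulnerable intrusion-triggered correlation event."""
    out = []
    for id_, event_id, sec, usec, svc, user in vulnerable_intrusion_events(con, since_sec):
        out.append({
            "id": id_,
            "event_id": event_id,
            "ts_usec": event_timestamp_usec(sec, usec),
            "service": describe_service(svc),
            "user": user,
            "impact": IMPACT[1],
            "trigger": EVENT_TYPES["ids"],
        })
    return out


if __name__ == "__main__":
    db = open_sample_db()
    for entry in summarize(db, 1400000000):
        print(entry)
```

The integer microsecond timestamp avoids the rounding that a float built from the two columns would introduce when events are later sorted or compared across tables; convert it to a wall-clock time only at display time.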