FireSIGHT System Database Access Guide
Chapter 4  Schema: Intrusion Tables
intrusion_event

Table 4-2  intrusion_event Fields (continued)

Field                        Description

rule_signature_id            The signature ID (SID) for the intrusion event. Identifies the
                             specific rule, decoder message, or preprocessor message that
                             caused the event to be generated.

security_context             Description of the security context (virtual firewall) that the
                             traffic passed through. Note that the system only populates this
                             field for ASA FirePOWER devices in multi-context mode.

security_zone_egress_name    The egress security zone in the intrusion event that triggered
                             the policy violation.

security_zone_ingress_name   The ingress security zone in the intrusion event that triggered
                             the policy violation.

sensor_address               The IP address of the managed device that generated the event.
                             Format is ipv4_address,ipv6_address.

sensor_name                  The name of the managed device that generated the intrusion
                             event.

sensor_uuid                  A unique identifier for the managed device, or 0 if sensor_name
                             is null.

src_continent_name           The name of the continent of the destination host. One of:
                             ** - Unknown
                             na - North America
                             as - Asia
                             af - Africa
                             eu - Europe
                             sa - South America
                             au - Australia
                             an - Antarctica

src_country_id               Code for the country of the destination host.

src_country_name             Name of the country of the destination host.

src_ip_address               Field deprecated in Version 5.2. Due to backwards compatibility
                             the value in this field is not set to null, but it is not
                             reliable.

src_ip_address_v6            Field deprecated in Version 5.2. Due to backwards compatibility
                             the value in this field is not set to null, but it is not
                             reliable.

src_ipaddr                   A binary representation of the IPv4 or IPv6 address for the
                             source host involved in the triggering event.

src_port                     Either:
                             • the source port number, if the event protocol type is TCP
                               or UDP
                             • the ICMP type, if the event protocol type is ICMP

src_user_dept                The department of the source user.

src_user_email               The email address for the source user.

src_user_first_name          The first name of the source user.

src_user_id                  The internal identification number for the source user; that
                             is, the user who last logged into the source host before the
                             intrusion event occurred.

src_user_last_name           The last name of the source user.
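As an added example (not from the Cisco guide), the following query reports event volume per managed device, rule and source geolocation using only the intrusion_event fields listed above. It assumes the read-only SQL access this guide describes and a MySQL-compatible dialect; it reads src_ipaddr rather than the deprecated src_ip_address fields, and leaves the binary value as stored because the guide gives no conversion function for it.

```sql
-- Added example: per-sensor, per-rule event counts with source geolocation.
-- Assumes read-only access to the FireSIGHT database and MySQL-like syntax.
SELECT
    sensor_name,
    sensor_address,                 -- "ipv4_address,ipv6_address" as stored
    rule_signature_id,              -- SID of the rule/decoder/preprocessor
    security_zone_ingress_name,
    src_continent_name,
    src_country_name,
    COUNT(*)                  AS event_count,
    COUNT(DISTINCT src_ipaddr) AS distinct_sources  -- binary IPv4/IPv6 value
FROM intrusion_event
WHERE sensor_name IS NOT NULL            -- rows with sensor_uuid = 0 carry no device name
  AND src_continent_name <> 'Unknown'    -- drop events the system could not geolocate
  -- src_port is only a port for TCP/UDP; for ICMP it holds the ICMP type,
  -- so it is deliberately not used as a filter here.
GROUP BY
    sensor_name,
    sensor_address,
    rule_signature_id,
    security_zone_ingress_name,
    src_continent_name,
    src_country_name
ORDER BY event_count DESC
LIMIT 25;
```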