Developer Guide for Cisco Firepower Management Center 4000
10-2
FireSIGHT System Database Access Guide
Chapter 10 Schema: File Event Tables
file_event

The file_event table contains information on files that are detected passing through the monitored network. Each file event can be correlated with a connection event. Details of the file and file transfer are recorded, including the name, size, source, destination, and direction of the file, a SHA256 hash of the file, the device that detected the file, and whether it is considered to be malware.
file_event Fields

Field                     Description

action                    The action taken on the file based on the file type. Can have the following values:
                          • 1 - Detect
                          • 2 - Block
                          • 3 - Malware Cloud Lookup
                          • 4 - Malware Block
                          • 5 - Malware Whitelist
                          • 6 - Cloud Lookup Timeout

application_id            ID number that maps to the application using the file transfer.

application_name          One of the following:
                          • the name of the application used in the connection
                          • pending or unknown if the system cannot identify the application
                          • blank if there is no application information in the connection

archived                  Indicates whether the file has been archived.

client_application_id     The internal identification number for the client application, if applicable.

client_application_name   The name of the client application, if applicable.

connection_sec            UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the file event.

counter                   Specific counter for the event, used to distinguish among multiple events that happened during the same second.

direction                 Whether the file was uploaded or downloaded. Currently the value depends entirely on the protocol (for example, if the connection is HTTP it is a download).

disposition               The malware status of the file. Possible values include:
                          • CLEAN - The file is clean and does not contain malware.
                          • UNKNOWN - It is unknown whether the file contains malware.
                          • MALWARE - The file contains malware.
                          • UNAVAILABLE - The software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.
                          • CUSTOM SIGNATURE - The file matches a user-defined hash, and is treated in a fashion designated by the user.
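The following query is an added example (not from the guide) that uses the fields above to surface a common review case: files whose cloud disposition came back MALWARE but whose action was something other than Malware Block (4), so the file was detected, looked up, or whitelisted rather than stopped. It assumes the database access interface accepts standard SQL CASE expressions and integer comparison on connection_sec; the time lower bound is a constructed placeholder.

```sql
-- Added example, not part of the FireSIGHT guide.
-- Malware-disposition file events that were not blocked, newest first.
SELECT
    connection_sec,                 -- UNIX seconds of the associated connection event
    counter,                        -- distinguishes events logged in the same second
    direction,                      -- upload or download, derived from the protocol
    application_name,               -- may be pending/unknown/blank per the table above
    client_application_name,
    disposition,
    action,
    CASE action                     -- decode the numeric action code from the schema
        WHEN 1 THEN 'Detect'
        WHEN 2 THEN 'Block'
        WHEN 3 THEN 'Malware Cloud Lookup'
        WHEN 4 THEN 'Malware Block'
        WHEN 5 THEN 'Malware Whitelist'
        WHEN 6 THEN 'Cloud Lookup Timeout'
        ELSE 'Unrecognized'
    END AS action_label
FROM file_event
WHERE disposition = 'MALWARE'
  AND action <> 4                   -- anything except Malware Block
  AND connection_sec >= 1400000000  -- constructed lower bound; replace with your window
ORDER BY connection_sec DESC, counter DESC;
```

Rows with action 5 (Malware Whitelist) are expected policy exceptions; rows with action 1, 2, 3 or 6 alongside a MALWARE disposition indicate files that passed before or without a block decision and are worth correlating with the matching connection event via connection_sec and counter.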