Developer Guide for Cisco Firepower Management Center 4000
2-16
FireSIGHT System Database Access Guide
Chapter 2 Setting Up Database Access
Sample Queries
Intrusion Events
To uniquely match an intrusion event across multiple managed devices, include the following fields in your query of the intrusion_event table:
– intrusion_event.event_id
– intrusion_event.event_time_sec
– intrusion_event.sensor_uuid
Sample Queries
The following sections contain sample queries that illustrate how you can use the database access feature:
Caution
Performing some of these sample queries may be expensive, depending on your deployment. See for more information.
Audit Records for a User
The following query returns all records in the audit log for a particular user, displaying all timestamps in UTC:
SELECT FROM_UNIXTIME(action_time_sec), user, message
FROM audit_log
WHERE user = 'eventanalyst';
Intrusion Events by Priority and Classification
The following query duplicates the Drilldown of Event, Priority, and Classification view in the Events By Priority and Classification workflow. If you have not changed the default Intrusion Events workflow in your user preferences, this is the first page you see when you select Analysis > Intrusion Events on the Defense Center web interface:
SELECT rule_message, priority, rule_classification, count(*) AS Count
FROM intrusion_event
WHERE reviewed="0"
GROUP BY rule_message, priority, rule_classification
ORDER BY Count;
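The following queries are an added example, not part of the Cisco guide, that apply the composite key described above (event_id, event_time_sec, sensor_uuid) to the intrusion_event table: the first checks that no rows collide on that key, the second summarizes unreviewed events per managed device. They assume the MySQL-compatible syntax the guide's own samples use (FROM_UNIXTIME, and UNIX_TIMESTAMP for the 24-hour window); every column name is taken from this page.

```sql
-- Added example (not from the Cisco guide). Assumes the MySQL-style SQL
-- the page's own samples use; all column names appear on this page.

-- 1. Sanity check: the guide states that (event_id, event_time_sec,
--    sensor_uuid) identifies an event uniquely across devices. If this
--    query returns any rows, some export or join has produced duplicates
--    and counts built on event_id alone would be inflated.
SELECT event_id,
       event_time_sec,
       sensor_uuid,
       COUNT(*) AS copies
FROM intrusion_event
GROUP BY event_id, event_time_sec, sensor_uuid
HAVING COUNT(*) > 1
ORDER BY copies DESC;

-- 2. Per-device summary of unreviewed events in the last 24 hours,
--    counting distinct events by the full composite key rather than by
--    event_id (which is only unique within one managed device).
SELECT sensor_uuid,
       priority,
       COUNT(DISTINCT event_id, event_time_sec, sensor_uuid) AS distinct_events,
       FROM_UNIXTIME(MIN(event_time_sec)) AS first_seen_utc,
       FROM_UNIXTIME(MAX(event_time_sec)) AS last_seen_utc
FROM intrusion_event
WHERE reviewed = "0"
  AND event_time_sec >= UNIX_TIMESTAMP() - 86400
GROUP BY sensor_uuid, priority
ORDER BY priority, distinct_events DESC;
```

Like the sample queries above, the second statement scans intrusion_event and can be expensive on a large deployment; narrow the time window if it runs slowly.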