Developer Guide for Cisco Firepower Management Center 4000
FireSIGHT System Database Access Guide
Chapter 3 Schema: System-Level Tables
fireamp_event
event_type_id
The internal ID of the FireAMP event type. Each event_type_id value has an associated event_type value. The possible display values and the associated types are:
• 553648143 - Threat Quarantined
• 553648145 - Threat Detected in Exclusion
• 553648146 - Cloud Recall Restore from Quarantine Started
• 553648147 - Cloud Recall Quarantine Started
• 553648149 - Quarantined Item Restored
• 553648150 - Quarantine Restore Started
• 553648154 - Cloud Recall Restore from Quarantine
• 553648155 - Cloud Recall Quarantine
• 553648168 - Blocked Execution
• 554696714 - Scan Started
• 554696715 - Scan Completed, No Detections
• 1090519054 - Threat Detected
• 1091567628 - Scan Completed With Detections
• 1107296256 - FireAMP IOC
• 2164260880 - Quarantine Failure
• 2164260893 - Cloud Recall Quarantine Attempt Failed
• 2164260884 - Quarantine Restore Failed
• 2164260892 - Cloud Recall Restore from Quarantine Failed
• 2165309453 - Scan Failed
file_name
The name of the detected or quarantined file.
file_path
The file path, not including the file name, of the detected or quarantined file.
file_sha
The SHA-256 hash value of the detected or quarantined file.
file_size
The size in bytes of the detected or quarantined file.
file_timestamp
The creation timestamp of the detected or quarantined file.
file_type
The file type of the detected or quarantined file.
file_type_id
The internal ID of the file type of the detected or quarantined file.
instance_id
Numerical ID of the Snort instance on the managed device that generated the event.
ioc_count
Number of indications of compromise found in the event.
parent_file_name
The name of the file accessing the detected or quarantined file when detection occurred.
parent_file_sha
The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
policy_uuid
Identification number that acts as a unique identifier for the access control policy that triggered the event.
Table 3-3 fireamp_event Fields (continued)
Columns: Field, Description
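As an added example (not part of the Cisco guide), the following Python code folds rows exported from fireamp_event into a per-file state using the event_type_id values listed above, and returns the SHA-256 values whose latest event is a detection or a failed quarantine. The row-as-dict shape, the oldest-first row order, the function names and the sample rows are assumptions constructed for illustration.

```python
# Added example; IDs are from the list above, oldest-first row order is assumed.
STATE_BY_EVENT = {
    1090519054: "detected",           # Threat Detected
    553648145: "detected",            # Threat Detected in Exclusion
    553648143: "quarantined",         # Threat Quarantined
    553648155: "quarantined",         # Cloud Recall Quarantine
    2164260880: "quarantine_failed",  # Quarantine Failure
    2164260893: "quarantine_failed",  # Cloud Recall Quarantine Attempt Failed
    553648149: "restored",            # Quarantined Item Restored
    553648154: "restored",            # Cloud Recall Restore from Quarantine
}
OPEN_STATES = {"detected", "quarantine_failed"}  # no successful quarantine after


def file_states(rows):
    """Fold rows into {file_sha: {"state", "file_name", "parent_file_sha"}}."""
    files = {}
    for row in rows:
        state = STATE_BY_EVENT.get(row.get("event_type_id"))
        sha = row.get("file_sha")
        if state is None or not sha:
            continue  # scan events and rows without a hash carry no file state
        entry = files.setdefault(sha, {"file_name": set(), "parent_file_sha": set()})
        entry["state"] = state  # later rows overwrite earlier ones
        for field in ("file_name", "parent_file_sha"):
            if row.get(field):
                entry[field].add(row[field])
    return files


def open_findings(rows):
    """Return the sorted SHA-256 values whose latest state is in OPEN_STATES."""
    return sorted(s for s, e in file_states(rows).items() if e["state"] in OPEN_STATES)


# Constructed sample rows: hashes and file names are made up.
A, B, C, P = "a" * 64, "b" * 64, "c" * 64, "f" * 64
SAMPLE_ROWS = [
    dict(event_type_id=e, file_sha=s, file_name=n, parent_file_sha=p)
    for e, s, n, p in [
        (554696714, None, None, None),   # Scan Started: ignored
        (1090519054, A, "a.exe", P),     # detected ...
        (2164260880, A, "a.exe", None),  # ... quarantine failed: open
        (2164260880, B, "b.dll", None),  # failed ...
        (553648143, B, "b.dll", None),   # ... then quarantined: closed
        (553648149, C, "c.js", None),    # restored ...
        (1090519054, C, "c.js", P),      # ... and detected again: open
    ]
]
```

Calling `open_findings(SAMPLE_ROWS)` returns the hashes for the first and third files; the second drops out because a later Threat Quarantined row supersedes its Quarantine Failure.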