access_control_policy_name |
The access control policy associated with the intrusion policy that generated the intrusion event. Note that the access control policy name and access control rule name combination is unique for a Firepower Management Center. |
access_control_policy_UUID |
The UUID of the access control policy associated with the intrusion policy that generated the intrusion event. |
access_control_rule_id |
The internal identification number of the access control rule associated with the intrusion policy that generated the intrusion event. |
access_control_rule_name |
The name of the access control rule associated with the intrusion policy that generated the intrusion event. Note that the access control rule name is unique within a policy but not across different policies. |
application_protocol_id |
The internal identification number of the application protocol. |
application_protocol_name |
One of:
- the name of the application, if a positive identification can be made
- pending if the system requires more data
- blank if there is no application information in the connection
|
blocked |
The value indicating what happened to the packet that triggered the intrusion event:
- 0 — Packet not dropped
- 1 — Packet dropped (inline, switched, or routed deployment)
- 2 — Packet that triggered the event would have been dropped, if the intrusion policy had been applied to a device configured in inline, switched, or routed deployment
|
client_application_id |
The internal identification number of the client application that was used in the intrusion event. |
client_application_name |
The client application, if available, that was used in the intrusion event. One of:
- the name of the application, if a positive identification can be made
- a generic client name if the system detects a client application but cannot identify a specific one.
- null if there is no application information in the connection
|
connection_sec |
UNIX timestamp (seconds since 00:00:00 01/01/1970) of the connection event associated with the intrusion event. |
counter |
Number that is incremented for each connection event in a given second, and is used to differentiate among multiple connection events that happen during the same second. |
detection_engine_name |
Field deprecated in Version 5.0. Returns null for all queries. |
detection_engine_uuid |
Field deprecated in Version 5.0. Returns null for all queries. |
domain_name |
Name of the domain specified for the event. |
domain_uuid |
UUID of the domain specified for the event. This is presented in binary. |
dst_continent_name |
The name of the continent of the destination host. One of:
- ** — Unknown
- na — North America
- as — Asia
- af — Africa
- eu — Europe
- sa — South America
- au — Australia
- an — Antarctica
|
dst_country_id |
Code for the country of the destination host. |
dst_country_name |
Name of the country of the destination host. |
dst_ip_address |
Field deprecated in Version 5.2. For backwards compatibility the value in this field is not set to null, but it is not reliable. |
dst_ip_address_v6 |
Field deprecated in Version 5.2. For backwards compatibility the value in this field is not set to null, but it is not reliable. |
dst_ipaddr |
A binary representation of the IPv4 or IPv6 address for the destination host involved in the triggering event. |
dst_port |
Either:
- the destination port number, if the event protocol type is TCP or UDP
- the ICMP code, if the event protocol type is ICMP
|
dst_user_dept |
The department of the destination user. |
dst_user_email |
The email address of the destination user. |
dst_user_first_name |
The first name of the destination user. |
dst_user_id |
The internal identification number for the destination user; that is, the user who last logged into the destination host before the intrusion event occurred. |
dst_user_last_name |
The last name of the destination user. |
dst_user_last_seen_sec |
The UNIX timestamp of the date and time when the system last reported a login for the destination user. |
dst_user_last_updated_sec |
The UNIX timestamp of the date and time when the system last updated the destination user’s record. |
dst_user_name |
The user name for the destination user. |
dst_user_phone |
The telephone number for the destination user. |
event_id |
The internal identification number for the event. Uniquely identifies an event on the Firepower Management Center. |
event_time_sec |
The UNIX timestamp of the date and time when the event packet was captured. |
event_time_usec |
The microsecond increment of the event timestamp. If microsecond resolution is not available, this value is 0. |
http_response_code |
The response code given to the HTTP request in the event. |
icmp_code |
ICMP code if the event is ICMP traffic, or null if the event was not generated from ICMP traffic. |
icmp_type |
ICMP type if the event is ICMP traffic, or null if the event was not generated from ICMP traffic. |
impact |
The impact flag value of the event. Integer values are:
- 1 — Red (vulnerable)
- 2 — Orange (potentially vulnerable)
- 3 — Yellow (currently not vulnerable)
- 4 — Blue (unknown target)
- 5 — Gray (unknown impact)
|
instance_id |
Numerical ID of the Snort instance on the managed device that generated the event. |
interface_egress_name |
The name of the interface for the outbound traffic. |
interface_ingress_name |
The name of the interface for the inbound traffic. |
intrusion_event_policy_uuid |
A unique identifier for the intrusion policy that triggered the intrusion event. |
intrusion_event_policy_name |
The intrusion policy that generated the intrusion event. |
ioc_count |
Number of indications of compromise found in the event. |
network_analysis_policy_name |
The network analysis policy associated with the intrusion policy that generated the intrusion event. |
network_analysis_policy_UUID |
The UUID of the network analysis policy associated with the intrusion policy that generated the intrusion event. |
priority |
The priority for the rule classification associated with the event. Rule priority is set in the user interface. |
protocol_name |
The text name of the traffic protocol associated with the intrusion event. |
protocol_num |
The IANA number of the protocol as listed in http://www.iana.org/assignments/protocol-numbers . |
reviewed |
Whether the intrusion event has been marked as reviewed:
- 1 — Reviewed
- 0 — Not reviewed
|
rule_classification |
The description of the rule classification associated with the intrusion event, which usually describes the attack detected by the rule that triggered the event. For example: A Network Trojan was Detected. |
rule_classification_id |
The identification number for the rule classification associated with the intrusion event. |
rule_generator |
The component that generated the intrusion event. The generator can be either a rules engine, decoder, or preprocessor. |
rule_generator_id |
The generator ID (GID) of the component named in rule_generator that generated the intrusion event. |
rule_message |
Explanatory text for the event. For rule-based intrusion events, the message is generated from the rule. For decoder- and preprocessor-based events, the message is hard coded. |
rule_revision |
The revision number of the rule associated with the intrusion event. |
rule_signature_id |
The signature ID (SID) for the intrusion event. Identifies the specific rule, decoder message, or preprocessor message that caused the event to be generated. |
security_context |
Description of the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
security_zone_egress_name |
The egress security zone in the intrusion event that triggered the policy violation. |
security_zone_ingress_name |
The ingress security zone in the intrusion event that triggered the policy violation. |
sensor_address |
The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address. |
sensor_name |
The name of the managed device that generated the intrusion event. |
sensor_uuid |
A unique identifier for the managed device, or 0 if sensor_name is null. |
src_continent_name |
The name of the continent of the source host. One of:
- ** — Unknown
- na — North America
- as — Asia
- af — Africa
- eu — Europe
- sa — South America
- au — Australia
- an — Antarctica
|
src_country_id |
Code for the country of the source host. |
src_country_name |
Name of the country of the source host. |
src_ip_address |
Field deprecated in Version 5.2. For backwards compatibility the value in this field is not set to null, but it is not reliable. |
src_ip_address_v6 |
Field deprecated in Version 5.2. For backwards compatibility the value in this field is not set to null, but it is not reliable. |
src_ipaddr |
A binary representation of the IPv4 or IPv6 address for the source host involved in the triggering event. |
src_port |
Either:
- the source port number, if the event protocol type is TCP or UDP
- the ICMP type, if the event protocol type is ICMP
|
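Several of the fields above need decoding before a row from this table is useful to an analyst: src_ipaddr and dst_ipaddr are binary, domain_uuid is binary, src_port and dst_port carry the ICMP type and code when the protocol is ICMP, event_time_usec has to be folded into event_time_sec, and blocked and impact are integer codes. The following Python is an added example and is not code from the Firepower documentation. It assumes rows arrive as dictionaries keyed by the column names listed on this page, that an IPv4 address may be stored either as 4 raw bytes or as a 16-byte IPv4-mapped IPv6 address (an assumption about storage, not something the page states), and that ICMP is identified by the IANA protocol numbers 1 (ICMP) and 58 (ICMPv6). The sample rows at the bottom are constructed for the example.

```python
import ipaddress
import uuid
from datetime import datetime, timezone

# Labels for the blocked field as documented above (0, 1, 2).
BLOCKED_LABELS = {0: "not dropped", 1: "dropped", 2: "would have dropped"}

# Labels for the impact field as documented above (1..5).
IMPACT_LABELS = {
    1: "red (vulnerable)",
    2: "orange (potentially vulnerable)",
    3: "yellow (currently not vulnerable)",
    4: "blue (unknown target)",
    5: "gray (unknown impact)",
}

# Assumption: protocol_num is the IANA number; 1 = ICMP, 58 = ICMPv6.
ICMP_PROTOCOL_NUMS = {1, 58}


def decode_ipaddr(raw):
    """Decode a binary *_ipaddr column (4 bytes IPv4 or 16 bytes IPv6).

    Assumption: some exports store IPv4 as a 16-byte IPv4-mapped IPv6 address;
    that case is unwrapped to the plain IPv4 string. Returns None for an empty column.
    """
    if raw is None:
        return None
    raw = bytes(raw)
    if len(raw) not in (4, 16):
        raise ValueError(f"unexpected address length {len(raw)}")
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def decode_domain_uuid(raw):
    """domain_uuid is presented in binary; render it as the usual UUID string."""
    return str(uuid.UUID(bytes=bytes(raw))) if raw is not None else None


def event_timestamp(row):
    """Combine event_time_sec and event_time_usec into an aware UTC datetime."""
    usec = row.get("event_time_usec") or 0  # 0 when microsecond resolution is unavailable
    return datetime.fromtimestamp(row["event_time_sec"], tz=timezone.utc).replace(microsecond=usec)


def normalize_event(row):
    """Produce an analyst-friendly view of one intrusion_event row."""
    out = {
        "event_id": row["event_id"],
        "time": event_timestamp(row).isoformat(),
        "src": decode_ipaddr(row.get("src_ipaddr")),
        "dst": decode_ipaddr(row.get("dst_ipaddr")),
        "blocked": BLOCKED_LABELS.get(row.get("blocked"), "unknown"),
        "impact": IMPACT_LABELS.get(row.get("impact"), "unknown"),
        "domain": decode_domain_uuid(row.get("domain_uuid")),
    }
    if row.get("protocol_num") in ICMP_PROTOCOL_NUMS:
        # For ICMP the port columns are overloaded: src_port holds the ICMP type
        # and dst_port holds the ICMP code, so do not report them as ports.
        out["icmp_type"] = row.get("src_port")
        out["icmp_code"] = row.get("dst_port")
        out["src_port"] = out["dst_port"] = None
    else:
        out["src_port"] = row.get("src_port")
        out["dst_port"] = row.get("dst_port")
    return out


def needs_attention(row):
    """Triage rule: blocked == 2 means the packet was only notionally dropped (passive
    deployment) and actually reached its target; combined with impact 1 or 2 (target
    vulnerable or potentially vulnerable) and not yet reviewed, that is worth a look."""
    return (row.get("blocked") == 2
            and row.get("impact") in (1, 2)
            and row.get("reviewed", 0) == 0)


# Constructed sample rows (not real event data).
SAMPLE_ROWS = [
    {"event_id": 1001, "event_time_sec": 1700000000, "event_time_usec": 250000,
     "src_ipaddr": bytes([10, 0, 0, 5]), "dst_ipaddr": bytes([192, 168, 1, 20]),
     "protocol_num": 6, "src_port": 51234, "dst_port": 445,
     "blocked": 2, "impact": 1, "reviewed": 0, "domain_uuid": bytes(range(16))},
    {"event_id": 1002, "event_time_sec": 1700000001, "event_time_usec": 0,
     "src_ipaddr": ipaddress.IPv6Address("2001:db8::1").packed,
     "dst_ipaddr": ipaddress.IPv6Address("2001:db8::99").packed,
     "protocol_num": 58, "src_port": 128, "dst_port": 0,
     "blocked": 1, "impact": 4, "reviewed": 0, "domain_uuid": None},
]


def triage(rows=SAMPLE_ROWS):
    """Return the normalized view of every row that needs attention."""
    return [normalize_event(r) for r in rows if needs_attention(r)]


if __name__ == "__main__":
    for ev in triage():
        print(ev)
```

Because the port columns are reinterpreted only when protocol_num is ICMP, the same function can be run over a mixed TCP/UDP/ICMP result set without misreporting an ICMP type as a source port; the icmp_type and icmp_code columns on this page carry the same values and can be used as a cross-check.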
src_user_dept |
The department of the source user. |
src_user_email |
The email address for the source user. |
src_user_first_name |
The first name of the source user. |
src_user_id |
The internal identification number for the source user; that is, the user who last logged into the source host before the intrusion event occurred. |
src_user_last_name |
The last name of the source user. |
src_user_last_seen_sec |
The UNIX timestamp of the date and time the system last reported a login for the source user. |
src_user_last_updated_sec |
The UNIX timestamp of the date and time the source user’s record was last updated. |
src_user_name |
The user name for the source user. |
src_user_phone |
The source user’s phone number. |
vlan_id |
The identification number of the innermost VLAN associated with the packet that triggered the intrusion event. |
web_application_id |
The internal identification number of the web application that was used in the intrusion event, if applicable. |
web_application_name |
The web application that was used in the intrusion event, if applicable. One of:
- the name of the application, if a positive identification can be made
- web browsing if the system detects an application protocol of HTTP but cannot identify a specific web application
- blank if the connection has no HTTP traffic
|