- Introduction to Database Access
- Setting Up Database Access
- Schema - System-Level Tables
- Schema - Intrusion Event Tables
- Schema - Statistics Tracking Tables
- Schema - Discovery and Network Map Tables
- Schema - Connection Log Tables
- Schema - User Activity Tables
- Schema - Correlation Logs
- Schema - File Event Tables
- Deprecated Tables
Schema: Connection Log Tables
This chapter contains information on the schema and supported joins for connection data.
For more information, see the sections listed in the following table. The Version column indicates the Database Access versions supported by each listed table.
|
|
|
---|---|---|
Individual connections. Supersedes deprecated table |
||
Connection log summaries. Supersedes deprecated table |
||
connection_log
The connection_log
table contains information on connection events. The Firepower System generates a connection event when a connection between a monitored host and any other host is established; the event contains detailed information about the monitored traffic.
The connection_log
table supersedes the deprecated rna_flow
table starting with Version 5.0 of the Firepower System.
For more information, see the following sections:
connection_log Fields
The following table describes the database fields you can access in the connection_log
table.
|
|
---|---|
The access control policy that contains the access control rule (or default action) that logged the connection. |
|
The UUID of the access control policy that contains the access control rule (or default action) that logged the connection. |
|
The reason that the access control rule logged the connection. One or more of the following: |
|
The action associated with the access control rule (or default action): |
|
The access control rule (or default action) that logged the connection. |
|
An internal identification number of the application protocol. |
|
The total number of bytes transmitted by the session responder. |
|
The Unix timestamp on which the SSL certificate used in the connection ceases to be valid. |
|
The Unix timestamp when the SSL certificate used in the connection was issued. |
|
An internal identification number for the client application that was used in the intrusion event. |
|
The client application, if available, that was used in the intrusion event. One of: |
|
The detection source for the connection information. Either: |
|
Counter for the intrusion event associated with the connection event. |
|
DNS Response. Possible values include:
|
|
UUID of the domain for the session. This is presented in binary. |
|
The number of files identified by Snort in a session. A record is generated for each file identified in the session. |
|
The UNIX timestamp of the date and time the first packet of the session was seen. |
|
The response code given to the HTTP request in the connection. |
|
ICMP code if the event is ICMP traffic, or |
|
ICMP type if the event is ICMP traffic, or |
|
The name of the continent of the host that initiated the session: |
|
Code for the country of the host that initiated the session. |
|
Field deprecated in Version 5.2. Due to backwards compatibility the value in this field is not set to |
|
Field deprecated in Version 5.0. Returns |
|
A binary representation of the IP address of the host that initiated the session. |
|
Field deprecated in Version 5.2. Returns |
|
The department of the user who last logged into the initiator host. |
|
The email address of the user who last logged into the initiator host. |
|
The first name of the user who last logged into the initiator host. |
|
An internal identification number for the user who last logged into the initiator host. |
|
The last name of the user who last logged into the initiator host. |
|
The UNIX timestamp of the date and time the Firepower System last detected user activity for the user who last logged into the initiator host. |
|
The UNIX timestamp of the date and time the Firepower System last updated the user record for the user who last logged into the initiator host. |
|
The user name of the user who last logged into the initiator host. |
|
The phone number of the user who last logged into the initiator host. |
|
Numerical ID of the Snort instance on the managed device that generated the event. |
|
Number of indications of compromise found in the connection. |
|
The number of intrusion events generated in the connection prior to intrusion event thresholding. |
|
The UNIX timestamp of the date and time the last packet of the session was seen. |
|
IP address of the interface communicating with ISE. Can be IPv4 or IPv6. |
|
The ID of the first monitor rule associated with the connection. This ID is associated with the name stored in |
|
The ID of the second monitor rule associated with the connection. This ID is associated with the name stored in |
|
The ID of the third monitor rule associated with the connection. This ID is associated with the name stored in |
|
The ID of the fourth monitor rule associated with the connection. This ID is associated with the name stored in |
|
The ID of the fifth monitor rule associated with the connection. This ID is associated with the name stored in |
|
The ID of the sixth monitor rule associated with the connection. This ID is associated with the name stored in |
|
The ID of the seventh monitor rule associated with the connection. This ID is associated with the name stored in |
|
The ID of the eighth monitor rule associated with the connection. This ID is associated with the name stored in |
|
The name of the first monitor rule associated with the connection. This name is associated with the ID stored in |
|
The name of the second monitor rule associated with the connection. This name is associated with the ID stored in |
|
The name of the third monitor rule associated with the connection. This name is associated with the ID stored in |
|
The name of the fourth monitor rule associated with the connection. This name is associated with the ID stored in |
|
The name of the fifth monitor rule associated with the connection. This name is associated with the ID stored in |
|
The name of the sixth monitor rule associated with the connection. This name is associated with the ID stored in |
|
The name of the seventh monitor rule associated with the connection. This name is associated with the ID stored in |
|
The name of the eighth monitor rule associated with the connection. This name is associated with the ID stored in |
|
Netflow autonomous system number of the destination, either origin or peer. |
|
Type of service from the IP header when packets are flowing from the destination to the source. |
|
ID of the interface used by packets flowing from the source to the destination. |
|
ID of the interface used by packets flowing from the destination to the source. |
|
Netflow autonomous system number of the source, either origin or peer. |
|
Type of service from the IP header when packets are flowing from the source to the destination. |
|
The network analysis policy associated with the intrusion policy that generated the intrusion event. |
|
The UUID of the network analysis policy associated with the intrusion policy that generated the intrusion event. |
|
The name of the continent of the host that originally initiated the session: |
|
Code for the country of the host that originally initiated the session. This field is used when there is a proxy in the connection. |
|
Name of the country of the host that originally initiated the session. This field is used when there is a proxy in the connection. |
|
A binary representation of the IP address of the host that originally initiated the session. This field is used when there is a proxy in the connection. |
|
The total number of packets received by the host that initiated the session. |
|
The total number of packets transmitted by the host that initiated the session. |
|
The name of the prefilter policy that generated the intrusion event. |
|
The UUID of the prefilter policy that generated the intrusion event. |
|
The IANA number of the protocol as listed in |
|
The name of the continent of the host that responded to the session initiator: |
|
Code for the country of the host that responded to the session initiator. |
|
Name of the country of the host that responded to the session initiator. |
|
Field deprecated in Version 5.2. Due to backwards compatibility the value in this field is not set to |
|
Field deprecated in Version 5.2. Returns |
|
A binary representation of the IPv4 or IPv6 address for the host that responded to the session initiator. |
|
Field deprecated in Version 5.2. Returns |
|
The department of the user who last logged into the host that responded to the session initiator. |
|
The email address of the user who last logged into the host that responded to the session initiator. |
|
The first name of the user who last logged into the host that responded to the session initiator. |
|
An internal identification number for the user who last logged into the host that responded to the session initiator. |
|
The last name of the user who last logged into the host that responded to the session initiator. |
|
The UNIX timestamp of the date and time the Firepower System last detected user activity for the user who last logged into the host that responded to the session initiator. |
|
The UNIX timestamp of the date and time the Firepower System last updated the user record for the user who last logged into the host that responded to the session initiator. |
|
The user name of the user who last logged into the host that responded to the session initiator. |
|
The phone number of the user who last logged into the host that responded to the session initiator. |
|
Description of the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
|
The Security Intelligence category associated with the connection. |
|
Whether the Security Intelligence-monitored IP address associated with the connection is a source IP ( |
|
The IP address of the managed device that generated the event. Format is |
|
A unique identifier for the managed device, or |
|
Field deprecated in Version 5.0. Returns |
|
Field deprecated in Version 5.2. Due to backwards compatibility the value in this field is not set to |
|
The action performed on the connection based on the SSL Rule. This may differ from the expected action, as the action as specified in the rule may be impossible. Possible values include: |
|
Encryption suite used by the SSL connection. The value is stored |
|
The action which should be performed on the connection based on the SSL Rule. Possible values include: |
|
The debugging level flags for an encrypted connection. Possible values include:
|
|
The messages exchanged between client and server during the SSL handshake. See
|
|
Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
|
|
Issuer Common name from the SSL certificate. This is typically the host and domain name of the certificate issuer, but may contain other information. |
|
The default action configured for the policy when no rules match. |
|
The action selected in the user interface for the SSL rule ( |
|
ID number of the SSL rule or default action that handled the connection. |
|
The serial number of the SSL certificate, assigned by the issuing CA. |
|
Name provided in the server name indication in the SSL Client Hello. |
|
Subject Common name from the SSL certificate. This is typically the host and domain name of the certificate subject, but may contain other information. |
|
Category of the flow as identified from the server name and certificate common name. |
|
The SSL or TLS protocol version used to encrypt the connection. |
|
The URL requested by the monitored host during the session, if available. |
|
The reputation of the URL requested by the monitored host. One of the following: |
|
connection_log Joins
The following table describes the joins you can perform using the connection_log
table.
connection_log Sample Query
The following query returns up to 25 connection event records from the connection_log
table, sorted in descending order based on packet timestamps.
SELECT first_packet_sec, last_packet_sec, initiator_ipaddr, responder_ipaddr, security_zone_ingress_name, security_zone_egress_name, initiator_port, protocol_name, responder_port, application_protocol_id, client_application_id, web_application_id, url, url_category, url_reputation
WHERE first_packet_sec <= UNIX_TIMESTAMP("2011-10-01 00:00:00"
) ORDER BY first_packet_sec
connection_summary
The connection_summary
table contains information on connection summaries or aggregated connections. The Firepower System aggregates connections over five-minute intervals. To be aggregated, connections must:
- have the same source and destination IP addresses
- use the same protocol
- use the same application
- either be detected by the same managed device (for sessions detected by managed devices with Firepower) or be exported by the same NetFlow-enabled device and processed by the same managed device
The aggregated data in a connection summary includes the total number of packets and bytes sent by the initiator and responder hosts, as well as the number of connections in the summary.
The connection_summary
table supersedes the deprecated rna_flow_summary
table starting with Version 5.0 of the Firepower System.
For more information, see the following sections:
connection_summary Fields
The following table describes the database fields you can access in the connection_summary
table.
|
|
---|---|
An internal identification number for the application protocol. |
|
The total number of bytes transmitted by the session responder. |
|
The total number of bytes transmitted by the session initiator. |
|
The detection source for the connection information. Either: |
|
UUID of the domain for the session. This is presented in binary. |
|
Field deprecated in Version 5.0. Returns |
|
An internal identification number for the connection summary. |
|
Field deprecated in Version 5.2. Returns |
|
A binary representation of the IP address of the host that initiated the session. |
|
The department of the user who last logged into the initiator host. |
|
The email address of the user who last logged into the initiator host. |
|
The first name of the user who last logged into the initiator host. |
|
An internal identification number for the user who last logged into the initiator host. |
|
The last name of the user who last logged into the initiator host. |
|
The UNIX timestamp of the date and time the Firepower System last detected user activity for the user who last logged into the initiator host. |
|
The UNIX timestamp of the date and time the Firepower System last updated the user record for the user who last logged into the initiator host. |
|
The user name of the user who last logged into the initiator host. |
|
The phone number of the user who last logged into the initiator host. |
|
Netmap ID for the domain on which the connection was detected. |
|
The number of connections in the summary. For long-running connections, that is, connections that span multiple connection summary intervals, only the first connection summary is incremented. |
|
A binary representation of the IP address of the host that originally initiated the session. This field is used when there is a proxy in the connection. |
|
The total number of packets transmitted by the session responder. |
|
The total number of packets transmitted by the session initiator. |
|
The IANA number of the protocol as listed in |
|
Field deprecated in Version 5.2. Returns |
|
A binary representation of the IP address of the host that responded to the initiator of the aggregated sessions. |
|
The department of the user who last logged into the host that responded to the initiator of the aggregated sessions. |
|
The email address of the user who last logged into the host that responded to the initiator of the aggregated sessions. |
|
The first name of the user who last logged into the host that responded to the initiator of the aggregated sessions. |
|
An internal identification number for the user who last logged into the host that responded to the initiator of the aggregated sessions. |
|
The last name of the user who last logged into the host that responded to the initiator of the aggregated sessions. |
|
The UNIX timestamp of the date and time the Firepower System last detected user activity for the user who last logged into the host that responded to the initiator of the aggregated sessions. |
|
The UNIX timestamp of the date and time the Firepower System last updated the user record for the user who last logged into the host that responded to the session initiator. |
|
The user name of the user who last logged into the host that responded to the initiator of the aggregated sessions. |
|
The phone number of the user who last logged into the host that responded to the initiator of the aggregated sessions. |
|
The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address. |
|
The name of the managed device that monitored the aggregated sessions. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the date and time the five-minute interval used to aggregate the sessions in the summary started. |
connection_summary Joins
The following table describes the joins you can perform using the connection_summary
table.
connection_summary Sample Query
The following query returns up to five connection event summary records detected by the selected device.
SELECT initiator_ipaddr, responder_ipaddr, protocol_name, application_protocol_id, source_device, sensor_name, sensor_address, packets_recv, packets_sent, bytes_recv, bytes_sent, connection_type, num_connections
si_connection_log
The si_connection_log
table contains information on security intelligence events. The Firepower System generates a Security Intelligence event when a connection is blocked or monitored by Security Intelligence; the event contains detailed information about the monitored traffic.
For more information, see the following sections:
si_connection_log Fields
The following table describes the database fields you can access in the si_connection_log
table.
|
|
---|---|
The access control policy that contains the access control rule (or default action) that logged the connection. |
|
The UUID of the access control policy that contains the access control rule (or default action) that logged the connection. |
|
The reason that the access control rule logged the connection. One or more of the following: |
|
The action associated with the access control rule (or default action): |
|
The access control rule (or default action) that logged the connection. |
|
An internal identification number of the application protocol. |
|
The total number of bytes transmitted by the session responder. |
|
The Unix timestamp on which the SSL certificate used in the connection ceases to be valid. |
|
The Unix timestamp when the SSL certificate used in the connection was issued. |
|
An internal identification number for the client application that was used in the intrusion event. |
|
The client application, if available, that was used in the intrusion event. One of: |
|
The detection source for the connection information. Either: |
|
Counter for the intrusion event associated with the connection event. |
|
DNS Response. Possible values include:
|
|
UUID of the domain for the session. This is presented in binary. |
|
The number of files identified by snort in a session. A record is generated for each file identified in the session. |
|
The UNIX timestamp of the date and time the first packet of the session was seen. |
|
The response code given to the HTTP request in the connection. |
|
ICMP code if the event is ICMP traffic, or |
|
ICMP type if the event is ICMP traffic, or |
|
The name of the continent of the host that initiated the session. |
|
Code for the country of the host that initiated the session. |
|
A binary representation of the IP address of the host that initiated the session. |
|
The department of the user who last logged into the initiator host. |
|
The email address of the user who last logged into the initiator host. |
|
The first name of the user who last logged into the initiator host. |
|
An internal identification number for the user who last logged into the initiator host. |
|
The last name of the user who last logged into the initiator host. |
|
The UNIX timestamp of the date and time the Firepower System last detected user activity for the user who last logged into the initiator host. |
|
The UNIX timestamp of the date and time the Firepower System last updated the user record for the user who last logged into the initiator host. |
|
The user name of the user who last logged into the initiator host. |
|
The phone number of the user who last logged into the initiator host. |
|
Numerical ID of the Snort instance on the managed device that generated the event. |
|
Number of indications of compromise found in the connection. |
|
The number of intrusion events generated in the connection prior to intrusion event thresholding. |
|
The UNIX timestamp of the date and time the last packet of the session was seen. |
|
IP address of the interface communicating with ISE. Can be IPv4 or IPv6. |
|
The ID of the first monitor rule associated with the connection. This ID is associated with the name stored in |
|
The ID of the second monitor rule associated with the connection. This ID is associated with the name stored in |
|
The ID of the third monitor rule associated with the connection. This ID is associated with the name stored in |
|
The ID of the fourth monitor rule associated with the connection. This ID is associated with the name stored in |
|
The ID of the fifth monitor rule associated with the connection. This ID is associated with the name stored in |
|
The ID of the sixth monitor rule associated with the connection. This ID is associated with the name stored in |
|
The ID of the seventh monitor rule associated with the connection. This ID is associated with the name stored in |
|
The ID of the eighth monitor rule associated with the connection. This ID is associated with the name stored in |
|
The name of the first monitor rule associated with the connection. This name is associated with the ID stored in |
|
The name of the second monitor rule associated with the connection. This name is associated with the ID stored in |
|
The name of the third monitor rule associated with the connection. This name is associated with the ID stored in |
|
The name of the fourth monitor rule associated with the connection. This name is associated with the ID stored in |
|
The name of the fifth monitor rule associated with the connection. This name is associated with the ID stored in |
|
The name of the sixth monitor rule associated with the connection. This name is associated with the ID stored in |
|
The name of the seventh monitor rule associated with the connection. This name is associated with the ID stored in |
|
The name of the eighth monitor rule associated with the connection. This name is associated with the ID stored in |
|
Netflow autonomous system number of the destination, either origin or peer. |
|
Type of service from the IP header when packets are flowing from the destination to the source. |
|
ID of the interface used by packets flowing from the source to the destination. |
|
ID of the interface used by packets flowing from the destination to the source. |
|
Netflow autonomous system number of the source, either origin or peer. |
|
Type of service from the IP header when packets are flowing from the source to the destination. |
|
The network analysis policy associated with the intrusion policy that generated the intrusion event. |
|
The UUID of the network analysis policy associated with the intrusion policy that generated the intrusion event. |
|
The name of the continent of the host that originally initiated the session: |
|
Code for the country of the host that originally initiated the session. This field is used when there is a proxy in the connection. |
|
Name of the country of the host that originally initiated the session. This field is used when there is a proxy in the connection. |
|
A binary representation of the IP address of the host that originally initiated the session. This field is used when there is a proxy in the connection. |
|
The total number of packets received by the host that initiated the session. |
|
The total number of packets transmitted by the host that initiated the session. |
|
The name of the prefilter policy that generated the intrusion event. |
|
The UUID of the prefilter policy that generated the intrusion event. |
|
The IANA number of the protocol as listed in |
|
The name of the continent of the host that responded to the session initiator. |
|
Code for the country of the host that responded to the session initiator. |
|
Name of the country of the host that responded to the session initiator. |
|
A binary representation of the IPv4 or IPv6 address for the host that responded to the session initiator. |
|
The department of the user who last logged into the host that responded to the session initiator. |
|
The email address of the user who last logged into the host that responded to the session initiator. |
|
The first name of the user who last logged into the host that responded to the session initiator. |
|
An internal identification number for the user who last logged into the host that responded to the session initiator. |
|
The last name of the user who last logged into the host that responded to the session initiator. |
|
The UNIX timestamp of the date and time the Firepower System last detected user activity for the user who last logged into the host that responded to the session initiator. |
|
The UNIX timestamp of the date and time the Firepower System last updated the user record for the user who last logged into the host that responded to the session initiator. |
|
The user name of the user who last logged into the host that responded to the session initiator. |
|
The phone number of the user who last logged into the host that responded to the session initiator. |
|
Description of the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
|
The Security Intelligence category associated with the connection. |
|
Whether the Security Intelligence-monitored IP address associated with the connection is a source IP ( |
|
The IP address of the managed device that generated the event. Format is |
|
A unique identifier for the managed device, or |
|
The action performed on the connection based on the SSL Rule. This may differ from the expected action, as the action as specified |
|
Encryption suite used by the SSL connection. The value is stored |
|
The action which should be performed on the connection based on |
|
The debugging level flags for an encrypted connection. Possible |
|
The messages exchanged between client and server during the SSL handshake. See
|
|
Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
|
|
Issuer Common name from the SSL certificate. This is typically the host and domain name of the certificate issuer, but may contain other information. |
|
The default action configured for the policy when no rules match. |
|
The action selected in the user interface for the SSL rule ( |
|
ID number of the SSL rule or default action that handled the connection. |
|
The serial number of the SSL certificate, assigned by the issuing CA. |
|
Name provided in the server name indication in the SSL Client Hello. |
|
Subject Common name from the SSL certificate. This is typically the host and domain name of the certificate subject, but may contain other information. |
|
Category of the flow as identified from the server name and certificate common name. |
|
The SSL or TLS protocol version used to encrypt the connection. |
|
The URL requested by the monitored host during the session, if available. |
|
The reputation of the URL requested by the monitored host. One of the following: |
|
si_connection_log Joins
The following table describes the joins you can perform using the si_connection_log
table.
si_connection_log Sample Query
The following query returns up to 25 connection event records from the si_connection_log
table, sorted in descending order based on packet timestamps.
SELECT first_packet_sec, last_packet_sec, initiator_ipaddr, responder_ipaddr, security_zone_ingress_name, security_zone_egress_name, initiator_port, protocol_name, responder_port, application_protocol_id, client_application_id, web_application_id, url, url_category, url_reputation
WHERE first_packet_sec <= UNIX_TIMESTAMP("2011-10-01 00:00:00") ORDER BY first_packet_sec