| Field | Description |
|---|---|
| blocked | Value indicating what happened to the packet that triggered the intrusion event: `0` — Packet not dropped; `1` — Packet dropped (inline, switched, or routed deployments); `2` — Packet that triggered the event would have been dropped, if the intrusion policy had been applied to a device in an inline, switched, or routed deployment. |
| description | Information about the correlation event and how it was triggered. |
| detection_engine_name | Field deprecated in Version 5.0. Returns `null` for all queries. |
| detection_engine_uuid | Field deprecated in Version 5.0. Returns `null` for all queries. |
| domain_name | Name of the domain on which the event was detected. |
| domain_uuid | UUID of the domain on which the event was detected. This is presented in binary. |
| dst_host_criticality | The user-assigned host criticality of the destination host involved in the correlation event: `None`, `Low`, `Medium`, or `High`. |
| dst_host_type | The destination host type: `Host`, `Router`, `Bridge`, `NAT Device`, or `Load Balancer`. |
| dst_ip_address | Field deprecated in Version 5.2. For backwards compatibility the value in this field is not set to `null`, but it is not reliable. |
| dst_ip_address_v6 | Field deprecated in Version 5.2. For backwards compatibility the value in this field is not set to `null`, but it is not reliable. |
| dst_ipaddr | A binary representation of the IPv4 or IPv6 address of the destination host involved in the triggering event. |
| dst_os_product | The operating system name on the destination host. |
| dst_os_vendor | The operating system's vendor on the destination host. |
| dst_os_version | The operating system's version number on the destination host. |
| dst_port | The port number of the host receiving the traffic if the event protocol type is TCP or UDP. The ICMP code if the protocol type is ICMP. |
| dst_rna_service | If identified, the application protocol on the destination host that is associated with the triggering event. If not identified, one of the following: `none` or blank — no application protocol traffic; `unknown` — the server cannot be identified based on known server fingerprints; `pending` — the system needs more information. |
| dst_user_dept | The department of the destination user. |
| dst_user_email | The email address of the destination user. |
| dst_user_first_name | The first name of the destination user. |
| dst_user_id | The internal identification number of the destination user; that is, the user who last logged into the destination host before the event occurred. |
| dst_user_last_name | The last name of the destination user. |
| dst_user_last_seen_sec | The UNIX timestamp of the date and time the system last reported a login for the destination user. |
| dst_user_last_updated_sec | The UNIX timestamp of the date and time the destination user's information was last updated. |
| dst_user_name | The user name of the destination user. |
| dst_user_phone | The destination user's phone number. |
| dst_vlan_id | The destination host's VLAN identification number, if applicable. |
| event_id | The identification number of the triggering intrusion event generated by the device. |
| event_time_sec | The UNIX timestamp of the date and time of the triggering event. |
| event_time_usec | The microsecond increment of the triggering event timestamp. |
| event_type | The type of underlying event that triggered the correlation rule or caused the Firepower Management Center to generate the correlation event. Values are: `ids`, for intrusion event triggers; `rna`, for discovery event, host input event, connection event, or traffic profile change triggers; `rua`, for user discovery event triggers; `whitelist`, for compliance allow list violation triggers. |
| host_event_type | The event type, for example, `New Host` or `Identity Conflict`. |
| id | An internal identification number for the correlation event. |
| impact | The impact flag value of the event. Values are: `1` — Red (vulnerable); `2` — Orange (potentially vulnerable); `3` — Yellow (currently not vulnerable); `4` — Blue (unknown target); `5` — Gray (unknown impact). Set only when the correlation rule was triggered by an intrusion event. |
| interface_egress_name | The egress interface associated with the connection. |
| interface_ingress_name | The ingress interface associated with the connection. |
| policy_name | The correlation policy that was violated. |
| policy_rule_name | The correlation rule that triggered the policy violation. |
| policy_rule_uuid | A unique identifier for the correlation rule. |
| policy_time_sec | The UNIX timestamp of the date and time the correlation event was generated. |
| policy_uuid | A unique identifier for the correlation policy. |
| priority | The priority of the correlation event, which is set in the user interface. The event priority is determined by the priority of either the triggered rule or the violated correlation policy. |
| protocol_name | The protocol associated with the event, if available. |
| protocol_num | The IANA-specified protocol number, if available. |
| rna_event_type | Field deprecated in Version 5.0. Returns `null` for all queries. |
| rua_event_type | Field deprecated in Version 5.0. Returns `null` for all queries. |
| rule_generator_id | The generator ID (GID) of the component that generated the triggering intrusion event. |
| rule_message | Explanatory text about the intrusion event that triggered the correlation rule. For rule-based events, the message is generated from the rule. For decoder- and preprocessor-based events, the message is hard-coded. |
| rule_signature_id | The signature ID (SID) of the event. Identifies the specific rule or rules, decoder message, or preprocessor message that caused the triggering intrusion event to be generated. |
| security_zone_egress_name | The egress security zone in the correlation event. |
| security_zone_ingress_name | The ingress security zone in the correlation event. |
| sensor_address | The IP address of the managed device that generated the underlying event that triggered the compliance event. Format is `ipv4_address,ipv6_address`. |
| sensor_name | The managed device that generated the underlying event that triggered the compliance event. |
| sensor_uuid | A unique identifier for the managed device, or `0` if `sensor_name` is `null`. |
| src_host_criticality | The user-assigned host criticality of the source host involved in the compliance event: `None`, `Low`, `Medium`, or `High`. |
| src_host_type | The source host type: `Host`, `Router`, `Bridge`, `NAT Device`, or `Load Balancer`. |
| src_ip_address | Field deprecated in Version 5.2. For backwards compatibility the value in this field is not set to `null`, but it is not reliable. |
| src_ip_address_v6 | Field deprecated in Version 5.2. For backwards compatibility the value in this field is not set to `null`, but it is not reliable. |
| src_ipaddr | A binary representation of the IPv4 or IPv6 address of the source host involved in the triggering event. |
| src_os_product | The operating system's name on the source host. |
| src_os_vendor | The operating system's vendor on the source host. |
| src_os_version | The operating system's version number on the source host. |
| src_port | The port number on the source host. For ICMP traffic, the ICMP type appears instead. |
| src_rna_service | If identified, the application protocol on the source host that is associated with the triggering event. If not identified, one of the following: `none` or blank — no application protocol traffic; `unknown` — the server and application protocol cannot be identified based on known server fingerprints; `pending` — the system needs more information. |
| src_user_dept | The department of the source user. |
| src_user_email | The email address of the source user. |
| src_user_first_name | The first name of the source user. |
| src_user_id | The internal identification number of the source user; that is, the user who last logged into the source host before the event occurred. |
| src_user_last_name | The last name of the source user. |
| src_user_last_seen_sec | The UNIX timestamp of the date and time the system last reported a login for the source user. |
| src_user_last_updated_sec | The UNIX timestamp of the date and time the source user's information was last updated. |
| src_user_name | The login user name of the source user. |
| src_user_phone | The source user's phone number. |
| src_vlan_id | The source host's VLAN identification number, if applicable. |
| user_event_type | The type of triggering user event, for example, `New User Identity` or `User Login`. |
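The encoded fields above (`event_type`, `blocked`, `impact`, the binary `*_ipaddr` columns, the GID/SID pair) are what a detection engineer touches first when triaging correlation events. The following is an added example, not code from the Cisco guide: it stands up an in-memory sqlite3 table with the same column names as a stand-in for the real database, fills it with constructed rows (the GIDs, SIDs, addresses and policy names are made up), and pulls out intrusion-triggered events against a vulnerable host of a chosen criticality where the packet was not actually dropped. It assumes `src_ipaddr`/`dst_ipaddr` hold 16 bytes with IPv4 addresses stored as IPv4-mapped IPv6 (`::ffff:a.b.c.d`); the guide only says the value is binary, so that layout is an assumption to verify against your own data.

```python
"""Triage of compliance_event rows (added example, not from the Cisco guide).

Assumptions, all constructed for this example:
  * an in-memory sqlite3 table stands in for the Firepower compliance_event
    table and carries only the columns the query needs;
  * src_ipaddr / dst_ipaddr hold 16 bytes, with IPv4 stored as IPv4-mapped
    IPv6 (::ffff:a.b.c.d) -- an assumption, not stated by the guide;
  * the rows, GIDs, SIDs, addresses and policy names are made up.
"""
import ipaddress
import sqlite3
from datetime import datetime, timezone

# Decoded meanings of the integer fields, taken from the field descriptions.
BLOCKED = {0: "not dropped", 1: "dropped", 2: "would have been dropped"}
IMPACT = {
    1: "red (vulnerable)",
    2: "orange (potentially vulnerable)",
    3: "yellow (currently not vulnerable)",
    4: "blue (unknown target)",
    5: "gray (unknown impact)",
}


def ipaddr_to_text(raw):
    """Render a 16-byte *_ipaddr value; IPv4-mapped values come back dotted-quad."""
    if raw is None:
        return ""
    addr = ipaddress.IPv6Address(bytes(raw))
    return str(addr.ipv4_mapped or addr)


def _packed(text):
    """Inverse of ipaddr_to_text, used only to build the constructed rows."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        addr = ipaddress.IPv6Address(f"::ffff:{addr}")
    return addr.packed


def build_sample_db():
    """Constructed stand-in for compliance_event with five illustrative rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        """CREATE TABLE compliance_event (
               id INTEGER, event_type TEXT, blocked INTEGER, impact INTEGER,
               dst_host_criticality TEXT, src_ipaddr BLOB, dst_ipaddr BLOB,
               dst_port INTEGER, rule_generator_id INTEGER, rule_signature_id INTEGER,
               rule_message TEXT, policy_name TEXT, policy_rule_name TEXT,
               policy_time_sec INTEGER)"""
    )
    rows = [
        # id, event_type, blocked, impact, criticality, src, dst, port, gid, sid, msg, policy, rule, time
        (1, "ids", 0, 1, "High", _packed("198.51.100.7"), _packed("10.0.0.5"), 445,
         1, 1000001, "CONSTRUCTED SMB rule", "Crown jewels", "Vulnerable host hit", 1700000000),
        (2, "ids", 1, 1, "High", _packed("198.51.100.8"), _packed("10.0.0.5"), 445,
         1, 1000001, "CONSTRUCTED SMB rule", "Crown jewels", "Vulnerable host hit", 1700000010),
        # rna trigger: blocked and impact are not set for non-intrusion events
        (3, "rna", None, None, "High", _packed("10.0.0.9"), _packed("10.0.0.5"), None,
         None, None, None, "Crown jewels", "New host seen", 1700000020),
        (4, "ids", 0, 3, "Medium", _packed("198.51.100.9"), _packed("10.0.1.2"), 80,
         1, 1000002, "CONSTRUCTED HTTP rule", "Crown jewels", "Vulnerable host hit", 1700000030),
        (5, "ids", 2, 1, "High", _packed("2001:db8::99"), _packed("2001:db8::1"), 22,
         1, 1000003, "CONSTRUCTED SSH rule", "Crown jewels", "Vulnerable host hit", 1700000040),
    ]
    conn.executemany("INSERT INTO compliance_event VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?)", rows)
    return conn


def unblocked_vulnerable(conn, criticality="High"):
    """Intrusion-triggered correlation events (event_type 'ids') against a
    vulnerable host (impact 1) of the given criticality where the packet was
    not actually dropped (blocked 0 or 2). rna/rua/whitelist triggers carry no
    blocked/impact value and fall out on the event_type test."""
    cur = conn.execute(
        """SELECT id, policy_name, policy_rule_name, policy_time_sec, blocked, impact,
                  src_ipaddr, dst_ipaddr, dst_port, rule_generator_id,
                  rule_signature_id, rule_message
           FROM compliance_event
           WHERE event_type = 'ids' AND impact = 1 AND blocked IN (0, 2)
                 AND dst_host_criticality = ?
           ORDER BY policy_time_sec""",
        (criticality,),
    )
    hits = []
    for r in cur:
        hits.append({
            "id": r["id"],
            "policy": f"{r['policy_name']} / {r['policy_rule_name']}",
            "time": datetime.fromtimestamp(r["policy_time_sec"], tz=timezone.utc).isoformat(),
            "src": ipaddr_to_text(r["src_ipaddr"]),
            "dst": ipaddr_to_text(r["dst_ipaddr"]),
            "dst_port": r["dst_port"],
            "gid_sid": f"{r['rule_generator_id']}:{r['rule_signature_id']}",
            "blocked": BLOCKED[r["blocked"]],
            "impact": IMPACT[r["impact"]],
            "message": r["rule_message"],
        })
    return hits


if __name__ == "__main__":
    for hit in unblocked_vulnerable(build_sample_db()):
        print(hit)
```

Against the constructed rows the query returns events 1 and 5: event 2 was dropped inline, event 3 is a discovery (`rna`) trigger with no `blocked`/`impact`, and event 4 is impact 3 on a Medium host. Treating `blocked = 2` as a hit is deliberate: the intrusion policy was not deployed inline, so the packet reached the host even though the rule would have dropped it.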