- Introduction to Database Access
- Setting Up Database Access
- Schema - System-Level Tables
- Schema - Intrusion Event Tables
- Schema - Statistics Tracking Tables
- Schema - Discovery and Network Map Tables
- Schema - Connection Log Tables
- Schema - User Activity Tables
- Schema - Correlation Logs
- Schema - File Event Tables
- Deprecated Tables
Schema: Intrusion Tables
This chapter contains information on the schema and supported joins for intrusion events, the packets that triggered the events, and the associated rule messages.
For more information, see the sections listed in the following table.
intrusion_event
The intrusion_event
table contains information on possible intrusions identified by the Firepower System. For each possible intrusion, the system generates an event and an associated record in the database, which contains the date, time, type of exploit, access control policy and rule, intrusion policy and rule, and other contextual information about the source and target of the attack.
Tip For packet-based events, a copy of the packet or packets that triggered the event may also be available; see intrusion_event_packet Sample Query.
For more information, see the following sections:
intrusion_event Fields
The following table describes the database fields you can access in the intrusion_event
table.
|
|
---|---|
The access control policy associated with the intrusion policy that generated the intrusion event. Note that the access control policy name and access control rule name combination is unique for a Firepower Management Center. |
|
The UUID of the access control policy associated with the intrusion policy that generated the intrusion event. |
|
The internal identification number of the access control rule associated with the intrusion policy that generated the intrusion event. |
|
The name of the access control rule associated with the intrusion policy that generated the intrusion event. Note that the access control rule name is unique within a policy but not across different policies. |
|
The internal identification number of the application protocol. |
|
The value indicating what happened to the packet that triggered the intrusion event: |
|
The internal identification number of the client application that was used in the intrusion event. |
|
The client application, if available, that was used in the intrusion event. One of: |
|
UNIX timestamp (seconds since 00:00:00 01/01/1970) of the connection event associated with the intrusion event. |
|
Number that is incremented for each connection event in a given second, and is used to differentiate among multiple connection events that happen during the same second. |
|
Field deprecated in Version 5.0. Returns |
|
Field deprecated in Version 5.0. Returns |
|
UUID of the domain specified for the event. This is presented in binary. |
|
Field deprecated in Version 5.2. Due to backwards compatibility the value in this field is not set to |
|
Field deprecated in Version 5.2. Due to backwards compatibility the value in this field is not set to |
|
A binary representation of the IPv4 or IPv6 address for the destination host involved in the triggering event. |
|
The internal identification number for the destination user; that is, the user who last logged into the destination host before the intrusion event occurred. |
|
The UNIX timestamp of the date and time when the system last reported a login for the destination user. |
|
The UNIX timestamp of the date and time when the system last updated the destination user’s record. |
|
The internal identification number for the event. Uniquely identifies an event on the Firepower Management Center. |
|
The UNIX timestamp of the date and time when the event packet was captured. |
|
The microsecond increment of the event timestamp. If microsecond resolution is not available, this value is |
|
ICMP code if the event is ICMP traffic, or |
|
ICMP type if the event is ICMP traffic, or |
|
Numerical ID of the Snort instance on the managed device that generated the event. |
|
A unique identifier for the intrusion policy that triggered the intrusion event. |
|
The network analysis policy associated with the intrusion policy that generated the intrusion event. |
|
The UUID of the network analysis policy associated with the intrusion policy that generated the intrusion event. |
|
The priority for the rule classification associated with the event. Rule priority is set in the user interface. |
|
The text name of the traffic protocol associated with the intrusion event. |
|
The IANA number of the protocol as listed in |
|
The description of the rule classification associated with the intrusion event, which usually describes the attack detected by the rule that triggered the event. For example: |
|
The identification number for the rule classification associated with the intrusion event. |
|
The component that generated the intrusion event. The generator can be either a rules engine, decoder, or preprocessor. |
|
The generator ID (GID) of the component named in |
|
Explanatory text for the event. For rule-based intrusion events, the message is generated from the rule. For decoder- and preprocessor-based events, the message is hard coded. |
|
The revision number of the rule associated with the intrusion event. |
|
The signature ID (SID) for the intrusion event. Identifies the specific rule, decoder message, or preprocessor message that caused the event to be generated. |
|
Description of the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
|
The egress security zone in the intrusion event that triggered the policy violation. |
|
The ingress security zone in the intrusion event that triggered the policy violation. |
|
The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address. |
|
The name of the managed device that generated the intrusion event. |
|
A unique identifier for the managed device, or |
|
Field deprecated in Version 5.2. Due to backwards compatibility the value in this field is not set to |
|
Field deprecated in Version 5.2. Due to backwards compatibility the value in this field is not set to |
|
A binary representation of the IPv4 or IPv6 address for the source host involved in the triggering event. |
|
The internal identification number for the source user; that is, the user who last logged into the source host before the intrusion event occurred. |
|
The UNIX timestamp of the date and time the system last reported a login for the source user. |
|
The UNIX timestamp of the date and time the source user’s record was last updated. |
|
The identification number of the innermost VLAN associated with the packet that triggered the intrusion event. |
|
The internal identification number of the web application that was used in the intrusion event, if applicable. |
|
The web application that was used in the intrusion event, if applicable. One of: |
intrusion_event Joins
The following table describes the joins you can perform on the intrusion_event
table.
intrusion_event Sample Query
The following query returns the 25 most common unreviewed intrusion event results, sorted in descending order based on Count
.
SELECT rule_message, priority, rule_classification, count(*) as Count
intrusion_event_packet
The intrusion_event_packet
table contains information on content of the packet or packets that triggered an intrusion event. Keep in mind if you prohibited packet transfer from your managed devices to the Firepower Management Center, the intrusion_event_packet
table contains no data.
For more information, see the following sections:
intrusion_event_packet Fields
The following table describes the database fields you can access in the intrusion_event_packet
table.
intrusion_event_packet Joins
You cannot perform joins on the intrusion_event_packet
table.
intrusion_event_packet Sample Query
The following query returns the packet information for all packets matching the selected event ID.
SELECT event_id, packet_time_sec, sensor_address, packet_data
rule_message
The rule_message
table is a list of the rule messages for intrusion rules. Each rule message is accompanied by its identifying information.
For more information, see the following sections:
rule_message Fields
The following table describes the database fields you can access in the rule_message
table.
|
|
---|---|
The rule identification number as it is rendered in the appliance user interface. |
|
rule_message Joins
rule_message Sample Query
The following query returns the intrusion rule message for the intrusion rule that has a GID of 1
and a SID of 1200
.