Secure Firewall Management Center Database Access Guide v7.3

action_time_sec

The UNIX timestamp of the date and time the appliance generated the audit record.

domain_name

Name of the domain in which the user logged in.

domain_uuid

UUID of the domain in which the user logged in. This is expressed in binary.

message

The action the user performed.

source

The IP address of the web interface user’s host, in dotted-decimal notation.

subsystem

The menu path the user followed to generate the audit record.

user

The user name of the user who triggered the audit event.

application_id

ID number that maps to the application performing the file transfer.

application_name

Name of the application performing the transfer.

cert_valid_end_date

The Unix timestamp on which the SSL certificate used in the connection ceases to be valid.

cert_valid_start_date

The Unix timestamp when the SSL certificate used in the connection was issued.

client_application_id

The internal identification number for the client application, if applicable.

client_application_name

The name of the client application, if applicable.

cloud_name

The name of the cloud service from which the malware event originated. Each cloud_name value has an associated cloud_uuid value.

cloud_uuid

The internal unique ID of the cloud service from which the malware event originated. Each cloud_uuid value has an associated cloud_name value.

connection_sec

UNIX timestamp (seconds since 00:00:00 01/01/1970) of the connection event associated with the malware event.

counter

Specific counter for the event, used to distinguish among multiple events that happened during the same second.

detection_name

The name of the detected or quarantined malware.

detector_type

The detector that detected the malware. Each detector_type value has an associated detector_type_id. The possible display values and the associated IDs are:

• ClamAV — 128
• ETHOS — 8
• SPERO — 32
• SHA — 4
• Tetra — 64

detector_type_id

The internal ID of the detection technology that detected the malware. Each detector_type_id value has an associated detector_type value. The possible display values and the associated types are:

• 4 — SHA
• 8 — ETHOS
• 32 — SPERO
• 64 — Tetra
• 128 — ClamAV

direction

Value that indicates whether the file was uploaded or downloaded. Can have the following values:

• Download
• Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

disposition

The malware status of the file. Possible values include:

• CLEAN — The file is clean and does not contain malware.
• UNKNOWN — It is unknown whether the file contains malware.
• MALWARE — The file contains malware.
• UNAVAILABLE — The software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.
• CUSTOM SIGNATURE — The file matches a user-defined hash, and is treated in a fashion designated by the user.

domain_name

Name of the domain in which the event was detected.

domain_uuid

UUID of the domain in which the event was detected. This is expressed in binary.

dst_continent_name

The name of the continent of the destination host.

** — Unknown

na — North America

as — Asia

af — Africa

eu — Europe

sa — South America

au — Australia

an — Antarctica

dst_country_id

Code for the country of the destination host.

dst_country_name

Name of the country of the destination host.

dst_ip_address_v6

This field has been deprecated and will now return null.

dst_ipaddr

A binary representation of the IPv4 or IPv6 address for the destination of the connection.

dst_ipaddr_str

The IP address of the destination of the connection in a human-readable format.

dst_port

Port number for the destination of the connection.

endpoint_user

The user determined by the Cisco AMP for Endpoints agent if the event was detected by the Cisco cloud. This user is not associated with LDAP and does not appear in the discovered_users table.

event_description

The additional event information associated with the event type.

event_id

The internal unique ID of the malware event.

event_subtype

The action that led to malware detection. Each event_subtype value has an associated event_subtype_id value. The possible display values and the associated IDs are:

• Create — 1
• Execute — 2
• Move — 22
• Scan — 4

event_subtype_id

The internal ID of the action that led to malware detection. Each event_subtype_id value has an associated event_subtype value. The possible display values and the associated subtypes are:

• 1 — Create
• 2 — Execute
• 4 — Scan
• 22 — Move

event_type

The type of malware event. Each event_type value has an associated event_type_id value. The possible display values and the associated IDs are:

• Blocked Execution — 553648168
• Cloud Recall Quarantine — 553648155
• Cloud Recall Quarantine Attempt Failed — 2164260893
• Cloud Recall Quarantine Started — 553648147
• Cloud Recall Restore from Quarantine — 553648154
• Cloud Recall Restore from Quarantine Failed — 2164260892
• Cloud Recall Restore from Quarantine Started — 553648146
• FireAMP IOC — 1107296256
• Quarantine Failure — 2164260880
• Quarantined Item Restored — 553648149
• Quarantine Restore Failed — 2164260884
• Quarantine Restore Started — 553648150
• Scan Completed, No Detections — 554696715
• Scan Completed With Detections — 1091567628
• Scan Failed — 2165309453
• Scan Started — 554696714
• Threat Detected — 1090519054
• Threat Detected in Exclusion — 553648145
• Threat Detected in Network File Transfer — 1
• Threat Detected in Network File Transfer (Retrospective) — 2
• Threat Quarantined — 553648143

event_type_id

The internal ID of the malware event type. Each event_type_id value has an associated event_type value. The possible display values and the associated types are:

• 553648143 — Threat Quarantined
• 553648145 — Threat Detected in Exclusion
• 553648146 — Cloud Recall Restore from Quarantine Started
• 553648147 — Cloud Recall Quarantine Started
• 553648149 — Quarantined Item Restored
• 553648150 — Quarantine Restore Started
• 553648154 — Cloud Recall Restore from Quarantine
• 553648155 — Cloud Recall Quarantine
• 553648168 — Blocked Execution
• 554696714 — Scan Started
• 554696715 — Scan Completed, No Detections
• 1090519054 — Threat Detected
• 1091567628 — Scan Completed With Detections
• 1107296256 — FireAMP IOC
• 2164260880 — Quarantine Failure
• 2164260893 — Cloud Recall Quarantine Attempt Failed
• 2164260884 — Quarantine Restore Failed
• 2164260892 — Cloud Recall Restore from Quarantine Failed
• 2165309453 — Scan Failed

file_name

The name of the detected or quarantined file. This name can contain UTF-8 characters.

file_path

The file path, not including the file name, of the detected or quarantined file. This path can contain UTF-8 characters.

file_sha

The SHA-256 hash value of the detected or quarantined file.

file_size

The size in bytes of the detected or quarantined file.

file_timestamp

The creation timestamp of the detected or quarantined file.

file_type

The file type of the detected or quarantined file.

file_type_id

The internal ID of the file type of the detected or quarantined file.

http_response_code

The response code given to the HTTP request in the event.

instance_id

Numerical ID of the Snort instance on the managed device that generated the event.

ioc_count

Number of indications of compromise found in the event.

parent_file_name

The name of the file accessing the detected or quarantined file when detection occurred.

parent_file_sha

The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.

policy_uuid

Identification number that acts as a unique identifier for the access control policy that triggered the event.

retroactive_
disposition

Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the disposition field. The possible values are the same as the disposition field.

score

A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.

security_context

Description of the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.

sensor_address

IP address of the device that generated the event.

sensor_id

ID of the device that generated the event.

sensor_name

The text name of the managed device that generated the event record. This field is null when the event refers to the reporting device itself, rather than to a connected device.

sensor_uuid

A unique identifier for the managed device, or 0 if fireamp_event.sensor_name is null.

src_continent_name

The name of the continent of the source host.

** — Unknown

na — North America

as — Asia

af — Africa

eu — Europe

sa — South America

au — Australia

an — Antarctica

src_country_id

Code for the country of the source host.

src_country_name

Name of the country of the source host.

src_ip_address_v6

Field deprecated in Version 5.2. Returns null for all queries.

src_ipaddr

A binary representation of the IPv4 or IPv6 address for the source of the connection.

src_ipaddr_str

The IP address of the source of the connection in a human-readable format.

src_port

Port number for the source of the connection.

ssl_issuer_common_name

Issuer Common Name from the SSL certificate. This is typically the host and domain name of the certificate issuer, but may contain other information.

ssl_issuer_country

The country of the SSL certificate issuer.

ssl_issuer_organization

The organization of the SSL certificate issuer.

ssl_issuer_organization_unit

The organizational unit of the SSL certificate issuer.

ssl_serial_number

The serial number of the SSL certificate, assigned by the issuing CA.

ssl_subject_common_name

Subject Common name from the SSL certificate This is typically the host and domain name of the certificate subject, but may contain other information.

ssl_subject_country

The country of the SSL certificate subject.

ssl_subject_organization

The organization of the SSL certificate subject.

ssl_subject_organization_unit

The organizational unit of the SSL certificate subject.

threat_name

Name of the threat.

timestamp

The malware event generation timestamp.

timestamp_str

The date and time when the malware event was generated in human-readable format of Year-Month-Day Time. For example, February 4th, 2022 is 2022-02-04 20:18:58.

url

The URL of the source of the connection.

user_id

An internal identification number for the user who last logged into the host that sent or received the file. This user is in the discovered_users table.

username

The name of the user who last logged into the host that sent or received the file.

web_application_id

The internal identification number for the web application, if applicable.

web_application_name

Name of the web application, if applicable.

description

The description of the condition that caused the associated health module to generate the health event. For example, health events generated when a process was unable to execute are labeled Unable to Execute.

domain_name

Name of the domain in which the event was detected.

domain_uuid

UUID of the domain in which the event was detected. This is presented in binary.

event_time_sec

The UNIX timestamp of the date and time the Secure Firewall Management Center generated the health event.

id

The internal identification number for the event.

module_name

The name of the health module that generated the event.

sensor_name

The text name of the managed device that generated the event record. This field is null when the health event refers to the reporting device itself, rather than to a connected one.

sensor_uuid

A unique identifier for the managed device, or zero if sensor_name is null.

status

The health monitor status that has been reported for the appliance identified in sensor_uuid. Values are:

• red — Critical status. Limits have been exceeded for at least one health module on the appliance and the problem has not been corrected.
• yellow — Warning status. Limits have been exceeded for at least one health module on the appliance and the problem has not been corrected.
• green — Normal status. All health modules on the appliance are running within the limits configured in the health policy applied to the appliance.
• recovered — All health modules on the appliance are running within the limits configured in the health policy applied to the appliance, including modules that were in a Critical or Warning state.
• disabled — Either the appliance is disabled or on a block list, or is currently unreachable, or has no health policy applied to it.
• error — At least one health monitoring module has failed on the appliance and has not been successfully re-run since the failure occurred

units

The unit of measure for results obtained by the health test. For example, % (of Disk Usage).

value

The number of units of the result obtained by the health test. For example, the value of 80% is 80.

client_ipaddr

IP address of the client which generated the syslog message, if applicable.

domain_name

Name of the domain in which the event was detected.

domain_uuid

UUID of the domain in which the event was detected. This is presented in binary.

event_time

The UNIX timestamp of the date and time the Secure Firewall Management Center generated the syslog event.

netmap_num

Netmap ID for the domain on which the event was generated.

sensor_address

The address of the sensor which generated the event.

sensor_name

The text name of the managed device that generated the event record.

sensor_uuid

A unique identifier for the managed device, or zero if sensor_name is null.

syslog_id

ID number of the syslog.

syslog_message

Contents of the syslog message.

syslog_message_class

Syslog message class.

syslog_message_id

ID number of the syslog message.

syslog_message_severity_type

Syslog severity level. Possible values are 1 through 7.

username