- Title Page for the Database Access Guide
- Introduction to Database Access
- Setting Up Database Access
- Schema � System-Level Tables
- Schema � Intrusion Event Tables
- Schema � Statistics Tracking Tables
- Schema � Discovery and Network Map Tables
- Schema � Connection Log Tables
- Schema � User Activity Tables
- Schema - Correlation Logs
- Schema � File Event Tables
- Appendix A: Deprecated Tables
- application_host_map
- application_info
- application_tag_map
- network_discovery_event
- rna_host
- rna_host_attribute
- rna_host_client_app
- rna_host_client_app_payload
- rna_host_ioc_state
- rna_host_ip_map
- rna_host_mac_map
- rna_host_os
- rna_host_os_vulns
- rna_host_protocol
- rna_host_sensor
- rna_host_service
- rna_host_service_banner
- rna_host_service_info
- rna_host_service_payload
- rna_host_service_subtype
- rna_host_service_vulns
- rna_host_third_party_vuln
- rna_host_third_party_vuln_bugtraq_id
- rna_host_third_party_vuln_cve_id
- rna_host_third_party_vuln_rna_id
- rna_vuln
- tag_info
- url_categories
- url_reputations
- user_ipaddr_history
Schema: Discovery Event and Network Map Tables
This chapter contains information on the schema and supported joins for tables related to discovery events and the Cisco network map.
Your FireSIGHT System generates discovery events continuously as it monitors the traffic produced by your hosts and network devices.
The network map is a repository of information about the network assets reported in discovery events. For each detected host and network device, the network map contains information such as operating system, servers, client applications, host attributes, vulnerabilities, and so on.
Vulnerabilities are descriptions of specific compromises or exploits to which hosts may be susceptible. Cisco maintains its own vulnerability database (VDB), which cross-references the Bugtraq database and MITRE’s CVE database. You can also import third-party vulnerability data using the host input feature.
Note that the information about a given host in the network map can vary according to the type of host and the information available in the monitored traffic.
For more information, see the sections listed in the following table. The Version column indicates the FireSIGHT System versions that support each table. While support for deprecated tables continues in the current product release, Cisco strongly recommends avoiding the use of deprecated tables and fields, to ensure continued support in the future.
|
|
|
---|---|---|
Applications detected on the hosts in your monitored network. |
||
The category, tags, productivity, and risk associated with an application detected in your monitored network. |
||
The category, tags, productivity, and risk associated with an application detected in your monitored network. deprecated in Version 5.2. Superseded by |
||
The tags associated with an application detected in your monitored network. |
||
The host attributes associated with each host in your monitored network. |
||
The client applications detected on the hosts in your monitored network. |
||
The payloads associated with HTTP (web browser) client applications detected on the hosts in your monitored network. |
||
Correlates host IDs to MAC addresses for hosts in your monitored network. |
||
The operating systems detected on the hosts in your monitored network. |
||
The vulnerabilities associated with the hosts in your monitored network. |
||
The protocols detected on the hosts in your monitored network. |
||
The hosts in your monitored network with regard to the managed device that detected them. |
||
The services detected on the hosts in your monitored network. |
||
Headers from network traffic that advertise service vendors and versions (“banners”) for the services detected on hosts in your monitored network. |
||
Details of the services detected on the hosts in your monitored network. |
||
The payloads associated with services detected on the hosts in your monitored network. |
||
The sub-services for the services detected on the hosts in your monitored network. |
||
The vulnerabilities associated with the services detected on the hosts in your monitored network. |
||
The third-party vulnerabilities associated with the hosts in your monitored network. |
||
The third-party vulnerabilities associated with the hosts in your monitored network that are also associated with a vulnerability in the Bugtraq database ( |
||
The third-party vulnerabilities associated with the hosts in your monitored network that are also associated with a vulnerability in MITRE’s CVE database. ( |
||
The third-party vulnerabilities associated with the hosts in your monitored network that are also associated with a vulnerability in the VDB. |
||
Basic information on the IP hosts in your monitored network. deprecated in Version 5.2. Superseded by |
||
The client applications detected on the hosts in your monitored network. deprecated in Version 5.2. Superseded by |
||
The payloads associated with HTTP (web browser) client applications detected on the IP hosts in your monitored network. deprecated in Version 5.2. Superseded by |
||
The operating systems detected on the IP hosts in your monitored network. deprecated in Version 5.2. Superseded by |
||
The vulnerabilities associated with the IP hosts in your monitored network. deprecated in Version 5.2. Superseded by |
||
The IP hosts in your monitored network with regard to the managed device that detected them. deprecated in Version 5.2. Superseded by |
||
The services detected on the IP hosts in your monitored network. deprecated in Version 5.2. Superseded by |
||
Headers from network traffic that advertise service vendors and versions (“banners”) for the services detected on hosts in your monitored network. deprecated in Version 5.2. Superseded by |
||
Details of the services detected on the IP hosts in your monitored network. deprecated in Version 5.2. Superseded by |
||
The payloads associated with services detected on the IP hosts in your monitored network. deprecated in Version 5.2. Superseded by |
||
The sub-services for the services detected on the IP hosts in your monitored network. deprecated in Version 5.2. Superseded by |
||
The vulnerabilities associated with the services detected on the IP hosts in your monitored network. deprecated in Version 5.2. Superseded by |
||
The third-party vulnerabilities associated with the IP hosts in your monitored network. deprecated in Version 5.2. Superseded by |
||
The third-party vulnerabilities associated with the IP hosts in your monitored network that are also associated with a vulnerability in the Bugtraq database ( deprecated in Version 5.2. Superseded by |
||
The third-party vulnerabilities associated with the IP hosts in your monitored network that are also associated with a vulnerability in MITRE’s CVE database. ( deprecated in Version 5.2. Superseded by |
||
The third-party vulnerabilities associated with the IP hosts in your monitored network that are also associated with a vulnerability in the VDB. deprecated in Version 5.2. Superseded by |
||
User activity for a particular IP host in your monitored network. deprecated in Version 5.2. Superseded by |
||
The MAC hosts (hosts without an IP address) in your monitored network. |
||
The IP hosts in your monitored network with regard to the managed devices that detected them. |
||
The MAC addresses of the IP hosts in your monitored network. deprecated in Version 5.2. Superseded by |
||
The categories that characterize URLs accessed from hosts in your monitored network. |
||
The reputations that characterize URLs accessed from hosts in your monitored network. |
||
User activity for a particular host in your monitored network. |
application_host_map
The application_host_map
table contains information on the categories and tags associated with each application detected on your network.
For more information, see the following sections:
application_host_map Fields
The following table describes the fields you can access in the application_host_map
table.
application_host_map Joins
The following table describes the joins you can perform on the application_host_map
table.
application_host_map Sample Query
The following query returns information about the applications detected on the host with a host_id
of 8
.
SELECT host_id, application_id, application_name, business_relevance, risk
application_info
The application_info
table contains information about the applications that can be detected on the hosts in your monitored network.
You can retrieve the list of tags associated with an application from the application_tag_map
table by joining on application_id
. Similarly, you can retrieve an application’s list of associated categories from the application_host_map
by joining on application_id
.
For more information, see the following sections:
application_info Fields
The following table describes the fields you can access in the application_info
table.
application_info Joins
The following table describes the joins you can perform on the application_info
table.
application_info Sample Query
The following query returns the record for the application with a host_id
of 8
.
SELECT application_id, application_name, application_description, business_relevance, risk
application_tag_map
The application_tag_map
table contains information on the tags associated with each application detected on your network.
For more information, see the following sections:
application_tag_map Fields
The following table describes the fields you can access in the application_tag_map
table.
|
|
---|---|
application_tag_map Joins
The following table describes the joins you can perform on the application_tag_map
table.
application_tag_map Sample Query
The following query returns all tag records associated with the specified application.
network_discovery_event
The network_discovery_event
table contains information on discovery and host input events. The FireSIGHT System generates discovery events when it detects a change on your monitored network, whether by discovering new network features or by detecting changes in previously identified network assets. The FireSIGHT System generates host input events when a user manually modifies the network map by adding, modifying, or deleting network assets.
The network_discovery_event
table supersedes the deprecated rna_events
table starting with Version 5.0 of the FireSIGHT System.
For more information, see the following sections:
network_discovery_event Fields
The following table describes the fields you can access in the network_discovery_event
table.
network_discovery_event Joins
The following table describes the joins you can perform using the network_discovery_event
table.
|
|
---|---|
network_discovery_event Sample Query
The following query returns discovery event records that include the user, detecting device name, timestamp, host IP address, and so on within the specified times.
SELECT sensor_name, event_time_sec, event_time_usec, event_type, ipaddr, user_id,
hex(mac_address), mac_vendor, port, confidence FROM network_discovery_event
BETWEEN UNIX_TIMESTAMP("2013-01-01 00:00:00") AND UNIX_TIMESTAMP("2013-01-01 23:59:59")
rna_host
The rna_host
table contains basic information on the hosts in your monitored network.
This table supersedes rna_ip_host
as of Version 5.2.
For more information, see the following sections:
rna_host Fields
The following table describes the fields you can access in the rna_host
table.
rna_host Joins
The following table describes the joins you can perform on the rna_host
table.
rna_host Sample Query
The following query returns 25 rna_host
records that include the host ID, VLAN ID, when the host was last seen, and the type of host, ordered by the type of host.
rna_host_attribute
The rna_host_attribute
table contains information on the host attributes associated with each host in your monitored network. It supersedes the deprecated rna_ip_host_attribute
table.
For more information, see the following sections:
rna_host_attribute Fields
The following table describes the fields you can access in the rna_host_attribute
table.
|
|
---|---|
The host attribute. For example, |
|
rna_host_attribute Joins
The following table describes the joins you can perform on the rna_host_attribute
table.
rna_host_attribute Sample Query
The following query returns all host attributes and values associated with the selected host ID.
rna_host_client_app
The rna_host_client_app
table contains information on the client applications detected on the hosts in your monitored network. It supersedes the deprecated rna_ip_host_client_app
table.
For more information, see the following sections:
rna_host_client_app Fields
The following table describes the fields you can access in the rna_host_client_app
table.
rna_host_client_app Joins
The following table describes the joins you can perform on the rna_host_client_app
table.
rna_host_client_app Sample Query
The following query returns information about the client applications detected on the host with host_id
of 8
.
SELECT host_id, client_application_id, client_application_name, version, hits, application_protocol_id, application_protocol_name, last_used_sec
rna_host_client_app_payload
The rna_host_client_app_payload
table contains information on the payloads in HTTP traffic associated with web applications on hosts detected in your monitored network.
For more information, see the following sections:
-
rna_host_client_app_payload Fields
-
rna_host_client_app_payload Joins
-
rna_host_client_app_payload Sample Query
rna_host_client_app_payload Fields
The following table describes the fields you can access in the rna_host_client_app_payload
table.
rna_host_client_app_payload Joins
The following table describes the joins you can perform on the rna_host_client_app_payload
table.
rna_host_client_app_payload Sample Query
The following query returns information about the web applications detected on the host with host_id
of 8
.
SELECT host_id, web_application_id, web_application_name, version, client_application_id, client_application_name
rna_host_ioc_state
The rna_host_ioc_state
table stores the IOC state for hosts in your monitored network.
For more information, see the following sections:
rna_host_ioc_state Fields
The following table describes the fields you can access in the rna_host_ioc_state
table.
rna_host_ioc_state Joins
The following table describes the joins you can perform on the rna_host_ioc_state
table.
rna_host_ioc_state Sample Query
The following query returns up to 25 hosts with their ioc within a specified timespan.
BETWEEN UNIX_TIMESTAMP("2011-10-01 00:00:00")
rna_host_ip_map
The rna_host_ip_map
table correlates host IDs to IP addresses for hosts in your monitored network.
For more information, see the following sections:
rna_host_ip_map Fields
The following table describes the fields you can access in the rna_host_ip_map
table.
|
|
---|---|
rna_host_ip_map Joins
The following table describes the joins you can perform on the rna_host_ip_map
table.
rna_host_ip_map Sample Query
The following query returns MAC information for the selected host.
rna_host_mac_map
The rna_host_mac_map
table correlates host IDs to MAC addresses for hosts in your monitored network.
For more information, see the following sections:
rna_host_mac_map Fields
The following table describes the fields you can access in the rna_host_mac_map
table.
|
|
---|---|
rna_host_mac_map Joins
The following table describes the joins you can perform on the rna_host_mac_map
table.
rna_host_mac_map Sample Query
The following query returns MAC information for the host with host_id
of 8
.
rna_host_os
The rna_host_os
table contains information on the operating systems detected on the hosts in your monitored network.
For more information, see the following sections:
rna_host_os Fields
The following table describes the fields you can access in the rna_host_os
table.
rna_host_os Joins
The following table describes the joins you can perform on the rna_host_os
table.
rna_host_os Sample Query
The following query returns operating system information for the host with host_id
of 8
.
rna_host_os_vulns
The rna_host_os_vulns
table contains information on the vulnerabilities associated with the hosts in your monitored network.
For more information, see the following sections:
rna_host_os_vulns Fields
The following table describes the fields you can access in the rna_host_os_vulns
table.
|
|
---|---|
A value indicating whether the vulnerability is valid for the host: |
|
rna_host_os_vulns Joins
The following table describes the joins you can perform on the rna_host_os_vulns
table.
rna_host_os_vulns Sample Query
The following query returns the operating system vulnerabilities for the host with host_id
of 8
.
rna_host_protocol
The rna_host_protocol
table contains information on the protocols detected on the hosts in your monitored network.
For more information, see the following sections:
rna_host_protocol Fields
The following table describes the fields you can access in the rna_host_protocol
table.
rna_host_protocol Joins
The following table describes the joins you can perform on the rna_host_protocol
table.
rna_host_protocol Sample Query
The following query returns all protocol records for the host with host_id
of 8
.
rna_host_sensor
The rna_host_sensor
table lists the host IP addresses in your monitored network and indicates the managed device that detected each one.
The rna_host_sensor
table supersedes the deprecated rna_ip_host_sensor
table starting with Version 5.2 of the FireSIGHT System.
For more information, see the following sections:
rna_host_sensor Fields
The following table describes the fields you can access in the rna_host_sensor
table.
rna_host_sensor Joins
The following table describes the joins you can perform on the rna_host_sensor
table.
rna_host_sensor Sample Query
The following query returns up to 25 hosts, and the sensor that detected them, from the rna_host_sensor
table.
rna_host_service
The rna_host_service
table contains general information about the servers detected on the hosts in your managed network through network port and traffic protocol combinations.
For more information, see the following sections:
rna_host_service Fields
The following table describes the fields you can access in the rna_host_service
table.
|
|
---|---|
The FireSIGHT System-assigned confidence rating (from |
|
UNIX timestamp of the date and time the system last detected server activity. |
|
rna_host_service Joins
The following table describes the joins you can perform on the rna_host_service
table.
rna_host_service Sample Query
The following query returns the first 25 detected server records for the host with host_id
of 8
:
SELECT hits, protocol, port, confidence
rna_host_service_banner
The rna_ip_host_service_banner
table contains header information from network traffic that advertises vendors and versions (“banners”) for the servers on hosts in your monitored network. Keep in mind that the FireSIGHT System does not store server banners unless you enable the Capture Banners option in the your network discovery policy.
For more information, see the following sections:
-
rna_ip_host_service_banner Fields
-
rna_host_service_banner Joins
-
rna_host_service_banner Sample Query
rna_ip_host_service_banner Fields
The following table describes the fields you can access in the rna_host_service_banner
table.
|
|
---|---|
The server banner, that is, the first 256 bytes of the first packet detected for the server. |
|
rna_host_service_banner Joins
The following table describes the joins you can perform on the rna_host_service_banner
table.
rna_host_service_banner Sample Query
The following query returns the server banner for the host with host_id
of 8
.
rna_host_service_info
The rna_host_service_info
table contains detailed information about the servers detected on the hosts in your monitored network.
For more information, see the following sections:
rna_host_service_info Fields
The following table describes the fields you can access in the rna_host_service_info
table.
rna_host_service_info Joins
The following table describes the joins you can perform on the rna_host_service_info
table.
rna_host_service_info Sample Query
The following query returns information about the application protocols detected on the host with host_id
of 8
.
SELECT host_id, application_protocol_name, version, vendor, created_sec, last_used_sec, business_relevance, risk
rna_host_service_payload
The rna_host_service_payload
table contains information on the web applications associated by the hosts in your monitored network.
For more information, see the following sections:
-
rna_host_service_payload Fields
-
rna_host_service_payload Joins
-
rna_host_service_payload Sample Query
rna_host_service_payload Fields
The following table describes the fields you can access in the rna_host_service_payload
table.
rna_host_service_payload Joins
The following table describes the joins you can perform on the rna_host_service_payload
table.
rna_host_service_payload Sample Query
The following query returns information about the web applications detected on the host with host_id
of 8
.
SELECT host_id, web_application_id, web_application_name, port, protocol
rna_host_service_subtype
The rna_host_service_subtype
table contains information on the sub-servers for a server detected on the hosts in your monitored network.
For more information, see the following sections:
-
rna_host_service_subtype Fields
-
rna_host_service_subtype Joins
-
rna_host_service_subtype Sample Query
rna_host_service_subtype Fields
The following table describes the fields you can access in the rna_host_service_subtype
table.
rna_host_service_subtype Joins
You cannot perform joins on the rna_host_service_subtype
table.
rna_host_service_subtype Sample Query
The following query returns all detected sub-server records for the host with host_id
of 8
.
SELECT host_id, service_name, version, sub_service_name, sub_service_version, sub_service_vendor
rna_host_service_vulns
The rna_host_service_vulns
table contains information on the vulnerabilities mapped to the servers detected on the hosts in your monitored network.
For more information, see the following sections:
rna_host_service_vulns Fields
The following table describes the fields you can access in the rna_host_service_vulns
table.
rna_host_service_vulns Joins
The following table describes the joins you can perform on the rna_host_service_vulns
table.
rna_host_service_vulns Sample Query
The following query returns information about all server vulnerabilities for the host with host_id
of 8
.
SELECT host_id, rna_vuln_id, vendor, service_name, version, invalid FROM rna_host_service_vulns
rna_host_third_party_vuln
The rna_host_third_party_vuln
table contains information on the third-party vulnerabilities associated with the hosts in your monitored network. Note that the information in this table is determined by the third-party vulnerability data imported via the host input feature.
For more information, see the following sections:
-
rna_host_third_party_vuln Fields
-
rna_host_third_party_vuln Joins
-
rna_host_third_party_vuln Sample Query
rna_host_third_party_vuln Fields
The following table describes the fields you can access in the rna_host_third_party_vuln
table.
rna_host_third_party_vuln Joins
The following table describes the joins you can perform on the rna_host_third_party_vuln
table.
rna_host_third_party_vuln Sample Query
The following query returns information about the third party vulnerabilities for host with host_id
of 8
.
SELECT host_id, third_party_vuln_id, name, description, source, invalid
rna_host_third_party_vuln_bugtraq_id
The rna_host_third_party_vuln_bugtraq_id
table contains information on the third-party vulnerabilities that are mapped to vulnerabilities in the Bugtraq database and also associated with hosts in your monitored network. Note that the third-party vulnerability data in this table is imported via the host input feature.
For more information, see the following sections:
-
rna_host_third_party_vuln_bugtraq_id Fields
-
rna_host_third_party_vuln_bugtraq_id Joins
-
rna_host_third_party_vuln_bugtraq_id Sample Query
rna_host_third_party_vuln_bugtraq_id Fields
The following table describes the fields you can access in the rna_host_third_party_vuln_bugtraq_id
table.
rna_host_third_party_vuln_bugtraq_id Joins
The following table describes the joins you can perform on the rna_host_third_party_vuln_bugtraq_id
table.
rna_host_third_party_vuln_bugtraq_id Sample Query
The following query returns the BugTraq vulnerabilities for the host with host_id
of 8
.
SELECT host_id, third_party_vuln_id, bugtraq_id, name, description, source, invalid
rna_host_third_party_vuln_cve_id
The rna_host_third_party_vuln_cve_id
table contains information on the third-party vulnerabilities that are mapped to vulnerabilities in MITRE’s CVE database and also associated with the hosts in your monitored network. Note that this table contains third-party vulnerability data imported via the host input feature.
For more information, see the following sections:
-
rna_host_third_party_vuln_cve_id Fields
-
rna_host_third_party_vuln_cve_id Joins
-
rna_host_third_party_vuln_cve_id Sample Query
rna_host_third_party_vuln_cve_id Fields
The following table describes the fields you can access in the rna_host_third_party_vuln_cve_id
table.
rna_host_third_party_vuln_cve_id Joins
The following table describes the joins you can perform on the rna_host_third_party_vuln_cve_id
table.
rna_host_third_party_vuln_cve_id Sample Query
The following query returns the CVE vulnerabilities for the host with host_id
of 8
.
SELECT host_id, third_party_vuln_id, cve_id, name, description, source, invalid
rna_host_third_party_vuln_rna_id
The rna_host_third_party_vuln_rna_id
table contains information on third-party vulnerabilities that are mapped to vulnerabilities in the Cisco vulnerability database (VDB) and also associated with hosts in your monitored network. Note that the third-party vulnerability data in this table is imported via the host input feature.
For more information, see the following sections:
-
rna_host_third_party_vuln_rna_id Fields
-
rna_host_third_party_vuln_rna_id Joins
-
rna_host_third_party_vuln_rna_id Sample Query
rna_host_third_party_vuln_rna_id Fields
The following table describes the fields you can access in the rna_host_third_party_vuln_rna_id
table.
rna_host_third_party_vuln_rna_id Joins
The following table describes the joins you can perform on the rna_host_third_party_vuln_rna_id
table.
rna_host_third_party_vuln_rna_id Sample Query
The following query returns all third party vulnerabilities with VDB IDs for the host with host_id
of 8
.
SELECT host_id, third_party_vuln_id, rna_vuln_id, name, description, source, invalid
rna_vuln
The rna_vuln
table contains information on the vulnerabilities in the Cisco VDB.
For more information, see the following sections:
rna_vuln Fields
The following table describes the fields you can access in the rna_vuln
table.
rna_vuln Joins
The following table describes the joins you can perform on the rna_vuln
table.
rna_vuln Sample Query
The following query returns information about up to 25 vulnerabilities. The records are sorted in order of most events generated based on the vulnerability.
SELECT rna_vuln_id, bugtraq_id, snort_id, title, publish_date, impact, remote, exploit, long_description, technical_description, solution, count(*) as count
tag_info
The tag_info
table contains information on the tags that are associated with the applications detected on your network. Note that an application can have multiple associated tags.
For more information, see the following sections:
tag_info Fields
The following table describes the fields you can access in the tag_info
table.
|
|
---|---|
tag_info Joins
The following table describes the joins you can perform on the tag_info
table.
|
|
---|---|
tag_info Sample Query
The following query returns the application tag record for a selected tag ID.
url_categories
The url_categories
table lists the categories that characterize URLs requested by hosts in your monitored network.
For more information, see the following sections:
url_categories Fields
The following table describes the fields in the url_categories
table.
|
|
---|---|
url_categories Joins
url_categories Sample Query
The following query returns a category record for the selected category ID.
url_reputations
The url_reputations
table lists the reputations that characterize URLs requested by hosts in your monitored request.
For more information, see the following sections:
url_reputations Fields
The following table describes the fields in the url_reputations
table.
|
|
---|---|
url_reputations Joins
url_reputations Sample Query
The following query returns URL reputation information for a reputation ID.
user_ipaddr_history
The user_ipaddr_history
table contains information on user activity for a particular host in your monitored network.
For more information, see the following sections:
user_ipaddr_history Fields
The following table describes the fields you can access in the user_ipaddr_history
table.
user_ipaddr_history Joins
The following table describes the joins you can perform on the user_ipaddr_history
table.
user_ipaddr_history Sample Query
The following query returns all user activity records for the selected IP address after the specified start timestamp.
SELECT ipaddr, start_time_sec, end_time_sec, user_name, user_rna_service, user_last_seen_sec, user_last_updated_sec
WHERE HEX(ipaddr) = "00000000000000000000FFFF0A0A0A04" AND start_time_sec >= UNIX_TIMESTAMP("2011-10-01 00:00:00");