Schema: Correlation Tables
This chapter contains information on the schema and supported joins for correlation-related events, including remediation status and allow list events. For more information, see the sections listed in the following table.
compliance_event
The compliance_event table contains information about the correlation events that your Firepower Management Center generates.
For more information, see the following sections:
compliance_event Fields
Keep in mind that many of the fields in the table can be blank, depending on what type of event triggered the correlation rule. For example, if the Firepower Management Center generates a correlation event because the system detects a specific application protocol or web application running on a specific port, that correlation event does not include intrusion-related information. Fields in this table can also be blank depending on your Firepower System configuration. For example, if you do not have a Control license, correlation events do not include user identity information.
Note that starting in Version 5.0, the Firepower System records the detection of network and user activity at the managed device level, rather than by detection engine. The detection_engine_name and detection_engine_uuid fields in the compliance_event table now return only blanks, and queries that join on those fields return zero records. You must query on the sensor_uuid field instead of detection_engine_uuid for information about the location of an event's detection.
The following table describes the fields you can access in the compliance_event table.
compliance_event Joins
The following table describes the joins you can perform on the compliance_event table.
compliance_event Sample Query
The following query returns up to 25 correlation event records from a week, with event information such as the event time, source and destination IP addresses, source and destination ports, policy information, and so on.
SELECT event_id, policy_time_sec, impact, blocked, src_ipaddr, dst_ipaddr, src_port, dst_port, description, policy_name, policy_rule_name, priority, src_host_criticality, dst_host_criticality, security_zone_egress_name, security_zone_ingress_name, sensor_name, interface_egress_name, interface_ingress_name
FROM compliance_event WHERE event_type!="whitelist"
AND policy_time_sec BETWEEN UNIX_TIMESTAMP("2011-10-01 00:00:00")
AND UNIX_TIMESTAMP("2011-10-07 23:59:59")
ORDER BY policy_time_sec DESC LIMIT 25;
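The following is an added example, not part of the guide, that runs the one-week correlation event query above against a constructed in-memory SQLite copy of the compliance_event table and shows the Version 5.0 caveat in practice: a join on the blank detection_engine_uuid field matches nothing, while the same join on sensor_uuid works. The sensor lookup table, its column names and all row values are assumptions; SQLite has no UNIX_TIMESTAMP(), so strftime('%s', ...) stands in for it.

```python
import sqlite3

# Constructed sample rows for compliance_event (subset of its fields) and a
# hypothetical sensor lookup table keyed by the device UUID.
# Columns: event_id, event_type, policy_time_sec, detection_engine_uuid, sensor_uuid, src_ipaddr, dst_ipaddr
ROWS = [
    (1, "rule",      1317600000, "", "s-1", "10.0.0.5", "10.0.0.9"),
    (2, "whitelist", 1317650000, "", "s-1", "10.0.0.6", "10.0.0.9"),  # excluded by event_type
    (3, "rule",      1318000000, "", "s-2", "10.0.0.7", "10.0.0.9"),
    (4, "rule",      1319000000, "", "s-2", "10.0.0.8", "10.0.0.9"),  # outside the week
]
SENSORS = [("s-1", "edge-fw"), ("s-2", "dc-fw")]


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE compliance_event (
            event_id INTEGER, event_type TEXT, policy_time_sec INTEGER,
            detection_engine_uuid TEXT, sensor_uuid TEXT,
            src_ipaddr TEXT, dst_ipaddr TEXT);
        CREATE TABLE sensor (uuid TEXT, name TEXT);
    """)
    con.executemany("INSERT INTO compliance_event VALUES (?,?,?,?,?,?,?)", ROWS)
    con.executemany("INSERT INTO sensor VALUES (?,?)", SENSORS)
    return con


def week_of_correlation_events(con, start, end, limit=25):
    # Same shape as the guide's query: drop allow list events, bound the
    # window on policy_time_sec, newest first, at most `limit` rows.
    # The device name comes from joining on sensor_uuid, not detection_engine_uuid.
    sql = """
        SELECT e.event_id, e.policy_time_sec, e.src_ipaddr, e.dst_ipaddr, s.name
        FROM compliance_event e JOIN sensor s ON s.uuid = e.sensor_uuid
        WHERE e.event_type != 'whitelist'
          AND e.policy_time_sec BETWEEN CAST(strftime('%s', ?) AS INTEGER)
                                    AND CAST(strftime('%s', ?) AS INTEGER)
        ORDER BY e.policy_time_sec DESC LIMIT ?"""
    return con.execute(sql, (start, end, limit)).fetchall()


def join_on_detection_engine(con):
    # detection_engine_uuid is blank on Version 5.0+, so this join returns 0 rows.
    sql = """SELECT COUNT(*) FROM compliance_event e
             JOIN sensor s ON s.uuid = e.detection_engine_uuid"""
    return con.execute(sql).fetchone()[0]
```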
remediation_status
The remediation_status table contains information about remediation events, which are generated when the Firepower Management Center launches a remediation in response to a correlation policy violation.
For more information, see the following sections:
remediation_status Fields
The following table describes the database fields you can access in the remediation_status table.
remediation_status Joins
remediation_status Sample Query
The following query returns up to 25 records generated before a given date. These records include remediation status information such as the remediation timestamp, the status message, and so on.
SELECT policy_time_sec, remediation_time_sec, remediation_name, policy_name, policy_rule_name, status_text
FROM remediation_status WHERE remediation_time_sec <= UNIX_TIMESTAMP("2011-10-01 00:00:00")
ORDER BY remediation_time_sec DESC LIMIT 25;
white_list_event
The white_list_event table contains allow list events, which are generated when the system detects a host that is not compliant with an allow list in an active allow list compliance policy.
Note that starting in Version 5.0, the Firepower System records the detection of network and user activity at the managed device level, no longer by detection engine. The detection_engine_name and detection_engine_uuid fields in the white_list_event table now return only null, and queries that join on those fields return zero records. Querying on the sensor_uuid field instead of detection_engine_uuid provides the equivalent information.
For more information, see the following sections:
white_list_event Fields
The following table describes the database fields you can access in the white_list_event table.
white_list_event Joins
The following table describes the joins you can perform on the white_list_event table.
white_list_event Sample Query
The following query returns up to 25 records generated before a specified time. The records include allow list event information such as the compliance policy name, the timestamp at which the event was generated, the allow list name, and so on.
SELECT policy_name, policy_time_sec, ipaddr, user_name, port, description, white_list_name, priority, host_criticality, sensor_name
FROM white_list_event WHERE policy_time_sec <= UNIX_TIMESTAMP("2011-10-01 00:00:00")
ORDER BY policy_time_sec DESC LIMIT 25;
white_list_violation
The white_list_violation table tracks compliance allow list violations, that is, the ways in which hosts on your network violate the compliance allow lists in active compliance policies.
For more information, see the following sections:
white_list_violation Fields
The following table describes the database fields you can access in the white_list_violation table.
white_list_violation Joins
white_list_violation Sample Query
The following query returns up to 25 records with allow list violation information such as the host IP address violating the allow list, the violated allow list name, and the count of violations.
SELECT host_id, white_list_name, count(*)
FROM white_list_violation
GROUP BY host_id, white_list_name
LIMIT 25;