Schema - Intrusion Event Tables

intrusion_event
intrusion_event_packet
rule_message

Schema: Intrusion Tables

This chapter contains information on the schema and supported joins for intrusion events, the packets that triggered the events, and the associated rule messages.

For more information, see the sections listed in the following table.

Table 4-1 Schema for Intrusion Tables
See...	For the table that stores information on...	Version
intrusion_event	Intrusion events, which include the date, time, type of exploit, and contextual information about the source and target of an attack.	4.10.x+
intrusion_event_packet	The content of the packet or packets that triggered an intrusion event.	4.10.x+
rule_message	Rule messages for intrusion events, including the associated generator ID (GID), signature ID (SID), and version data.	4.10.x+
	Information on rules, including the attack scenarios, affected systems, and information on when the rule was created and by whom.	5.2+

intrusion_event

The intrusion_event table contains information on possible intrusions identified by the Firepower System. For each possible intrusion, the system generates an event and an associated record in the database, which contains the date, time, type of exploit, access control policy and rule, intrusion policy and rule, and other contextual information about the source and target of the attack.

Tip For packet-based events, a copy of the packet or packets that triggered the event may also be available; see intrusion_event_packet Sample Query.

For more information, see the following sections:

intrusion_event Fields

The following table describes the database fields you can access in the intrusion_event table.

Table 4-2 intrusion_event Fields
Field	Description
`access_control_policy_name`	The access control policy associated with the intrusion policy that generated the intrusion event. Note that the access control policy name and access control rule name combination is unique for a Firepower Management Center.
`access_control_policy_UUID`	The UUID of the access control policy associated with the intrusion policy that generated the intrusion event.
`access_control_rule_id`	The internal identification number of the access control rule associated with the intrusion policy that generated the intrusion event.
`access_control_rule_name`	The name of the access control rule associated with the intrusion policy that generated the intrusion event. Note that the access control rule name is unique within a policy but not across different policies.
`application_protocol_id`	The internal identification number of the application protocol.
`application_protocol_name`	One of: the name of the application, if a positive identification can be made `pending` if the system requires more data blank if there is no application information in the connection
`blocked`	The value indicating what happened to the packet that triggered the intrusion event: `0` — Packet not dropped `1` — Packet dropped (inline, switched, or routed deployment) `2` — Packet that triggered the event would have been dropped, if the intrusion policy had been applied to a device configured in inline, switched, or routed deployment
`client_application_id`	The internal identification number of the client application that was used in the intrusion event.
`client_application_name`	The client application, if available, that was used in the intrusion event. One of: the name of the application, if a positive identification can be made a generic client name if the system detects a client application but cannot identify a specific one. `null` if there is no application information in the connection
`connection_sec`	UNIX timestamp (seconds since 00:00:00 01/01/1970) of the connection event associated with the intrusion event.
`counter`	Number that is incremented for each connection event in a given second, and is used to differentiate among multiple connection events that happen during the same second.
`detection_engine_name`	Field deprecated in Version 5.0. Returns `null` for all queries.
`detection_engine_uuid`	Field deprecated in Version 5.0. Returns `null` for all queries.
`domain_name`	Name of the domain specified for the event.
`domain_uuid`	UUID of the domain specified for the event. This is presented in binary.
`dst_continent_name`	The name of the continent of the destination host. `**` — Unknown `na` — North America `as` — Asia `af` — Africa `eu` — Europe `sa` — South America `au` — Australia `an` — Antarctica
`dst_country_id`	Code for the country of the destination host.
`dst_country_name`	Name of the country of the destination host.
`dst_ip_address`	Field deprecated in Version 5.2. Due to backwards compatibility the value in this field is not set to `null`, but it is not reliable.
`dst_ip_address_v6`	Field deprecated in Version 5.2. Due to backwards compatibility the value in this field is not set to `null`, but it is not reliable.
`dst_ipaddr`	A binary representation of the IPv4 or IPv6 address for the destination host involved in the triggering event.
`dst_port`	Either: the destination port number, if the event protocol type is TCP or UDP the ICMP code, if the event protocol type is ICMP
`dst_user_dept`	The department of the destination user.
`dst_user_email`	The email address of the destination user.
`dst_user_first_name`	The first name of the destination user.
`dst_user_id`	The internal identification number for the destination user; that is, the user who last logged into the destination host before the intrusion event occurred.
`dst_user_last_name`	The last name of the destination user.
`dst_user_last_seen_sec`	The UNIX timestamp of the date and time when the system last reported a login for the destination user.
`dst_user_last_updated_sec`	The UNIX timestamp of the date and time when the system last updated the destination user’s record.
`dst_user_name`	The user name for the destination user.
`dst_user_phone`	The telephone number for the destination user.
`event_id`	The internal identification number for the event. Uniquely identifies an event on the Firepower Management Center.
`event_time_sec`	The UNIX timestamp of the date and time when the event packet was captured.
`event_time_usec`	The microsecond increment of the event timestamp. If microsecond resolution is not available, this value is `0`.
`http_response_code`	The response code given to the HTTP request in the event.
`icmp_code`	ICMP code if the event is ICMP traffic, or `null` if the event was not generated from ICMP traffic.
`icmp_type`	ICMP type if the event is ICMP traffic, or `null` if the event was not generated from ICMP traffic.
`impact`	The impact flag value of the event. Integer values are: `1` — Red (vulnerable) `2` — Orange (potentially vulnerable) `3` — Yellow (currently not vulnerable) `4` — Blue (unknown target) `5` — Gray (unknown impact)
`instance_id`	Numerical ID of the Snort instance on the managed device that generated the event.
`interface_egress_name`	The name of the interface for the outbound traffic.
`interface_ingress_name`	The name of the interface for the inbound traffic.
`intrusion_event_policy_uuid`	A unique identifier for the intrusion policy that triggered the intrusion event.
`intrusion_event_policy_name`	The intrusion policy that generated the intrusion event.
`ioc_count`	Number of indications of compromise found in the event.
`network_analysis_policy_name`	The network analysis policy associated with the intrusion policy that generated the intrusion event.
`network_analysis_policy_UUID`	The UUID of the network analysis policy associated with the intrusion policy that generated the intrusion event.
`priority`	The priority for the rule classification associated with the event. Rule priority is set in the user interface.
`protocol_name`	The text name of the traffic protocol associated with the intrusion event.
`protocol_num`	The IANA number of the protocol as listed in `http://www.iana.org/assignments/protocol-numbers`.
`reviewed`	Whether the intrusion event has been marked as reviewed: `1` — Reviewed `0` — Not reviewed
`rule_classification`	The description of the rule classification associated with the intrusion event, which usually describes the attack detected by the rule that triggered the event. For example: `A Network Trojan was Detected`.
`rule_classification_id`	The identification number for the rule classification associated with the intrusion event.
`rule_generator`	The component that generated the intrusion event. The generator can be either a rules engine, decoder, or preprocessor.
`rule_generator_id`	The generator ID (GID) of the component named in `rule_generator` that generated the intrusion event.
`rule_message`	Explanatory text for the event. For rule-based intrusion events, the message is generated from the rule. For decoder- and preprocessor-based events, the message is hard coded.
`rule_revision`	The revision number of the rule associated with the intrusion event.
`rule_signature_id`	The signature ID (SID) for the intrusion event. Identifies the specific rule, decoder message, or preprocessor message that caused the event to be generated.
`security_context`	Description of the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
`security_zone_egress_name`	The egress security zone in the intrusion event that triggered the policy violation.
`security_zone_ingress_name`	The ingress security zone in the intrusion event that triggered the policy violation.
`sensor_address`	The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address.
`sensor_name`	The name of the managed device that generated the intrusion event.
`sensor_uuid`	A unique identifier for the managed device, or `0` if `sensor_name` is `null`.
`src_continent_name`	The name of the continent of the destination host. `**` — Unknown `na` — North America `as` — Asia `af` — Africa `eu` — Europe `sa` — South America `au` — Australia `an` — Antarctica
`src_country_id`	Code for the country of the destination host.
`src_country_name`	Name of the country of the destination host.
`src_ip_address`	Field deprecated in Version 5.2. Due to backwards compatibility the value in this field is not set to `null`, but it is not reliable.
`src_ip_address_v6`	Field deprecated in Version 5.2. Due to backwards compatibility the value in this field is not set to `null`, but it is not reliable.
`src_ipaddr`	A binary representation of the IPv4 or IPv6 address for the source host involved in the triggering event.
`src_port`	Either: the source port number, if the event protocol type is TCP or UDP the ICMP type, if the event protocol type is ICMP
`src_user_dept`	The department of the source user.
`src_user_email`	The email address for the source user.
`src_user_first_name`	The first name of the source user.
`src_user_id`	The internal identification number for the source user; that is, the user who last logged into the source host before the intrusion event occurred.
`src_user_last_name`	The last name of the source user.
`src_user_last_seen_sec`	The UNIX timestamp of the date and time the system last reported a login for the source user.
`src_user_last_updated_sec`	The UNIX timestamp of the date and time the source user’s record was last updated.
`src_user_name`	The user name for the source user.
`src_user_phone`	The source user’s phone number.
`vlan_id`	The identification number of the innermost VLAN associated with the packet that triggered the intrusion event.
`web_application_id`	The internal identification number of the web application that was used in the intrusion event, if applicable.
`web_application_name`	The web application that was used in the intrusion event, if applicable. One of: the name of the application, if a positive identification can be made `web browsing` if the system detects an application protocol of HTTP but cannot identify a specific web application blank if the connection has no HTTP traffic

intrusion_event Joins

The following table describes the joins you can perform on the intrusion_event table.

Table 4-3 intrusion_event Joins
You can join this table on...	And...
`application_protocol_id` or `client_application_id` or `web_application_id`	`application_info. application_id application_host_map. application_id application_tag_map. application_id rna_host_service_info. application_protocol_id rna_host_client_app_payload. web_application_id rna_host_client_app_payload. client_application_id rna_host_client_app. client_application_id rna_host_client_app. application_protocol_id rna_host_service_payload. web_application_id`
`dst_ipaddr` or `src_ipaddr`	`rna_host_ip_map. ipaddr user_ipaddr_history. ipaddr`

intrusion_event Sample Query

The following query returns the 25 most common unreviewed intrusion event results, sorted in descending order based on Count.

SELECT rule_message, priority, rule_classification, count(*) as Count

FROM intrusion_event

WHERE reviewed="0"

GROUP BY rule_message, priority, rule_classification

ORDER BY Count DESCLIMIT 0, 25;

intrusion_event_packet

The intrusion_event_packet table contains information on content of the packet or packets that triggered an intrusion event. Keep in mind if you prohibited packet transfer from your managed devices to the Firepower Management Center, the intrusion_event_packet table contains no data.

For more information, see the following sections:

intrusion_event_packet Fields

The following table describes the database fields you can access in the intrusion_event_packet table.

Table 4-4 intrusion_event_packet Fields
Field	Description
`detection_engine_name`	Field deprecated in Version 5.0. Returns `null` for all queries.
`detection_engine_uuid`	Field deprecated in Version 5.0. Returns `null` for all queries.
`domain_name`	Name of the domain specified for the event.
`domain_uuid`	UUID of the domain specified for the event. This is presented in binary.
`event_id`	The identification number for the event. The ID is unique on a given managed device.
`linktype`	An internal key that indicates the format of the packet’s outer layer; used by the managed device to correctly decode the packet. Only link type `1` is supported.
`netmap_num`	Netmap ID for the domain on which the event was detected.
`packet_data`	The contents of the packet that triggered the event.
`packet_time_sec`	The UNIX timestamp of the date and time the event packet was captured.
`packet_time_usec`	The microsecond increment of the event timestamp. If microsecond resolution is not available, this value is `0`.
`sensor_address`	The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address.
`sensor_name`	The name of the managed device that generated the intrusion event.
`sensor_uuid`	A unique identifier for the managed device, or `0` if `sensor_name` is `null`.

intrusion_event_packet Joins

You cannot perform joins on the intrusion_event_packet table.

intrusion_event_packet Sample Query

The following query returns the packet information for all packets matching the selected event ID.

SELECT event_id, packet_time_sec, sensor_address, packet_data

FROM intrusion_event_packet

WHERE event_id="1";

rule_message

The rule_message table is a list of the rule messages for intrusion rules. Each rule message is accompanied by its identifying information.

For more information, see the following sections:

rule_message Fields

The following table describes the database fields you can access in the rule_message table.

Table 4-5 rule_message Fields
Field	Description
`generator_id`	The GID of the component that triggers the rule.
`message`	The message associated with the rule that is triggered.
`rev_uuid`	A unique identifier for the rule revision.
`revision`	The revision number for the rule.
`signature_id`	The rule identification number as it is rendered in the appliance user interface.
`uuid`	A unique identifier for the rule.

rule_message Joins

You cannot perform joins on the rule_message table.

rule_message Sample Query

The following query returns the intrusion rule message for the intrusion rule that has a GID of 1 and a SID of 1200.

SELECT generator_id, signature_id, revision, message

FROM rule_message

WHERE generator_id="1"

AND signature_id="1200";

Firepower System Database Access Guide v6.7 - 7.1

Bias-Free Language

Book Title

Firepower System Database Access Guide v6.7 - 7.1

Chapter Title