- Introduction to Database Access
- Setting Up Database Access
- Schema - System-Level Tables
- Schema - Intrusion Event Tables
- Schema - Statistics Tracking Tables
- Schema - Discovery and Network Map Tables
- Schema - Connection Log Tables
- Schema - User Activity Tables
- Schema - Correlation Logs
- Schema - File Event Tables
- Deprecated Tables
- Understanding Statistics Tracking Tables
- app_ids_stats_current_timeframe
- app_stats_current_timeframe
- compliance_events_stats_current_timeframe
- dns_query_stats_current_timeframe
- geolocation_stats_current_timeframe
- ids_impact_stats_current_timeframe
- ip_reputation_stats_current_timeframe
- session_stats_current_timeframe
- ssl_stats_current_timeframe
- storage_stats_by_disposition_current_timeframe
- storage_stats_by_file_type_current_timeframe
- transmission_stats_by_file_type_current_timeframe
- url_category_stats_current_timeframe
- url_reputation_stats_current_timeframe
- user_ids_stats_current_timeframe
- user_stats_current_timeframe
Schema: Statistics Tracking Tables
This chapter contains information on the schema and supported joins for application and URL statistics tracking tables. These tables collect statistical information on:
- access control and intrusion events by application and by user
- bandwidth usage and connection decisions by application and by user
- bandwidth usage and connection decisions by URL reputation (risk) and by URL business relevance
For links to details on each table, see the following table.
Understanding Statistics Tracking Tables
A table’s name ends with current_day
, current_month
, or current_year
to indicate the timeframe of its data. For example, the app_ids_stats_current_
timeframe describes app_stats_current_day
, app_stats_current_month
, and app_stats_current_year
. The app_stats_current_year
table stores statistics for 360 days; the current_month
table stores statistics for 30 days.
Each time the Firepower Management Center receives raw counts from managed devices in your network, it updates all three table types, but does so at successively coarser resolution. The current_day
table has the finest resolution (15 seconds or 5 minutes, depending on the particular table); the current_year
table has the coarsest resolution (24 hours). See Storage Characteristics for Statistics Tracking Tables for specific information.
Storage Characteristics for Statistics Tracking Tables
See the following table for important details.
A storage interval is defined by its start time. For example, the current_month
table contains counts for the hour 10:00:00
- 10:59:59
as one record with a timestamp of 10:00:00
. Note that a day begins at 00:00:00
and ends at 23:59:59
. Interval start times are stored as UNIX timestamps (GMT).
Specifying Time Intervals When Querying Statistics Tables
The effective time interval for a query is defined by both the table and the time_start_sec
field in the query.
For example, if your SQL statement specifies time_start_sec
= 6:00:00
, the interval varies for each table type:
- for
current_day
tables: either6:00:00
to6:00:14
(for 15 second tables) or6:00:00
to6:04:59
(for 5 minute tables). - for
current_month
tables:6:00:00
to6:59:59
. - for
current_year
tables:0:00:00
to23:59:59
on the following day.
The simplest way to retrieve data is to state the interval start time. For example, to retrieve from the app_ids_stats_current_day
table, specify one of the following:
00:00:00
00:00:15
00:00:30
23:59:45
If your query contains a timestamp that is other than an interval start time, the system modifies the request as follows:
- rounds up the start time to the nearest interval time
- rounds down the end time to the nearest interval time
For example, the following query rounds up the start time:
SELECT application_id
FROM app_ids_stats_current_month
WHERE start_time_sec = UNIX_TIMESTAMP("2011-12-01 12:30:00");
SELECT application_id
FROM app_ids_stats_current_month
WHERE start_time_sec = UNIX_TIMESTAMP("2011-12-01 01:00:00");
When querying a range of intervals, the starting time interval is rounded up, and the ending time interval is rounded down. For example:
SELECT application_id
FROM app_ids_stats_current_month
WHERE start_time_sec BETWEEN UNIX_TIMESTAMP("2011-12-10 12:59:00") and UNIX_TIMESTAMP("2011-12-10 16:28:00");
SELECT application_id
FROM app_ids_stats_current_month
WHERE start_time_sec BETWEEN UNIX_TIMESTAMP("2011-12-10 13:00:00") and UNIX_TIMESTAMP("2011-12-12 16:00:00");
If your query interval extends beyond a table's time frame, you can usually obtain the additional data from another table, although the data in the other table will have a coarser resolution. For example, to retrieve bandwidth usage for the past two days, you can get results for yesterday from the current_day
table (at 5 minute resolution), but you can get statistics for the previous day only from current_month
(in hour chunks) or current_year
(in day chunks).
app_ids_stats_current_timeframe
The app_ids_stats_current_
timeframe tables contain statistics about application activity and intrusion events on your monitored network. Statistics can be extracted per detected application, per application type (application protocol, client application, or web application), and also per risk and business relevance of the application. The tables also track blocked connections due to intrusion policy violations and the estimated potential impact of an intrusion.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information on the app_ids_stats_current_
timeframe tables, see the following sections:
-
app_ids_stats_current_timeframe Fields
-
app_ids_stats_current_timeframe Joins
-
app_ids_stats_current_timeframe Sample Query
app_ids_stats_current_timeframe Fields
The following table describes the fields you can access in the app_ids_stats_current_
timeframe tables. All tables of this type contain the same fields.
|
|
---|---|
Number of connections blocked due to violation of an intrusion policy. |
|
An index (from |
|
A description of business relevance ( |
|
UUID of the domain specified for the statistics. This is presented in binary. |
|
The number of impact level 1 (vulnerable) intrusion events recorded for the application. |
|
The number of impact level 2 (potentially vulnerable) intrusion events. |
|
The number of impact level 3 (host currently not vulnerable) intrusion events. |
|
The number of impact level 4 (unknown target) intrusion events. |
|
The number of impact level 5 (unknown vulnerability) intrusion events. |
|
A true-false flag that indicates if the detected application is a client application. |
|
A true-false flag that indicates if the detected application is an application protocol. |
|
A true-false flag that indicates if the detected application is a web application. |
|
Netmap ID for the domain on which the statistics were collected. |
|
An index (from |
|
A description of the estimated risk ( |
|
The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address. |
|
The name of the managed device that generated the intrusion event. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the date and time the measurement interval starts. For detailed information, see Specifying Time Intervals When Querying Statistics Tables. |
|
Number of packets that would have been dropped if the intrusion policy had been configured to drop packets in an inline deployment. |
app_ids_stats_current_timeframe Joins
The following table describes the joins you can perform on the app_ids_stats_current_
timeframe
tables.
app_ids_stats_current_timeframe Sample Query
The following query returns up to 25 application records from the app_ids_stats_current_month
table. Each record contains the number of blocked connections and intrusion events for the application over the time interval.
SELECT from_unixtime(start_time_sec), sum(blocked)
app_stats_current_timeframe
The app_stats_current_
timeframe tables contain statistics on bandwidth usage and access control actions (connection allowed or denied), by application and by device that monitored the traffic. You can filter these statistics by the business relevance, estimated risk, and type of the application.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information on the app_stats_current_
timeframe tables,
see the following sections:
-
app_stats_current_timeframe Fields
-
app_stats_current_timeframe Joins
-
app_stats_current_timeframe Sample Query
app_stats_current_timeframe Fields
The following table describes the fields you can access in the app_stats_current_
timeframe tables.
|
|
---|---|
An index (from |
|
A description of business relevance ( |
|
The bytes of inbound traffic for the application during the specified interval. |
|
The bytes of outbound traffic for the application during the specified interval. |
|
The number of connections denied due to violation of an access control policy. |
|
UUID of the domain specified for the statistics. This is presented in binary. |
|
A true-false flag that indicates if the detected application is a client application. |
|
A true-false flag that indicates if the detected application is an application protocol. |
|
Netmap ID for the domain on which the statistics were collected. |
|
A true-false flag that indicates if the detected application is a web application. |
|
An index (from |
|
A description of the estimated risk ( |
|
The IP address of the managed device that monitored the traffic. Format is ipv4_address,ipv6_address. |
|
The internal identification number of the managed device that detected the traffic. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the start of the measurement interval. For information on specifying the start time, see Specifying Time Intervals When Querying Statistics Tables. |
|
Number of packets which were eligible for bypass but were inspected. |
app_stats_current_timeframe Joins
The following table describes the joins you can perform on the app_stats_current_
timeframe tables.
app_stats_current_timeframe Sample Query
The following query returns the inbound and outbound traffic load associated with applications that have low business relevance and high risk in the period of a day, for all managed devices connected to the Firepower Management Center.
SELECT start_time_sec, sum(bytes_in), sum(bytes_out)
AND risk >= 4 AND start_time_sec = unix_timestamp("2013-12-15");
compliance_events_stats_current_timeframe
The compliance_stats_events_current_
timeframe tables contain statistics on the number of compliance and allow list events during a timeframe.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information on the compliance_events_stats_current_
timeframe tables,
see the following sections:
-
compliance_events_stats_current_timeframe Fields
-
compliance_event_stats_current_timeframe Joins
-
compliance_event_stats_current_timeframe Sample Query
compliance_events_stats_current_timeframe Fields
The following table describes the fields you can access in the compliance_events_stats_current_
timeframe tables.
|
|
---|---|
UUID of the domain specified for the statistics. This is presented in binary. |
|
Netmap ID for the domain on which the statistics were collected. |
|
Allow list rule which triggered the events. If this rule is empty, the events are compliance events. |
|
The UNIX timestamp of the start of the measurement interval. For information on specifying the start time, see Specifying Time Intervals When Querying Statistics Tables. |
compliance_event_stats_current_timeframe Joins
You cannot perform joins on the compliance_event_stats_current_timeframe
table.
compliance_event_stats_current_timeframe Sample Query
The following query returns the priority 0, 1, and 2 events, and the relevant allow list rule, ordered by domain, in the period of a day.
SELECT domain_name, priority_0_events, priority_1_events, priority_2_events, rule
dns_query_stats_current_timeframe
The dns_query_stats_current_
timeframe tables contain statistics on DNS queries.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information on the dns_query_stats_current_
timeframe tables,
see the following sections:
-
dns_query_stats_current_timeframe Fields
-
dns_query_stats_current_timeframe Joins
-
dns_query_stats_current_timeframe Sample Query
dns_query_stats_current_timeframe Fields
The following table describes the fields you can access in the dns_quaery_stats_current_
timeframe tables.
|
|
---|---|
The bytes of outbound traffic during the specified interval. |
|
The number of connections allowed for the specified DNS query. |
|
The number of connections denied for the specified DNS query due to violation of an access control policy. |
|
UUID of the domain specified for the statistics. This is presented in binary. |
|
The IP address of the managed device that monitored the traffic. Format is ipv4_address,ipv6_address. |
|
The internal identification number of the managed device that detected the traffic. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the start of the measurement interval. For information on specifying the start time, see Specifying Time Intervals When Querying Statistics Tables. |
dns_query_stats_current_timeframe Joins
You cannot perform joins on the dns_query_stats_current_timeframe
table.
dns_query_stats_current_timeframe Sample Query
The following query returns the number of connections associated with dns record types for each sensor in the period of a day, sorted by sensor name and limited to the Global \ Company B \ Edge
domain.
SELECT sensor_name, dns_record_type, sum(connections_allowed), sum(connections_denied)
FROM dns_query_stats_current_day
geolocation_stats_current_timeframe
The geolocation_stats_
timeframe tables contain statistics regarding intrusion events based on location levels. Statistics can be extracted based on impact level, device, and how the packets are handled.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information on the geolocation_stats_current_
timeframe tables, see the following sections:
-
geolocation_stats_current_timeframe Fields
-
geolocation_stats_current_timeframe Joins
-
geolocation_stats_current_timeframe Sample Query
geolocation_stats_current_timeframe Fields
The following table describes the fields you can access in the geolocation_stats_current_
timeframe tables. All tables of this type contain the same fields.
|
|
---|---|
The total number of bytes transmitted by the session responder. |
|
UUID of the domain specified for the statistics. This is presented in binary. |
|
The number of flows denied due to violation of an access control policy. |
|
Netmap ID for the domain on which the statistics were collected. |
|
The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address. |
|
The name of the managed device that generated the intrusion event. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the date and time the measurement interval starts. For detailed information, see Specifying Time Intervals When Querying Statistics Tables. |
geolocation_stats_current_timeframe Joins
You cannot perform joins on the geolocation_stats_current_
timeframe tables.
geolocation_stats_current_timeframe Sample Query
The following query returns source country and sensor name for the first 25 connection events from Asia during the current day, limited to the Global \ Company B \ Edge
domain.
SELECT sensor_name, source_continent
FROM geolocation_stats_current_year
WHERE destination_continent='as' and domain_name= "Global \ Company B \ Edge"
ids_impact_stats_current_timeframe
The ids_impact_stats_
timeframe tables contain statistics regarding intrusion events based on impact levels. Statistics can be extracted based on impact level, device, and how the packets are handled.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information on the ids_impact_stats_current_
timeframe tables, see the following sections:
-
ids_impact_stats_current_timeframe Fields
-
ids_impact_stats_current_timeframe Joins
-
ids_impact_stats_current_timeframe Sample Query
ids_impact_stats_current_timeframe Fields
The following table describes the fields you can access in the ids_impact_stats_current_
timeframe tables. All tables of this type contain the same fields.
|
|
---|---|
Number of connections blocked due to violation of an intrusion policy. |
|
UUID of the domain specified for the statistics. This is presented in binary. |
|
The number of impact level 1 (vulnerable) intrusion events recorded for the application. |
|
The number of impact level 2 (potentially vulnerable) intrusion events. |
|
The number of impact level 3 (host currently not vulnerable) intrusion events. |
|
The number of impact level 4 (unknown target) intrusion events. |
|
The number of impact level 5 (unknown vulnerability) intrusion events. |
|
Netmap ID for the domain on which the statistics were collected. |
|
The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address. |
|
The name of the managed device that generated the intrusion event. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the date and time the measurement interval starts. For detailed information, see Specifying Time Intervals When Querying Statistics Tables. |
|
Number of packets that would have been dropped if the intrusion policy had been set to drop packets in an inline deployment. |
ids_impact_stats_current_timeframe Joins
You cannot perform joins on the ids_impact_stats_current_
timeframe tables.
ids_impact_stats_current_timeframe Sample Query
The following query returns the first 25 blocked
and would_have_dropped
events during the current day, limited to the domain_name= "Global \ Company B \ Edge"
domain.
SELECT blocked, would_have_dropped
FROM ids_impact_stats_current_year
ip_reputation_stats_current_timeframe
The ip_category_stats_current_
timeframe tables contain statistics on the bandwidth usage and connections associated with requests to IP addresses, URLs, and DNS domains in specified Security Intelligence categories. You can also constrain queries on the managed device that monitored the traffic.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information on the ids_impact_stats_current_
timeframe tables, see the following sections:
-
ip_reputation_stats_current_timeframe Fields
-
ip_reputation_stats_current_timeframe Joins
-
ip_reputation_stats_current_timeframe Sample Query
ip_reputation_stats_current_timeframe Fields
The following table describes the fields you can access in the ip_reputation_stats_current_
timeframe tables. All tables of this type contain the same fields.
|
|
---|---|
The bytes of outbound traffic during the specified interval. |
|
The number of connections denied for the specified IP due to violation of an access control policy. |
|
UUID of the domain specified for the statistics. This is presented in binary. |
|
The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address. |
|
The name of the managed device that generated the intrusion event. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the date and time the measurement interval starts. For detailed information, see Specifying Time Intervals When Querying Statistics Tables. |
|
Type of information in the entry. Possible values include: |
ip_reputation_stats_current_timeframe Joins
You cannot perform joins on the ip_reputation_stats_current_
timeframe tables.
ip_reputation_stats_current_timeframe Sample Query
The following query returns the first 25 connections showing the number of bytes in and out, number of connections, type of connection, and sensor, in order by domain during the current day, limited to the Global \ Company B \ Edge
domain.
SELECT uuid_btoa(domain_uuid), domain_name, type, name, bytes_in, bytes_out, connections_allowed, connections_denied, sensor_name
FROM ip_reputation_stats_current_day
session_stats_current_timeframe
The session_stats_
timeframe tables contain statistics for all connections. Statistics can be extracted based on bytes, connection, sensor, and time.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information on the session_stats_current_
timeframe tables, see the following sections:
-
session_stats_current_timeframe Fields
-
session_stats_current_timeframe Joins
-
session_stats_current_timeframe Sample Query
session_stats_current_timeframe Fields
The following table describes the fields you can access in the session_stats_current_
timeframe tables. All tables of this type contain the same fields.
|
|
---|---|
The bytes of outbound traffic during the specified interval. |
|
The number of connections allowed for the specified URL category. |
|
The number of connections denied for the specified URL category due to violation of an access control policy. |
|
UUID of the domain specified for the statistics. This is presented in binary. |
|
The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address. |
|
The name of the managed device that generated the intrusion event. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the date and time the measurement interval starts. For detailed information, see Specifying Time Intervals When Querying Statistics Tables. |
session_stats_current_timeframe Joins
You cannot perform joins on the session_stats_current_
timeframe tables.
session_stats_current_timeframe Sample Query
The following query returns the number of denied and allowed connections for each sensor, in descending order by sensor_name
during the current day, limited to the Global \ Company B \ Edge
domain.
SELECT sensor_name, sensor_id connections_denied, connections_allowed
FROM session_stats_current_day
ssl_stats_current_timeframe
The ssl_stats_current_
timeframe tables contain statistics for SSL connections. Statistics can be extracted based on bytes, connection, sensor, and time.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information on the ssl_stats_current_
timeframe tables, see the following sections:
-
ssl_stats_current_timeframe Fields
-
ssl_stats_current_timeframe Joins
-
ssl_stats_current_timeframe Sample Query
ssl_stats_current_timeframe Fields
The following table describes the fields you can access in the ssl_stats_current_
timeframe tables. All tables of this type contain the same fields.
|
|
---|---|
Number of handshake errors that occurred while evaluating SSL rules. |
|
Number of SSL sessions in which the certificate was expired. |
|
Number of SSL sessions in which the certificate issuer was either not valid or not found in the Trusted CA list. |
|
Number of SSL sessions in which the certificate had an invalid signature. |
|
Number of SSL sessions in which the certificate was not checked. |
|
Number of SSL sessions in which the certificate was not yet valid. |
|
Number of SSL sessions in which the certificate had been revoked. |
|
Number of SSL sessions in which the certificate was self-signed. |
|
Number of SSL sessions in which the certificate status was unknown. |
|
Number of times a certificate was found in the validation cache. |
|
Number of times a certificate was not found in the validation cache. |
|
Number of times an SSL session using a self-signed certificate was decrypted using the decrypt-resign method. |
|
Number of times an SSL session using a self-signed certificate was decrypted using the decrypt-resign with replace key only method. |
|
Number of times an SSL session using a signed certificate was decrypted using the decrypt-resign method. |
|
Number of times an SSL session was decrypted using the known-key method. |
|
Number of SSL sessions which suffered an error during decryption. |
|
UUID of the domain specified for the statistics. This is presented in binary. |
|
Number of handshake errors that occurred prior to evaluating SSL rules. |
|
Netmap ID for the domain on which the statistics were collected. |
|
Number of times an original certificate was found in the cache. |
|
Number of times an original certificate was not found in the cache. |
|
Number of times a resigned certificate was found in the cache. |
|
Number of times a resigned certificate was not found in the cache. |
|
The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address. |
|
A unique identifier for the managed device, or |
|
Number of times an SSL session ID or ticket was found in the cache. |
|
Number of times an SSL session ID or ticket was not found in the cache. |
|
Number of sessions that were incorrectly identified as using SSL. |
|
Number of SSL sessions that were not successfully decrypted. |
|
The UNIX timestamp of the date and time the measurement interval starts. For detailed information, see Specifying Time Intervals When Querying Statistics Tables. |
|
Number of times that a cache miss on an ID or ticket prevented decryption. |
|
Number of SSL sessions that could not be decrypted because the device is in passive mode. |
|
Number of SSL sessions using a cipher suite which is known but not supported. |
ssl_stats_current_timeframe Joins
You cannot perform joins on the ssl_stats_current_
timeframe tables.
ssl_stats_current_timeframe Sample Query
The following query returns the number of SSL sessions, sessions that were decrypted, sessions that were not decrypted, and sessions which cannot be decrypted in passive mode for each sensor, in descending order by sensor_name
during the current day, limited to the Global \ Company B \ Edge
domain.
SELECT sensor_name, total_ssl_sessions, ssl_sessions_decrypted,
ssl_sessions_not_decrypted, undecryptable_in_passive_mode
storage_stats_by_disposition_current_timeframe
The storage_stats_by_disposition_
timeframe tables contain statistics for stores files. Statistics can be extracted based on bytes, connection, sensor, and time.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information on the storage_stats_by_disposition_
timeframe tables, see the following sections:
-
storage_stats_by_disposition_current_timeframe Fields
-
storage_stats_by_disposition_current_timeframe Joins
-
storage_stats_by_disposition_current_timeframe Sample Query
storage_stats_by_disposition_current_timeframe Fields
The following table describes the fields you can access in the storage_stats_by_disposition_current_
timeframe tables. All tables of this type contain the same fields.
|
|
---|---|
The malware status of the file. Possible values include:
|
|
UUID of the domain specified for the statistics. This is presented in binary. |
|
Netmap ID for the domain on which the statistics were collected. |
|
The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address. |
|
The name of the managed device that generated the intrusion event. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the date and time the measurement interval starts. For detailed information, see Specifying Time Intervals When Querying Statistics Tables. |
storage_stats_by_disposition_current_timeframe Joins
You cannot perform joins on the session_stats_current_
timeframe tables.
storage_stats_by_disposition_current_timeframe Sample Query
The following query returns the number of dropped and stored files for each sensor, in descending order by sensor_name
during the current day, limited to the Global \ Company B \ Edge
domain.
SELECT sensor_name, number_dropped, number_stored
FROM storage_stats_by_disposition_current_day
storage_stats_by_file_type_current_timeframe
The storage_stats_by_file_type_current_
timeframe tables contain statistics for stored files by file type. Statistics can be extracted based on bytes, connection, sensor, and time.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information on the storage_stats_by_file_type_current_
timeframe tables, see the following sections:
-
storage_stats_by_file_type_current_timeframe Fields
-
storage_stats_by_file_type_current_timeframe Joins
-
storage_stats_by_file_type_current_timeframe Sample Query
storage_stats_by_file_type_current_timeframe Fields
The following table describes the fields you can access in the storage_stats_by_file_type_current_
timeframe tables. All tables of this type contain the same fields.
|
|
---|---|
UUID of the domain specified for the statistics. This is presented in binary. |
|
Netmap ID for the domain on which the statistics were collected. |
|
The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address. |
|
The name of the managed device that generated the intrusion event. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the date and time the measurement interval starts. For detailed information, see Specifying Time Intervals When Querying Statistics Tables. |
storage_stats_by_file_type_current_timeframe Joins
You cannot perform joins on the session_stats_current_
timeframe tables.
storage_stats_by_file_type_current_timeframe Sample Query
The following query returns the number of dropped and stored files for each sensor, in descending order by file_type
during the current day, limited to the Global \ Company B \ Edge
domain.
SELECT sensor_name, number_dropped, number_stored, file_type
FROM storage_stats_by_file_type_current_day
transmission_stats_by_file_type_current_timeframe
The transmission_stats_by_file_type_current_
timeframe tables contain statistics for stored files by file type. Statistics can be extracted based on bytes, connection, sensor, and time.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information on the transmission_stats_by_file_type_current_
timeframe tables, see the following sections:
-
transmission_stats_by_file_type_current_timeframe Fields
-
transmission_stats_by_file_type_current_timeframe Joins
-
transmission_stats_by_file_type_current_timeframe Sample Query
transmission_stats_by_file_type_current_timeframe Fields
The following table describes the fields you can access in the transmission_stats_by_file_type_current_
timeframe tables. All tables of this type contain the same fields.
|
|
---|---|
UUID of the domain specified for the statistics. This is presented in binary. |
|
Netmap ID for the domain on which the statistics were collected. |
|
The IP address of the managed device that generated the event. Format is ipv4_address,ipv6_address. |
|
The name of the managed device that generated the intrusion event. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the date and time the measurement interval starts. For detailed information, see Specifying Time Intervals When Querying Statistics Tables. |
transmission_stats_by_file_type_current_timeframe Joins
You cannot perform joins on the transmission_stats_by_file_type_current_
timeframe tables.
transmission_stats_by_file_type_current_timeframe Sample Query
The following query returns the number of dropped and sent connections for each sensor, in descending order by file_type
during the current day, limited to the Global \ Company B \ Edge
domain.
SELECT sensor_name, number_dropped, number_sent, file_type
FROM transmission_stats_by_file_type_current_day
url_category_stats_current_timeframe
The url_category_stats_current_
timeframe tables contain statistics on the bandwidth usage and connections associated with requests to URLs in specified URL categories. You can also constrain queries on the managed device that monitored the traffic.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information on the url_category_stats_current_
timeframe tables, see the following sections:
-
url_category_stats_current_timeframe Fields
-
url_category_stats_current_timeframe Joins
-
url_category_stats_current_timeframe Sample Query
url_category_stats_current_timeframe Fields
The following table describes the fields you can access in the url_category_stats_current_
timeframe tables.
|
|
---|---|
The bytes of outbound traffic during the specified interval. |
|
The number of connections allowed for the specified URL category. |
|
The number of connections denied for the specified URL category due to violation of an access control policy. |
|
UUID of the domain specified for the statistics. This is presented in binary. |
|
Netmap ID for the domain on which the statistics were collected. |
|
The IP address of the managed device that monitored the traffic. Format is ipv4_address,ipv6_address. |
|
The internal identification number of the managed device that detected the traffic. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the start of the measurement interval. For information on specifying the start time, see Specifying Time Intervals When Querying Statistics Tables. |
url_category_stats_current_timeframe Joins
You cannot perform joins on the url_category_stats_current_
timeframe tables.
url_category_stats_current_timeframe Sample Query
The following query returns up to 25 URL category records. Each record contains the bytes of associated inbound and outbound traffic, as well as allowed and denied connections, over the specified time interval. This query is limited to the Games
category and the Global \ Company B \ Edge
domain.
SELECT category, sensor_name, sensor_address, start_time_sec, bytes_in, bytes_out, connections_allowed, connections_denied
FROM url_category_stats_current_year
WHERE category="Games" AND domain_name= "Global \ Company B \ Edge"
url_reputation_stats_current_timeframe
The url_reputation_stats_current_
timeframe tables contain statistics on the bandwidth usage and connections associated with requests to URLs with specified reputations. Query results can also be constrained on the managed device that monitored the traffic.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information on the url_reputation_stats_current_
timeframe tables, see the following sections:
-
url_reputation_stats_current_timeframe Fields
-
url_reputation_stats_current_timeframe Joins
-
url_reputation_stats_current_timeframe Sample Query
url_reputation_stats_current_timeframe Fields
The following table describes the fields you can access in the url_reputation_stats_current_
timeframe tables.
|
|
---|---|
The bytes of outbound traffic during the specified interval. |
|
The number of connections denied due to violation of an access control policy. |
|
UUID of the domain specified for the statistics. This is presented in binary. |
|
Netmap ID for the domain on which the statistics were collected. |
|
The risk associated with the requested URL. One of the following: |
|
The IP address of the managed device that monitored the traffic. Format is ipv4_address,ipv6_address. |
|
Internal identification number of the managed device that monitored the traffic. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the start of the measurement interval. For information on specifying the start time, see Specifying Time Intervals When Querying Statistics Tables. |
url_reputation_stats_current_timeframe Joins
You cannot perform joins on the url_reputation_stats_current_
timeframe tables.
url_reputation_stats_current_timeframe Sample Query
The following query returns up to 25 URL reputation records from the url_reputation_stats_current_month
table. Each record contains the bytes of inbound and outbound traffic, as well as allowed and denied connections over the measurement time interval. This particular query is limited to the High risk
reputation and Global \ Company B \ Edge
domain.
SELECT sensor_name, sensor_address, reputation, start_time_sec, bytes_in, bytes_out, connections_allowed, connections_denied
FROM url_reputation_stats_current_year
WHERE reputation="High risk" AND domain_name= "Global \ Company B \ Edge"
user_ids_stats_current_timeframe
The user_ids_stats_current_
timeframe tables are round-robin tables that contain statistics on access filtering and impact statistics by user.
For an understanding of the current_day
, current_month
, and current_year
tables in this type, see Storage Characteristics for Statistics Tracking Tables.
For general information on using the round robin statistics tables, see Understanding Statistics Tracking Tables.
For more information on the user_ids_stats_current_
timeframe tables, see the following sections:
-
user_ids_stats_current_timeframe Fields
-
user_ids_stats_current_timeframe Joins
-
user_ids_stats_current_timeframe Sample Query
user_ids_stats_current_timeframe Fields
The following table describes the fields you can access in the user_ids_stats_current_
timeframe tables.
|
|
---|---|
The number of connections blocked due to violation of an intrusion policy. |
|
UUID of the domain specified for the statistics. This is presented in binary. |
|
The number of impact level 1 (vulnerable) intrusion events recorded for the user. |
|
The number of impact level 2 (potentially vulnerable) intrusion events recorded for the user. |
|
The number of impact level 3 (host currently not vulnerable) intrusion events recorded for the user. |
|
The number of impact level 4 (unknown target) intrusion events recorded for the user. |
|
The number of impact level 5 (unknown vulnerability) intrusion events recorded for the user. |
|
Netmap ID for the domain on which the statistics were collected. |
|
The IP address of the managed device that monitored the traffic. Format is ipv4_address,ipv6_address. |
|
The internal identification number of the managed device that detected the traffic. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the start of the measurement interval. For information on specifying the start time, see Specifying Time Intervals When Querying Statistics Tables. |
|
An internal identification number for the user who last logged into the host. |
|
Number of packets that would have been dropped if the intrusion policy had been configured to drop packets in an inline deployment. |
user_ids_stats_current_timeframe Joins
You cannot perform joins on the user_ids_stats_current_
timeframe tables.
user_ids_stats_current_timeframe Sample Query
The following query returns up to 25 user records from the user_ids_stats_current_month
table. Each record contains the number of blocked connections and intrusion events for the selected username
with the Global \ Company B \ Edge
domain.
SELECT username, start_time_sec, blocked, impact_level_1, impact_level_2, impact_level_3, impact_level_4, impact_level_5 FROM user_ids_stats_current_year
WHERE username="username" AND domain_name= "Global \ Company B \ Edge"
user_stats_current_timeframe
The user_stats_current_
timeframe tables contain statistics on bandwidth usage and access control actions (connection allowed or denied) by user. You can also constrain queries on the managed device that monitored the traffic.
For an understanding of the current_day
, current_month
, and current_year
statistics tables, see Storage Characteristics for Statistics Tracking Tables.
For more information, see the following sections:
-
user_stats_current_timeframe Fields
-
user_stats_current_timeframe Joins
-
user_stats_current_timeframe Sample Query
user_stats_current_timeframe Fields
The following table describes the fields you can access in the user_stats_current_
timeframe tables.
|
|
---|---|
The number of bytes of inbound traffic for the user in the measured interval. |
|
The number of bytes of outbound traffic for the user in the measured interval. |
|
The number of connections allowed for this user in the measured time frame. |
|
The number of connections denied for this user due to violation of an access control policy. |
|
UUID of the domain specified for the statistics. This is presented in binary. |
|
Netmap ID for the domain on which the statistics were collected. |
|
The IP address of the managed device that monitored the traffic. Format is ipv4_address,ipv6_address. |
|
The internal identification number of the managed device that detected the traffic. |
|
A unique identifier for the managed device, or |
|
The UNIX timestamp of the start of the measurement interval. For information on specifying the start time, see Specifying Time Intervals When Querying Statistics Tables. |
|
The internal identification number for the user who last logged into the host that generated the traffic. |
|
User name for the user who last logged into the host that generated the traffic. |
user_stats_current_timeframe Joins
You cannot perform joins on the user_stats_current_
timeframe tables.
user_stats_current_timeframe Sample Query
The following query returns up to 25 user records. Each record contains the bytes of inbound and outbound traffic, as well as allowed and denied connections over the measurement time interval within the domain_name= "Global \ Company B \ Edge
domain.
SELECT sensor_name, sensor_address, username, start_time_sec, bytes_in, bytes_out,
connections_allowed, connections_denied
WHERE username="username" AND domain_name= "Global \ Company B \ Edge"