AUDIT_JOURNAL_IM table function
The AUDIT_JOURNAL_IM table function returns rows from the audit journal that contain information from the IM (Intrusion Monitor) journal entries.
Every audit journal table function shares a common authorization requirement and a common set of parameters. These are described in AUDIT JOURNAL table function common information.
The result of the function is a table containing rows with the format shown in the following table. All the columns are nullable.
The first columns returned by this table function are from the common audit journal entry header. See Common columns returned from the audit journal entry header for the column definitions. After the common columns are the following columns that describe the entry specific data for the IM audit journal entry.

Column Name | Data Type | Description |
---|---|---|
ENTRY_TYPE | CHAR(1) | The type of entry. |
ENTRY_TYPE_DETAIL | VARCHAR(200) | Descriptive text that corresponds to the entry type. |
EVENT_TIMESTAMP | TIMESTAMP | The date and time that the event was detected. |
EVENT_LOCAL_ADDRESS_FAMILY | CHAR(4) | The type of local address associated with the detected event. Contains the null value when a value is not available. |
EVENT_LOCAL_ADDRESS | VARCHAR(45) | Local IP address associated with the detected event. Contains the null value when a value is not available. |
EVENT_LOCAL_PORT | INTEGER | Local port number associated with the detected event. Contains the null value when a value is not available. |
EVENT_REMOTE_ADDRESS_FAMILY | CHAR(4) | The type of remote address associated with the detected event. Contains the null value when a value is not available. |
EVENT_REMOTE_ADDRESS | VARCHAR(45) | Remote IP address associated with the detected event. Contains the null value when a value is not available. |
EVENT_REMOTE_PORT | INTEGER | Remote port number associated with the detected event. Contains the null value when a value is not available. |
PROBE_TYPE | VARCHAR(6) | The type of probe used to detect the potential intrusion. |
PROBE_TYPE_DETAIL | VARCHAR(200) | Descriptive text for the probe type. |
EVENT_CORRELATOR | VARCHAR(4) | Identifier for this specific intrusion event. This identifier can be used to correlate this audit record with other intrusion detection information. |
EVENT_ATTACK_TYPE | VARCHAR(8) | The type of potential intrusion that was detected. Contains the null value when PROBE_TYPE is not ATTACK or XATTAC. |
EVENT_ATTACK_TYPE_DETAIL | VARCHAR(200) | Descriptive text for the type of potential intrusion. Contains the null value when PROBE_TYPE is not ATTACK or XATTAC. |
PROTOCOL | VARCHAR(6) | Protocol. Recognized protocol values and their protocol numbers are: Contains the null value when a value is not available. |
CONDITION_NUMBER | INTEGER | Condition number from the IDS policy file. Contains the null value when a value is not available. |
THROTTLING_ACTIVE | VARCHAR(3) | Throttling status at the time the event was flagged. |
DISCARDED_PACKETS | INTEGER | Number of discarded packets when throttled. Contains the null value when THROTTLING_ACTIVE is NO. |
TARGET_TCPIP_STACK | VARCHAR(10) | The type of TCP/IP stack that was targeted. |
SUSPECTED_PACKET | VARBINARY(1000) | The first 1000 bytes of the IP packet associated with the detected event. Contains the null value when PROBE_TYPE is TR-SSL or when a value is not available. |
FAILING_HANDSHAKE_LOCATION | VARCHAR(6) | The processing location that detected the failed handshake. Contains the null value when PROBE_TYPE is not TR-SSL or when a value is not available. |
FAILING_HANDSHAKE_ERROR | VARCHAR(40) | The error returned on the failing handshake. Contains the null value when PROBE_TYPE is not TR-SSL or when a value is not available. |
DETECTION_POINT_ID | VARCHAR(4) | A unique identifier for the processing location that detected the intrusion event. This value is intended for use by service personnel. |
Example
- List all intrusion events for this week.
SELECT * FROM TABLE( SYSTOOLS.AUDIT_JOURNAL_IM( STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS ) );
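A more targeted triage query, added here as an example and not part of the IBM documentation: it summarizes a week of IM entries by probe type, attack type, remote address and local port so the noisiest sources surface first, and it relies only on the STARTING_TIMESTAMP parameter and the columns described on this page, applying the documented null rules for EVENT_ATTACK_TYPE and DISCARDED_PACKETS.

```sql
-- Added example (not from the IBM documentation). Summarize the last 7 days
-- of Intrusion Monitor (IM) audit entries for defender triage.
WITH im AS (
    SELECT EVENT_TIMESTAMP,
           PROBE_TYPE,
           EVENT_ATTACK_TYPE,
           EVENT_REMOTE_ADDRESS,
           EVENT_LOCAL_PORT,
           PROTOCOL,
           THROTTLING_ACTIVE,
           DISCARDED_PACKETS
    FROM TABLE( SYSTOOLS.AUDIT_JOURNAL_IM(
                    STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS ) )
)
SELECT PROBE_TYPE,
       -- EVENT_ATTACK_TYPE is null unless PROBE_TYPE is ATTACK or XATTAC,
       -- so scan/flood-style probes group under '-' rather than being dropped.
       COALESCE(EVENT_ATTACK_TYPE, '-')       AS ATTACK_TYPE,
       EVENT_REMOTE_ADDRESS,
       EVENT_LOCAL_PORT,
       PROTOCOL,
       COUNT(*)                               AS EVENTS,
       MIN(EVENT_TIMESTAMP)                   AS FIRST_SEEN,
       MAX(EVENT_TIMESTAMP)                   AS LAST_SEEN,
       -- DISCARDED_PACKETS is null when THROTTLING_ACTIVE is NO; treat as 0
       -- so the total reflects only packets actually discarded by throttling.
       SUM(COALESCE(DISCARDED_PACKETS, 0))    AS DISCARDED_BY_THROTTLING,
       -- Flag groups where throttling was ever active during the window.
       MAX(CASE WHEN THROTTLING_ACTIVE <> 'NO' THEN 1 ELSE 0 END) AS THROTTLED
FROM im
GROUP BY PROBE_TYPE, EVENT_ATTACK_TYPE, EVENT_REMOTE_ADDRESS,
         EVENT_LOCAL_PORT, PROTOCOL
ORDER BY EVENTS DESC, LAST_SEEN DESC
FETCH FIRST 25 ROWS ONLY;
```

For TLS handshake failures, filter the same source on PROBE_TYPE = 'TR-SSL' and group by FAILING_HANDSHAKE_LOCATION and FAILING_HANDSHAKE_ERROR instead, since those two columns are populated only for that probe type.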