Path: Policy - Event Tracking Tables

Event tracking tables (ETTs) are data buffers that store combinations of attributes. They track traffic properties in order to enable behavior-based correlation. Rules can be applied based on whether and how often certain properties were encountered.


Event tracking tables can only be used within advanced correlation scenarios. You can add a new event tracking table only while setting up a scenario.

Under Policy > Event Tracking Tables, you see an overview of the existing tables in advanced correlation scenarios. You can click on the number in the Counts column to see the content of the table.

You can combine the attributes tracked by an event tracking table according to your requirements. 

The following attribute types are available:

  • Assets
  • Classification applications and/or protocols
  • HTTP domain names
  • Interfaces
  • IDS hits
  • IP addresses
  • Layer 4 ports
  • MAC addresses
  • None (used to track only one attribute instead of attribute pairs)
  • Timestamps
  • Users
  • VLAN tags

For example, useful combinations are:

Primary Attribute Type
Secondary Attribute Type
IP address
Layer 4 port
Stores a list of ports per IP address.
MAC address
Counts how often a MAC address was added to an ETT.
Shows what URLs users visited by storing a list of accessed URLs per user.
IDS hit
Stores a list of IDS hits per asset. You can use this event tracking table to set up rules that isolate devices, which exceed a certain number of IDS hits.
This ETT tracks users. You can use it to create policy rules that are based on the behavior of users.
You can use this ETT to count the number of assets in your system and set up rules that are triggered if a certain value is exceeded.