Path: Policy - Event Tracking Tables


Event tracking tables (ETTs) are data buffers that store combinations of attributes. They track traffic properties in order to enable behavior-based correlation. Rules can be applied based on whether and how often certain properties were encountered.


Note:

Event tracking tables can only be used within advanced correlation scenarios. You can add a new event tracking table only while setting up a scenario.


Under Policy > Event Tracking Tables, you see an overview of the existing tables in advanced correlation scenarios. You can click on the number in the Counts column to see the content of the table.


You can combine the attributes tracked by an event tracking table according to your requirements. The following attribute types are available:

  • Assets
  • Classification applications and/or protocols
  • HTTP domain names
  • HTTP URLs
  • Interfaces
  • IDS hits
  • IP addresses
  • Layer 4 ports
  • MAC addresses
  • None (used to track only one attribute instead of attribute pairs)
  • Timestamps
  • Users
  • VLAN tags


For example, useful combinations are:

| Primary Attribute Type | Secondary Attribute Type | Use |
|---|---|---|
| IP address | Layer 4 port | Stores a list of ports per IP address. |
| MAC address | Timestamp | Counts how often a MAC address was added to the ETT. |
| User | HTTP URL | Shows which URLs users visited by storing a list of accessed URLs per user. |
| Asset | IDS hit | Stores a list of IDS hits per asset. You can use this event tracking table to set up rules that isolate devices that exceed a certain number of IDS hits. |
| User | None | Tracks users. You can use it to create policy rules that are based on the behavior of users. |
| None | Assets | Counts the number of assets in your system. You can use it to set up rules that are triggered if a certain value is exceeded. |
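The combinations in the table above, worked through as a small Python model of an event tracking table: a primary attribute maps to the list of secondary values seen with it, "None" on either side tracks a single attribute, and a threshold check returns the keys a rule would act on. This is an added, hypothetical example with constructed sample events; it is not the product's own implementation or API.

```python
from collections import defaultdict
from typing import Any, Dict, List

class EventTrackingTable:
    """Per value of a primary attribute, store the secondary values seen with it (None on either side tracks one attribute)."""

    def __init__(self, primary, secondary, keep_duplicates=False):
        self.primary = primary        # e.g. "ip"; None tracks only the secondary attribute
        self.secondary = secondary    # e.g. "port"; None tracks only the primary attribute
        self.keep_duplicates = keep_duplicates  # True for timestamps: every add is counted
        self._rows: Dict[Any, List[Any]] = defaultdict(list)

    def add(self, event: Dict[str, Any]) -> None:
        """Record one traffic event (dict of attribute name -> value) in the table."""
        key = event.get(self.primary) if self.primary else None
        val = event.get(self.secondary) if self.secondary else None
        if (self.primary and key is None) or (self.secondary and val is None):
            return  # the event lacks a tracked attribute, so there is nothing to store
        if self.keep_duplicates or val not in self._rows[key]:
            self._rows[key].append(val)

    def count(self, key: Any = None) -> int:
        """Number of stored secondary values for one primary value (the Counts column)."""
        return len(self._rows.get(key, []))

    def exceeding(self, threshold: int) -> List[Any]:
        """Primary values whose count exceeds the threshold, e.g. assets with too many IDS hits."""
        return [k for k, vals in self._rows.items() if len(vals) > threshold]

# Constructed sample events (not real traffic): host-a triggers three IDS hits, host-b none.
EVENTS = [
    {"ip": "10.0.0.5", "port": 22,  "asset": "host-a", "ids_hit": "sig-1", "mac": "aa:bb:cc:00:00:01", "ts": 100},
    {"ip": "10.0.0.5", "port": 443, "asset": "host-a", "ids_hit": "sig-2", "mac": "aa:bb:cc:00:00:01", "ts": 101},
    {"ip": "10.0.0.5", "port": 443, "asset": "host-a", "ids_hit": "sig-3", "mac": "aa:bb:cc:00:00:01", "ts": 102},
    {"ip": "10.0.0.9", "port": 80,  "asset": "host-b", "mac": "aa:bb:cc:00:00:02", "ts": 103},
]

def build_tables() -> Dict[str, EventTrackingTable]:
    """Fill four of the example tables from the page with the sample events."""
    tables = {
        "ports_per_ip": EventTrackingTable("ip", "port"),
        "adds_per_mac": EventTrackingTable("mac", "ts", keep_duplicates=True),
        "ids_hits_per_asset": EventTrackingTable("asset", "ids_hit"),
        "asset_count": EventTrackingTable(None, "asset"),
    }
    for table in tables.values():
        for event in EVENTS:
            table.add(event)
    return tables
```

With these events, `build_tables()["ids_hits_per_asset"].exceeding(2)` returns `["host-a"]`, the asset a rule would isolate, and `build_tables()["asset_count"].count()` returns 2.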