Path: Policy - Event Tracking Table


Note:

An event tracking table can only be used within advanced correlation scenarios. You can add a new event tracking table only while setting up a scenario.


Under Policy > Event Tracking Tables, you see an overview of the existing tables in active advanced correlation scenarios. You can click on the number in the Counts column (if the value differs from 0) to see the content of the table:




Content of an event tracking table that records layer 4 ports per IP address.

You can combine the attributes of an event tracking table according to your requirements. 

The following attribute types are available:

  • Classification applications and/or protocols
  • HTTP domain names
  • HTTP URLs
  • Interfaces
  • IDS hits
  • IP addresses
  • Layer 4 ports
  • MAC addresses
  • Timestamps
  • VLAN tags


For example, useful combinations are:

  • IP address and layer 4 port
    If you want to store a list of ports per IP, choose Ip Address as Primary Attribute Type and Layer 4 port as Secondary Attribute Type.
  • IP address and timestamp
    If you want to count how often an IP was added to an event tracking table (ETT), select Ip Address as Primary Attribute Type and Timestamp as Secondary Attribute Type.
  • MAC address and URL
    If you want to see which URLs a certain device accessed, store a list of accessed URLs per MAC address. Choose MAC Address as Primary Attribute Type and HTTP URL as Secondary Attribute Type.
  • MAC address and IDS hits
    To store a list of IDS hits per MAC address, choose MAC Address as Primary Attribute Type and IDS Hit as Secondary Attribute Type. You can use this event tracking table to set up rules that isolate devices that exceed a certain number of IDS hits.
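
The following added example is a conceptual Python model of the primary/secondary attribute pairing described above; it is not code from the product. The class and function names, the sample MAC addresses, IP addresses and IDS hit identifiers, and the rule that a repeated pair is stored only once are all assumptions made for illustration.

```python
from collections import defaultdict


class EventTrackingTable:
    """Conceptual model: each primary value maps to a set of secondary values."""

    def __init__(self, primary_type, secondary_type):
        self.primary_type = primary_type
        self.secondary_type = secondary_type
        self._rows = defaultdict(set)

    def add(self, primary, secondary):
        # Assumption: a repeated (primary, secondary) pair is stored only once.
        self._rows[primary].add(secondary)

    def count(self, primary):
        """Number of secondary entries recorded for one primary value."""
        return len(self._rows.get(primary, ()))

    def exceeding(self, threshold):
        """Primary values that have more than `threshold` secondary entries."""
        return sorted(p for p, s in self._rows.items() if len(s) > threshold)


def build(primary_type, secondary_type, events):
    table = EventTrackingTable(primary_type, secondary_type)
    for primary, secondary in events:
        table.add(primary, secondary)
    return table


# Constructed sample data (hypothetical MACs, hit identifiers, IPs, epoch times).
IDS_EVENTS = [
    ("02:00:00:00:00:0a", "sig-1001"),
    ("02:00:00:00:00:0a", "sig-1002"),
    ("02:00:00:00:00:0a", "sig-1003"),
    ("02:00:00:00:00:0b", "sig-1001"),
    ("02:00:00:00:00:0b", "sig-1001"),  # same hit again, stored once
]
ADD_EVENTS = [("192.0.2.10", 1700000000), ("192.0.2.10", 1700000060),
              ("192.0.2.20", 1700000030)]


def devices_to_isolate(threshold=2):
    # MAC Address as primary, IDS Hit as secondary: candidates for an isolation rule.
    return build("MAC Address", "IDS Hit", IDS_EVENTS).exceeding(threshold)


def additions_per_ip():
    # Ip Address as primary, Timestamp as secondary: entry count = times added.
    table = build("Ip Address", "Timestamp", ADD_EVENTS)
    return {ip: table.count(ip) for ip in ("192.0.2.10", "192.0.2.20")}
```

With the sample data, only the first device exceeds a threshold of two IDS hits, and the timestamp table shows that 192.0.2.10 was added twice.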