You can send events from the App Control Server to an external database.
The following table describes the external events table columns.
App Control External Event Database Columns

External table column | Data Type | Note
---|---|---
event_id | BIGINT | ID of the event |
time | DATETIME | Time when event occurred (in UTC) |
received_time | DATETIME | Time when server received the event (in UTC) |
severity | NVARCHAR(256) | Event severity |
priority | NVARCHAR(256) | Event severity |
type | NVARCHAR(256) | Event type name |
subtype | NVARCHAR(256) | Event subtype name |
text | NVARCHAR(1024) | Event description |
hostname | NVARCHAR(128) | Event source (computer name or 'system') |
host_id | INTEGER | ID of the event source (computer ID or 0 for 'system') |
ip_address | VARCHAR(40) | IP address associated with the event |
platform | NVARCHAR(64) | Platform of the computer associated with the event (Windows, Mac, Linux) |
hostgroup | NVARCHAR(512) | Name of the policy associated with the event |
hostgroup_id | INTEGER | ID of the policy associated with the event |
username | NVARCHAR(512) | Name of user associated with the event |
process | NVARCHAR(512) | Name of the process associated with the event |
filename | NVARCHAR(1024) | Full file path |
hash | CHAR(64) | File hash (sha256) |
tail_filename | NVARCHAR(256) | Truncated file name (max. 256 characters) |
roothash | CHAR(64) | Installer hash (sha256) |
rootname | NVARCHAR(1024) | Installer name associated with the event |
ieid | INTEGER | Installer ID associated with the event |
ban_name | NVARCHAR(128) | For blocked file events, the name of the ban that blocked the file action; some bans are unnamed |
rule_name | NVARCHAR(128) | Name of the rule associated with the event (if any) |
updater_name | NVARCHAR(256) | Name of the Updater associated with the event (if any) |
parent_id | INTEGER | Not used |
indicator_name | NVARCHAR(128) | Name of the threat indicator associated with the event (if any) |
process_key | NVARCHAR(128) | Unique proprietary key identifying the instance of the process on a specific computer |
file_trust | INTEGER | File trust from Carbon Black File Reputation of the file associated with the event. Pending means that file lookup was not yet performed but will be. (Conditional) Values: -2 = pending, -1 = unknown, 0-10 = trust value |
file_threat | INTEGER | File threat from Carbon Black File Reputation of the file associated with the event. Pending means that file lookup was not yet performed but will be. (Conditional) Values: -2 = pending, -1 = unknown, 0 = no threat, 1 = potential risk, 2 = malicious |
process_trust | INTEGER | Parent process trust from Carbon Black File Reputation of the file associated with the event. Pending means that file lookup was not yet performed but will be. (Conditional) Values: -2 = pending, -1 = unknown, 0-10 = trust value |
process_threat | INTEGER | Parent process threat from Carbon Black File Reputation of the file associated with the event. Pending means that file lookup was not yet performed but will be. (Conditional) Values: -2 = pending, -1 = unknown, 0 = no threat, 1 = potential risk, 2 = malicious |
process_hash | CHAR(64) | Hash of the process associated with the event |
command_line | NVARCHAR(1024) | Command line in the event description. Command lines may include proprietary information (e.g., passwords), and so their inclusion in events is optional. (Conditional) |
unified_source | NVARCHAR(256) | In a Unified Management environment, the server that initiated an action. (Conditional) |
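The `file_trust`, `file_threat`, `process_trust` and `process_threat` columns reuse negative integers (-2 pending, -1 unknown) as sentinels on the same column that carries the 0-10 trust score or the 0-2 threat level, so a query that simply filters on "low trust" will sweep in events whose lookup has not happened yet. The following is an added example, not code from the App Control documentation or product: it builds an in-memory SQLite stand-in for a subset of the external events table (the real target database is whatever you configured on the server), loads a few constructed rows with placeholder hashes, and contrasts a naive low-trust query with one that excludes the sentinels. The table name `external_events`, the threshold `LOW_TRUST_MAX` and the sample event types are assumptions for the example.

```python
import sqlite3

# Assumed SQLite stand-in for a subset of the external events table; column names
# and types are taken from the column table above, the table name is an assumption.
SCHEMA = """
CREATE TABLE external_events (
    event_id       BIGINT PRIMARY KEY,
    time           DATETIME,
    type           NVARCHAR(256),
    subtype        NVARCHAR(256),
    hostname       NVARCHAR(128),
    username       NVARCHAR(512),
    filename       NVARCHAR(1024),
    hash           CHAR(64),
    file_trust     INTEGER,
    file_threat    INTEGER,
    process_trust  INTEGER,
    process_threat INTEGER
)
"""

# Sentinel and threat values as documented for the *_trust / *_threat columns.
PENDING, UNKNOWN = -2, -1
THREAT_NONE, THREAT_POTENTIAL, THREAT_MALICIOUS = 0, 1, 2
LOW_TRUST_MAX = 2  # assumed local threshold on the 0-10 trust scale; tune to your environment

# Constructed sample rows: hostnames, users, paths and event types are made up,
# and the hashes are placeholders rather than real SHA-256 digests.
SAMPLE_ROWS = [
    (1001, "2024-03-01 10:00:00", "Policy Enforcement", "Execution block", "WS-ALPHA",
     "CORP\\alice", "C:\\Users\\alice\\Downloads\\tool.exe", "a" * 64, 1, THREAT_MALICIOUS, 7, THREAT_NONE),
    (1002, "2024-03-01 10:01:00", "Policy Enforcement", "Execution block", "WS-BRAVO",
     "CORP\\bob", "C:\\Temp\\setup.exe", "b" * 64, PENDING, PENDING, PENDING, PENDING),
    (1003, "2024-03-01 10:02:00", "Discovery", "New file", "WS-CHARLIE",
     "CORP\\carol", "C:\\Program Files\\Vendor\\app.exe", "c" * 64, 9, THREAT_NONE, PENDING, PENDING),
    (1004, "2024-03-01 10:03:00", "Discovery", "New file", "WS-DELTA",
     "CORP\\dave", "C:\\Users\\dave\\build\\out.exe", "d" * 64, UNKNOWN, UNKNOWN, 8, THREAT_NONE),
    (1005, "2024-03-01 10:04:00", "Policy Enforcement", "Execution block", "WS-ECHO",
     "CORP\\erin", "D:\\share\\macro_helper.exe", "e" * 64, 2, THREAT_POTENTIAL, 6, THREAT_NONE),
]


def load_sample_db() -> sqlite3.Connection:
    """Create the stand-in table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO external_events VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def _ids(conn: sqlite3.Connection, sql: str, params=()) -> list:
    return [row[0] for row in conn.execute(sql, params)]


def naive_low_trust(conn: sqlite3.Connection) -> list:
    """Pitfall: 'file_trust <= N' also matches the -2 (pending) and -1 (unknown) sentinels."""
    return _ids(
        conn,
        "SELECT event_id FROM external_events WHERE file_trust <= ? ORDER BY event_id",
        (LOW_TRUST_MAX,),
    )


def suspicious_file_events(conn: sqlite3.Connection) -> list:
    """Events whose file is rated malicious, or whose *resolved* trust score is low.

    BETWEEN 0 AND N keeps the comparison on the real 0-10 scale and drops the sentinels.
    """
    return _ids(
        conn,
        """
        SELECT event_id FROM external_events
        WHERE file_threat = ?
           OR (file_trust BETWEEN 0 AND ?)
        ORDER BY event_id
        """,
        (THREAT_MALICIOUS, LOW_TRUST_MAX),
    )


def pending_reputation(conn: sqlite3.Connection) -> list:
    """Events with any reputation column still pending; these should be re-queried later."""
    return _ids(
        conn,
        """
        SELECT event_id FROM external_events
        WHERE ? IN (file_trust, file_threat, process_trust, process_threat)
        ORDER BY event_id
        """,
        (PENDING,),
    )


if __name__ == "__main__":
    db = load_sample_db()
    print("naive low-trust hits:     ", naive_low_trust(db))       # includes pending/unknown rows
    print("suspicious file events:   ", suspicious_file_events(db))
    print("pending reputation lookups:", pending_reputation(db))
```

The naive query returns the pending and unknown rows alongside the genuinely low-trust ones, which would generate false alerts and, worse, make the pending rows look like they had already been scored. Keeping the pending set separate lets a consumer re-read those events after the server completes the reputation lookup instead of silently dropping them.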