I was interested whether anyone in the community has successfully used the database API to retrieve packet data associated with one or more events. I'm mostly concerned with events which trigger on multiple packets, such as a rule matching over a stream of reassembled packets, and thus the packet_time_sec and event_time_sec may not always match.
I have noticed that 'event_id' does not uniquely identify an event. The following query returns multiple packets over a long period of time, even though the 'event_id' value is taken from an event with a single packet from a specific day.
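As an added illustration (not part of the original post, and not a Cisco-supplied query), the following shows the two checks a practitioner would run against the Firepower Management Center database-access interface before trusting an event_id-based packet lookup. The table and column names (intrusion_event, intrusion_event_packet, sensor_uuid, event_id, event_time_sec, packet_time_sec, packet_time_usec, packet_data) are assumed from the FMC database-access schema; the sensor UUID, event_id and time values are constructed placeholders, and the lookback window of 300 seconds is an assumption to tune for your rule set and stream-reassembly timeouts.

```sql
-- Added example, not from the original post. Schema names are assumed:
--   intrusion_event(sensor_uuid, event_id, event_time_sec, event_time_usec, ...)
--   intrusion_event_packet(sensor_uuid, event_id, packet_time_sec,
--                          packet_time_usec, packet_data)

-- Check 1: is (sensor_uuid, event_id) unique within the day in question?
-- event_id on its own is reused across sensors and over time, which is why
-- a bare event_id filter returns packets from unrelated events.
-- 1473638400..1473724800 is one constructed day (2016-09-12 UTC).
SELECT sensor_uuid, event_id, COUNT(*) AS occurrences
FROM intrusion_event
WHERE event_time_sec BETWEEN 1473638400 AND 1473724800
GROUP BY sensor_uuid, event_id
HAVING COUNT(*) > 1;

-- Check 2: fetch the packets for one event, keyed on sensor AND event_id,
-- and bound packet_time_sec to a window around event_time_sec. A
-- stream-reassembly event has several packets whose packet_time_sec
-- precedes event_time_sec, so the lower bound must reach back far enough
-- (300 s here, an assumption) without pulling in a recycled event_id.
SELECT e.sensor_uuid, e.event_id, e.event_time_sec,
       p.packet_time_sec, p.packet_time_usec, p.packet_data
FROM intrusion_event e
JOIN intrusion_event_packet p
  ON p.sensor_uuid = e.sensor_uuid
 AND p.event_id    = e.event_id
 AND p.packet_time_sec BETWEEN e.event_time_sec - 300 AND e.event_time_sec + 5
WHERE e.sensor_uuid = '00000000-0000-0000-0000-000000000000'  -- placeholder
  AND e.event_id    = 12345                                   -- placeholder
ORDER BY p.packet_time_sec, p.packet_time_usec;
```

If Check 1 returns rows, event_id is being recycled on that sensor within the day and the time bound in Check 2 is what keeps the packet set correct; if the database-access interface in your release rejects the join, run the two halves separately and apply the same sensor and time constraints to intrusion_event_packet.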