Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 35      Introduction to Network Discovery
  Understanding Discovery Data Collection
more information, see .
You can also add or update host and operating system data through the host input feature. In addition, if 
you create a NetFlow-enabled discovery rule with host detection enabled, hosts can be added to the 
network map from NetFlow data.
You can view the hosts detected by the system using the Defense Center web interface:
  • For information on viewing and searching for hosts using the event viewer, see .
  • For information on viewing the network map, which is a detailed representation of your network assets and topology, see .
  • For information on viewing host profiles, which are complete views of all the information available for your detected hosts, see .
Understanding User Data Collection
License: FireSIGHT
You can use the FireSIGHT System to monitor user activity on your network, which allows you to 
correlate threat, endpoint, and network intelligence with user identity information. By linking network 
behavior, traffic, and events directly to individual users, the system can help you to identify the source 
of policy breaches, attacks, or network vulnerabilities. In other words, the system can tell you the “who” 
behind the “what.” For example, you could determine:
  • who owns the host targeted by an intrusion event that has a Vulnerable (level 1: red) impact level
  • who initiated an internal attack or portscan
  • who is attempting unauthorized access of a server that has high host criticality
  • who is consuming an unreasonable amount of bandwidth
  • who has not applied critical operating system updates
  • who is using instant messaging software or peer-to-peer file-sharing applications in violation of company IT policy
Armed with this information, you can take a targeted approach to mitigate risk, block users or user 
activity, and take action to protect others from disruption. These capabilities also significantly improve 
audit controls and enhance regulatory compliance.
The system downloads the users used in access control policies from the Microsoft Active Directory 
LDAP server, based on the user awareness settings in the LDAP connection. The User Agent then 
provides login data for these users and the users are added to the user database. These users are referred 
to as access-controlled users. When you author access control policies that include user conditions, you 
write those conditions against access-controlled users. For more information, see .
When the system detects user data from a user login, either from a User Agent, or from an email login 
over POP3, SMTP, or IMAP, the user from the login is checked against the list of users. If the login user 
matches an existing user reported by an agent, the data from the login is assigned to the user. Logins that 
do not match existing users cause a new user to be created, unless the login is in SMTP traffic. 
Non-matching logins in SMTP traffic are discarded.
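The matching rules above are easy to get wrong when you are reasoning about why a user does or does not appear in the user database. The following Python model is an added example, not Cisco code and not the system's implementation: it seeds a user database with access-controlled users (standing in for the Active Directory LDAP download), then applies each detected login according to the rules stated above (match to an existing user, otherwise create a new user, except that non-matching SMTP logins are discarded). It also answers the "who" question from the earlier list by returning the most recent login seen on a host. The class and field names, the exact-string username match, and the sample LDAP users and login events are assumptions constructed for the example; the page does not state how usernames are normalized.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Login sources named on this page: the User Agent and email logins in
# POP3, SMTP, or IMAP traffic.
SUPPORTED_SOURCES = ("agent", "pop3", "smtp", "imap")


@dataclass
class LoginEvent:
    username: str
    source: str      # one of SUPPORTED_SOURCES
    host_ip: str     # host on which the login was observed
    seen_at: int     # epoch seconds (constructed sample values below)


@dataclass
class UserRecord:
    username: str
    access_controlled: bool          # True if seeded from the AD/LDAP download
    logins: List[LoginEvent] = field(default_factory=list)


class UserDatabase:
    """Hypothetical model of the user database described on this page."""

    def __init__(self, ldap_users: List[str]):
        # Users referenced by access control policies, downloaded from LDAP.
        self.users: Dict[str, UserRecord] = {
            u: UserRecord(u, access_controlled=True) for u in ldap_users
        }
        self.discarded: List[LoginEvent] = []   # non-matching SMTP logins

    def process_login(self, event: LoginEvent) -> Optional[UserRecord]:
        """Apply one detected login; returns the record it was assigned to,
        or None when the login was discarded."""
        if event.source not in SUPPORTED_SOURCES:
            raise ValueError(f"unsupported login source: {event.source}")
        # Assumption: exact username match (page does not specify normalization).
        record = self.users.get(event.username)
        if record is None:
            if event.source == "smtp":
                # Rule from the text: non-matching SMTP logins are discarded.
                self.discarded.append(event)
                return None
            # Any other non-matching login creates a new (non-access-controlled) user.
            record = UserRecord(event.username, access_controlled=False)
            self.users[event.username] = record
        record.logins.append(event)
        return record

    def user_for_host(self, host_ip: str, at: Optional[int] = None) -> Optional[str]:
        """The 'who' behind a host: most recent login on host_ip, optionally
        restricted to logins seen no later than `at` (e.g. an event time)."""
        best: Optional[LoginEvent] = None
        for rec in self.users.values():
            for ev in rec.logins:
                if ev.host_ip != host_ip or (at is not None and ev.seen_at > at):
                    continue
                if best is None or ev.seen_at > best.seen_at:
                    best = ev
        return best.username if best else None


# Constructed sample data, not captured from a real deployment.
SAMPLE_LDAP_USERS = ["alice", "bob"]
SAMPLE_LOGINS = [
    LoginEvent("alice", "agent", "10.0.0.5", 1000),   # matches LDAP user
    LoginEvent("carol", "imap",  "10.0.0.7", 1010),   # unknown, IMAP -> new user
    LoginEvent("dave",  "smtp",  "10.0.0.9", 1020),   # unknown, SMTP -> discarded
    LoginEvent("bob",   "smtp",  "10.0.0.5", 1030),   # matches LDAP user via SMTP
]


def run_sample() -> UserDatabase:
    db = UserDatabase(SAMPLE_LDAP_USERS)
    for ev in SAMPLE_LOGINS:
        db.process_login(ev)
    return db


if __name__ == "__main__":
    db = run_sample()
    for name, rec in db.users.items():
        kind = "access-controlled" if rec.access_controlled else "discovered"
        print(f"{name:6} {kind:18} logins={len(rec.logins)}")
    print("discarded:", [e.username for e in db.discarded])
    print("who was on 10.0.0.5 at t=1005?", db.user_for_host("10.0.0.5", at=1005))
```

Note that `dave` never reaches the user database even though a login was seen, which is the behaviour to expect when the only evidence of a user is outbound SMTP; a user condition written against such a name will never match.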
The following diagram illustrates how the FireSIGHT System collects and stores user data.