Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 38: Working with Discovery Events
Working with Servers
The FireSIGHT System collects information about all servers running on hosts on monitored network 
segments. The information that the system collects includes the name of the server, the application and 
network protocols used by the server, the vendor and version of the server, the IP address associated with 
the host running a server, and the port on which the server communicates.
When the system detects a server, it generates a discovery event unless the associated host has already 
reached its maximum number of servers. For more information, see 
. You can use the Defense Center web interface to view, search, and delete server 
events.
You can also base correlation rules on server events. For example, you could trigger a correlation rule 
when the system detects a chat server, such as ircd, running on one of your hosts.
Although you can configure the network discovery policy to add servers to the network map based on 
application data exported by NetFlow-enabled devices, the available information about these servers is 
limited. For more information, see 
Viewing Servers
License: FireSIGHT
You can use the Defense Center to view a table of detected servers. Then, you can manipulate the event 
view depending on the information you are looking for.
The page you see when you access servers differs depending on the workflow you use. All the predefined 
workflows terminate in a host view, which contains a host profile for every host that meets your 
constraints. You can also create a custom workflow that displays only the information that matches your 
specific needs. For more information, see 
.
Table 38-8 below describes some of the specific actions you can perform on a servers workflow
page. You can also perform the tasks described in the
To view servers:
Access: Admin/Any Security Analyst
Step 1  Select Analysis > Hosts > Servers.
Table 38-8  Server Actions
To... | You can...
learn more about the contents of the columns in the table | find more information in .
edit server identities | select the check boxes next to the events for servers you want to edit, then click Set Server Identity. For more information, see