Cisco Firepower Management Center 4000
16-11
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Understanding Connection Data
Other Configurations
An advanced setting in the access control policy controls the number of characters the system stores
in the connection log for each URL requested by monitored hosts in HTTP sessions. If you use this
setting to disable URL logging, the system does not display individual URLs in the connection log,
although you can still view category and reputation data, if it exists.
Also, not all connection events have a Reason, which is a field populated only in specific situations, such as when a user bypasses an Interactive Block configuration; see
Appliance Model
Because Series 2 devices and the DC500 Defense Center support only feature subsets, the DC500
does not display and Series 2 devices do not detect or provide the following connection data:
– Security Intelligence data (including all Security Intelligence events)
– URL category or reputation data
– File data associated with network-based malware detection
Additionally, because the DC500 Defense Center does not support geolocation data, it does not
display the event initiator or responder country.
See for a summary of Series 2 appliance features.
The following table lists each connection event/Security Intelligence event field and whether the system
displays information in that field, depending on the detection method, logging method, and connection
event type. Note that, because Security Intelligence events are never aggregated, the Summary column
refers only to connection event summaries.
Tip: In the table views of both connection events and Security Intelligence events, the Source Device field, as well as the Category and Tag fields for each type of application, are hidden by default. To show a hidden field in an event view, expand the search constraints, then click the field name under Disabled Columns.
Table 16-2  Connection and Security Intelligence Data Based on Logging and Detection Methods

Field                            Detection Method:   Logging Method:  Connection Event:
                                 FireSIGHT  NetFlow  Start   End      Single  Summary
Time                             yes        yes      no      yes      no      yes
First Packet                     yes        yes      yes     yes      yes     no
Last Packet                      yes        yes      no      yes      yes     no
Action                           yes        no       yes     yes      yes     no
Reason                           yes        no       yes     yes      yes     no
Initiator IP                     yes        yes      yes     yes      yes     yes
Initiator Country                yes        no       yes     yes      yes     yes
Initiator User                   yes        yes      yes     yes      yes     yes
Responder IP                     yes        yes      yes     yes      yes     yes
Responder Country                yes        no       yes     yes      yes     yes
Security Intelligence Category   yes        no       yes     no       yes     no
Ingress Security Zone            yes        no       yes     yes      yes     yes
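The practical consequence of Table 16-2 for anyone writing SIEM correlation rules over exported connection events is that a blank field means two very different things: either the field can be populated for that event class but happens to be empty (Reason, which the guide says is set only in specific situations), or the event class never carries it at all (Action or Security Intelligence Category on a NetFlow-detected, end-logged or summary event). A rule that treats both as "no match" silently discards the second class. The following Python is an added example, not code from the FireSIGHT guide or from Cisco: FIELD_MATRIX transcribes the rows of Table 16-2 shown above, and the rest is this example's own construction. Two things are assumptions rather than statements from the guide: that a field is populated only when its Detection Method, Logging Method and Connection Event columns are all "yes", and the "key=value;key=value" record format, which is a constructed stand-in for whatever export a SIEM actually ingests. The sample records, the rule name and the "Block"/"Malware" values in them are likewise constructed for illustration.

```python
"""Audit which Table 16-2 fields a connection event can carry.

Added example, not code from the FireSIGHT guide or from Cisco.
Assumptions (not stated by the guide):
  * a field is populated only when its Detection Method, Logging Method
    and Connection Event columns in Table 16-2 are all "yes";
  * the record format below is a constructed "key=value;key=value" line.
"""

# Column order: FireSIGHT, NetFlow, Start, End, Single, Summary (1 = "yes").
# Values transcribed from the rows of Table 16-2 shown on this page.
FIELD_MATRIX = {
    "Time":                           (1, 1, 0, 1, 0, 1),
    "First Packet":                   (1, 1, 1, 1, 1, 0),
    "Last Packet":                    (1, 1, 0, 1, 1, 0),
    "Action":                         (1, 0, 1, 1, 1, 0),
    "Reason":                         (1, 0, 1, 1, 1, 0),
    "Initiator IP":                   (1, 1, 1, 1, 1, 1),
    "Initiator Country":              (1, 0, 1, 1, 1, 1),
    "Initiator User":                 (1, 1, 1, 1, 1, 1),
    "Responder IP":                   (1, 1, 1, 1, 1, 1),
    "Responder Country":              (1, 0, 1, 1, 1, 1),
    "Security Intelligence Category": (1, 0, 1, 0, 1, 0),
    "Ingress Security Zone":          (1, 0, 1, 1, 1, 1),
}
COLUMN = {"FireSIGHT": 0, "NetFlow": 1, "Start": 2, "End": 3,
          "Single": 4, "Summary": 5}


def expected_fields(detection, logging, event_type):
    """Fields that can be populated for this detection/logging/type class."""
    cols = (COLUMN[detection], COLUMN[logging], COLUMN[event_type])
    return {name for name, row in FIELD_MATRIX.items()
            if all(row[c] for c in cols)}


def parse_record(line):
    """Parse one constructed 'key=value;key=value' record into a dict."""
    rec = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def audit(rec):
    """Classify every Table 16-2 field for one parsed record.

    present            field carries a value
    missing_possible   can be populated for this class but is empty (may be
                       legitimate: Reason is only set in specific situations)
    missing_structural never populated for this class, so a rule keyed on it
                       can never match these events
    """
    possible = expected_fields(rec["detection"], rec["logging"], rec["type"])
    out = {"present": set(), "missing_possible": set(),
           "missing_structural": set()}
    for name in FIELD_MATRIX:
        if rec.get(name):
            out["present"].add(name)
        elif name in possible:
            out["missing_possible"].add(name)
        else:
            out["missing_structural"].add(name)
    return out


def rule_blocked_malware(rec):
    """Constructed rule: blocked connection whose SI category is 'Malware'.

    Returns True/False when evaluable, and None when the event class
    structurally lacks Action or Security Intelligence Category (NetFlow,
    end-logged or summary events). Reporting None as a plain "no match"
    would hide every such connection from the analyst.
    """
    needed = {"Action", "Security Intelligence Category"}
    if not needed <= expected_fields(rec["detection"], rec["logging"],
                                     rec["type"]):
        return None
    return (rec.get("Action") == "Block"
            and rec.get("Security Intelligence Category") == "Malware")


# Constructed sample records (RFC 1918 / RFC 5737 addresses, made-up values).
SAMPLE_RECORDS = [
    "detection=FireSIGHT;logging=Start;type=Single;First Packet=2014-06-01 10:00:00;"
    "Action=Block;Security Intelligence Category=Malware;Initiator IP=10.0.0.5;"
    "Initiator Country=US;Initiator User=alice;Responder IP=203.0.113.9;"
    "Responder Country=NL;Ingress Security Zone=inside",
    "detection=NetFlow;logging=End;type=Single;First Packet=2014-06-01 10:00:02;"
    "Last Packet=2014-06-01 10:00:09;Initiator IP=10.0.0.7;Responder IP=198.51.100.3",
    "detection=FireSIGHT;logging=End;type=Summary;Time=2014-06-01 10:00:00;"
    "Initiator IP=10.0.0.5;Initiator Country=US;Initiator User=alice;"
    "Responder IP=203.0.113.9;Responder Country=NL;Ingress Security Zone=inside",
]


def audit_samples():
    """Run audit() and the rule over SAMPLE_RECORDS; one dict per record."""
    results = []
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        summary = audit(rec)
        summary["rule"] = rule_blocked_malware(rec)
        results.append(summary)
    return results


if __name__ == "__main__":
    for i, r in enumerate(audit_samples(), 1):
        print(f"record {i}: rule={r['rule']} "
              f"structural={sorted(r['missing_structural'])} "
              f"possible={sorted(r['missing_possible'])}")
```

Running the block prints, for the three constructed records, a True for the FireSIGHT start-of-connection event and None for the NetFlow and summary events; the second and third are the cases a rule author has to decide what to do with, for example routing them to a separate "not evaluable" bucket or correlating them with the start-of-connection event for the same flow rather than counting them as clean.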