FireSIGHT System User Guide
Chapter 16      Working with Connection & Security Intelligence Data

Understanding Connection Data
License: Any
For networks monitored by managed devices, you can configure and apply access control policies to log connection events when:

  • network traffic is blacklisted or monitored by Security Intelligence; this also creates Security Intelligence events
  • network traffic meets the conditions of a non-Monitor access control rule
  • network traffic is handled by an access control policy’s default action
  • network traffic meets the conditions of at least one Monitor rule (automatically enabled)
  • an intrusion policy associated with an access control rule generates an event (automatically enabled)
  • a file policy associated with an access control rule detects or blocks a file, or discovers or blocks malware (automatically enabled)
Tying connection logging to individual access control rules, policies, and configurations gives you 
granular control over the connections you want to log.
Note that because NetFlow data collection is not linked to access control rules, you do not have granular control over which NetFlow connections you want to log. Cisco managed devices detect records exported by NetFlow-enabled devices, generate unidirectional end-of-connection events based on the data in those records, and finally send those events to the Defense Center to be logged in the database. You cannot send NetFlow events to the system log or an SNMP trap server. NetFlow-logged connections cannot have a Security Intelligence Category field value, so they do not appear as Security Intelligence events.
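As an added illustration (not Cisco code, configuration, or a product feature), the following Python model encodes the logging triggers listed above together with the NetFlow restrictions in this paragraph, so that you can check what a given handling outcome produces: whether a connection event is logged, whether a Security Intelligence event is created as well, and where the event may be sent. The handling-source labels, field names and sample scenarios are constructed for this example and are not product identifiers.

```python
"""Illustrative model of when the FireSIGHT System logs a connection event.

Added example, not Cisco code or configuration. It encodes the logging
triggers and NetFlow restrictions described in "Understanding Connection
Data" so their interaction can be checked. The source labels, field names
and sample records are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

# How a connection was handled (constructed labels, not product identifiers)
SI_BLACKLIST = "si_blacklist"      # blacklisted by Security Intelligence
SI_MONITOR = "si_monitor"          # blacklist set to monitor-only
ACCESS_RULE = "access_rule"        # matched a non-Monitor access control rule
DEFAULT_ACTION = "default_action"  # handled by the policy default action
MONITOR_RULE = "monitor_rule"      # matched at least one Monitor rule
NETFLOW = "netflow"                # built from a NetFlow record, not from monitored traffic

DATABASE, SYSLOG, SNMP = "database", "syslog", "snmp"


@dataclass
class Handling:
    source: str
    logging_enabled: bool = False         # logging configured for this rule / action / SI setting
    intrusion_event: bool = False         # an associated intrusion policy generated an event
    file_or_malware_event: bool = False   # an associated file policy detected/blocked a file or malware
    requested_exports: Set[str] = field(default_factory=lambda: {DATABASE})


@dataclass
class Outcome:
    connection_event: bool
    security_intelligence_event: bool
    exports: Set[str]


def decide(h: Handling) -> Outcome:
    """Apply the guide's logging rules to one handled connection."""
    # Configurable triggers: SI blacklist/monitor, non-Monitor rule, default action.
    logged = h.source in (SI_BLACKLIST, SI_MONITOR, ACCESS_RULE, DEFAULT_ACTION) and h.logging_enabled
    # Automatic triggers: Monitor rule match, intrusion event, file/malware event.
    logged = logged or h.source == MONITOR_RULE or h.intrusion_event or h.file_or_malware_event
    # NetFlow records become unidirectional end-of-connection events whenever NetFlow
    # collection is enabled in the discovery policy (modelled here by logging_enabled).
    if h.source == NETFLOW:
        logged = h.logging_enabled

    # Security Intelligence events accompany logged SI-blacklisted or SI-monitored
    # connections; NetFlow connections carry no SI category and never qualify.
    si_event = logged and h.source in (SI_BLACKLIST, SI_MONITOR)

    exports = set(h.requested_exports) if logged else set()
    if h.source == NETFLOW:
        exports &= {DATABASE}  # NetFlow events cannot go to syslog or an SNMP trap server

    return Outcome(connection_event=logged, security_intelligence_event=si_event, exports=exports)


def sample_outcomes() -> Dict[str, Outcome]:
    """Constructed scenarios that exercise each trigger and the NetFlow limits."""
    return {
        "rule_no_logging": decide(Handling(ACCESS_RULE)),
        "rule_with_ips_event": decide(Handling(ACCESS_RULE, intrusion_event=True)),
        "default_action_logged": decide(Handling(DEFAULT_ACTION, logging_enabled=True)),
        "si_blacklist": decide(Handling(SI_BLACKLIST, logging_enabled=True,
                                        requested_exports={DATABASE, SYSLOG})),
        "monitor_rule": decide(Handling(MONITOR_RULE)),
        "netflow_to_syslog": decide(Handling(NETFLOW, logging_enabled=True,
                                             requested_exports={DATABASE, SYSLOG, SNMP})),
    }


if __name__ == "__main__":
    for name, outcome in sample_outcomes().items():
        print(f"{name:24s} {outcome}")
```

Running the module prints one line per scenario; the NetFlow case shows the syslog and SNMP destinations dropped and no Security Intelligence event, while the intrusion-event case shows a connection logged even though the rule itself has logging disabled.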
For more information on connection logging, see the following sections:
  •  explains how to log traffic that meets the conditions of an access control rule, and also contains general guidance on when and how to log those connections. This section also explains how connection logging is affected by the rule action, and how connection data logging relates to intrusion, file, and malware event logging.
  •  explains how to use the Security Intelligence feature to log the decision to deny (blacklist) or inspect (blacklist set to monitor-only) connections.
  •  explains how to log connections handled by an access control policy’s default action.
  •  provides more information on NetFlow, and compares NetFlow connection events with connection events based on traffic monitored by the FireSIGHT System.
  •  explains how to create and manage your discovery policy, which is also where you configure NetFlow data collection.
The following table explains the licenses you must have to log connection data.

Table 16-1    License Requirements for Logging Connection Data

To...                                                                   You need this license...
----------------------------------------------------------------------  ------------------------
perform basic connection logging, including NetFlow connection logging  Any
add data to the network map, including host and user data, based on     FireSIGHT
the information in connection logs; view geolocation and IOC
(indications of compromise) information associated with connection
events