Cisco Firepower Management Center 2000
FireSIGHT System User Guide

Chapter 18: Working with Intrusion Events
The FireSIGHT System can help you monitor your network for traffic that could affect the availability, integrity, and confidentiality of a host and its data. By placing managed devices on key network segments, you can examine the packets that traverse your network for malicious activity. The system has several mechanisms it uses to look for the broad range of exploits that attackers have developed.

When the system identifies a possible intrusion, it generates an intrusion event, which is a record of the date, time, the type of exploit, and contextual information about the source of the attack and its target. For packet-based events, a copy of the packet or packets that triggered the event is also recorded. Managed devices transmit their events to the Defense Center, where you can view the aggregated data and gain a greater understanding of the attacks against your network assets.

You can also deploy a managed device as an inline, switched, or routed intrusion system, which allows you to configure the device to drop or replace packets that you know to be harmful.

The FireSIGHT System also provides you with the tools you need to review intrusion events and evaluate whether they are important in the context of your network environment and your security policies. These tools include:

  • an event summary page that gives you an overview of the current activity on your managed devices
  • text-based and graphical reports that you can generate for any time period you choose; you can also design your own reports and configure them to run at scheduled intervals
  • an incident-handling tool that you can use to gather event data related to an attack; you can also add notes to help you track your investigation and response
  • automated alerting that you can configure for SNMP, email, and syslog
  • automated correlation policies that you can use to respond to and remediate specific intrusion events
  • predefined and custom workflows that you can use to drill down through the data to identify the events that you want to investigate further
See the following sections for more information:

  • describes the Intrusion Event Statistics page, which provides you with an overview of the health of the appliance and a summary of the top threats to your network.
  • explains how to generate graphs of intrusion event performance statistics.
  • explains how to generate charts that show event trends over time.
  • describes how to use the web interface to view and investigate your intrusion events.