Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 37 Using Host Profiles
Working with IP Addresses in the Host Profile
Host Type
The type of device that the system detected: host, mobile device, jailbroken mobile device, router,
bridge, NAT device, or load balancer.
The methods the system uses to distinguish network devices include:
– the analysis of Cisco Discovery Protocol (CDP) messages, which can identify network devices and their type (Cisco devices only)
– the detection of the Spanning Tree Protocol (STP), which identifies a device as a switch or bridge
– the detection of multiple hosts using the same MAC address, which identifies the MAC address as belonging to a router
– the detection of TTL value changes from the client side, or TTL values that change more frequently than a typical boot time, which identify NAT devices and load balancers
The methods the system uses to distinguish mobile devices include:
– analysis of user agent strings in HTTP traffic from the mobile device’s mobile browser
– monitoring of HTTP traffic of specific mobile applications
If a device is not identified as a network device or a mobile device, it is categorized as a host.
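As an added illustration (not Cisco's implementation and not part of the original guide), the following Python code applies the STP, shared-MAC, TTL-change and user-agent heuristics described above to a constructed set of passive observations. The threshold MIN_REBOOT_S, the MOBILE_UA_HINTS markers, the tuple layout and all addresses are assumptions made for the example; CDP parsing is left out.

```python
from collections import defaultdict

MIN_REBOOT_S = 120  # assumption: TTL changes closer together than this are not reboots
MOBILE_UA_HINTS = ("iPhone", "Android")  # assumption: simplified user-agent markers

# Constructed observations: (seconds, source MAC, source IP, IP TTL, STP frame?, HTTP User-Agent)
FRAMES = [
    (0, "00:00:5e:00:53:01", "198.51.100.7", 62, False, None),
    (5, "00:00:5e:00:53:01", "203.0.113.20", 118, False, None),
    (10, "00:00:5e:00:53:02", "192.0.2.10", 64, False, None),
    (25, "00:00:5e:00:53:02", "192.0.2.10", 128, False, None),
    (50, "00:00:5e:00:53:03", None, None, True, None),
    (60, "00:00:5e:00:53:04", "192.0.2.44", 64, False, "Mozilla/5.0 (iPhone; CPU iPhone OS)"),
    (70, "00:00:5e:00:53:05", "192.0.2.50", 128, False, None),
    (9000, "00:00:5e:00:53:05", "192.0.2.50", 64, False, None),
]

def classify(frames):
    """Return (mac_types, ip_types) inferred from passive observations."""
    ips_by_mac, stp_macs = defaultdict(set), set()
    ttls_by_ip, uas_by_ip = defaultdict(list), defaultdict(list)
    for ts, mac, ip, ttl, stp, ua in sorted(frames, key=lambda f: f[0]):
        if stp:
            stp_macs.add(mac)          # STP speaker: switch or bridge
        if ip is None:
            continue                   # layer-2-only frame, nothing more to record
        ips_by_mac[mac].add(ip)
        ttls_by_ip[ip].append((ts, ttl))
        if ua:
            uas_by_ip[ip].append(ua)
    mac_types = {m: "switch or bridge" for m in stp_macs}
    for mac, ips in ips_by_mac.items():
        if mac not in mac_types and len(ips) > 1:
            mac_types[mac] = "router"  # several hosts seen behind one MAC
    ip_types = {}
    for ip, seen in ttls_by_ip.items():
        # TTL changing faster than a host could plausibly reboot
        fast_change = any(b[1] != a[1] and b[0] - a[0] < MIN_REBOOT_S
                          for a, b in zip(seen, seen[1:]))
        if fast_change:
            ip_types[ip] = "NAT device or load balancer"
        elif any(h in ua for ua in uas_by_ip[ip] for h in MOBILE_UA_HINTS):
            ip_types[ip] = "mobile device"
        else:
            ip_types[ip] = "host"      # default category, as in the guide
    return mac_types, ip_types
```

In the sample, 192.0.2.50 also changes TTL, but only after 8930 seconds, so it stays a host; 192.0.2.10 changes within 15 seconds and is flagged.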
Last Seen
The date and time that any of a host’s IP addresses was last detected.
Current User
The user most recently logged into this host.
Note that a non-authoritative user logging into a host only registers as the current user on the host
if the existing current user is not an authoritative user. For more information, see
.
View
Links to views of event data, using the default workflow for that event type and constrained to show
events related to the host; where possible, these events include all IP addresses associated with the
host. For more information, see the following sections:
– Content Explorer — for more information, see
– Connection Events — for more information, see
– Discovery Events — for more information, see
– Malware Events — for more information, see
– Intrusion Events by Source — for more information, see
– Intrusion Events by Destination — for more information, see
Working with IP Addresses in the Host Profile
License: FireSIGHT