Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 37: Using Host Profiles
Host Type
The type of device that the system detected: host, mobile device, jailbroken mobile device, router, 
bridge, NAT device, or load balancer. 
The methods the system uses to distinguish network devices include:
  – the analysis of Cisco Discovery Protocol (CDP) messages, which can identify network devices and their type (Cisco devices only)
  – the detection of the Spanning Tree Protocol (STP), which identifies a device as a switch or bridge
  – the detection of multiple hosts using the same MAC address, which identifies the MAC address as belonging to a router
  – the detection of TTL value changes from the client side, or TTL values that change more frequently than a typical boot time, which identify NAT devices and load balancers
The methods the system uses to distinguish mobile devices include:
  – analysis of user agent strings in HTTP traffic from the mobile device’s mobile browser
  – monitoring of HTTP traffic of specific mobile applications
If a device is not identified as a network device or a mobile device, it is categorized as a host.
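The following sketch is an added example, not Cisco's implementation or code from this guide. It applies three of the network-device heuristics listed above (STP, shared MAC address, fast TTL changes) to constructed passive observations. The tuple layout, the 60-second boot-time threshold and the function name are assumptions; CDP parsing and mobile-device detection are left out.

```python
from collections import defaultdict

BOOT_SECONDS = 60  # assumption: no host reboots into another OS faster than this

# Constructed observations: (time in s, source MAC, source IP, IP TTL, protocol)
OBSERVATIONS = [
    (0,   "02:00:00:00:00:01", "10.0.0.5",  64,   "ip"),
    (30,  "02:00:00:00:00:01", "10.0.0.5",  64,   "ip"),
    (1,   "02:00:00:00:00:02", "10.0.1.7",  64,   "ip"),   # several IPs, one MAC
    (2,   "02:00:00:00:00:02", "10.0.2.9",  128,  "ip"),
    (3,   "02:00:00:00:00:03", "10.0.0.9",  64,   "ip"),   # one IP, TTL flips fast
    (8,   "02:00:00:00:00:03", "10.0.0.9",  128,  "ip"),
    (5,   "02:00:00:00:00:04", None,        None, "stp"),  # STP frame seen
    (0,   "02:00:00:00:00:05", "10.0.0.20", 64,   "ip"),   # TTL changes, but slowly
    (900, "02:00:00:00:00:05", "10.0.0.20", 128,  "ip"),
]

def classify(observations, boot_seconds=BOOT_SECONDS):
    """Return ({mac: type}, {ip: type}) using the heuristics in the text."""
    ips_by_mac, seen_by_ip = defaultdict(set), defaultdict(list)
    mac_types, ip_types = {}, {}
    # Process in time order so consecutive TTL readings can be compared.
    for ts, mac, ip, ttl, proto in sorted(observations, key=lambda o: o[0]):
        if proto == "stp":
            mac_types[mac] = "switch or bridge"   # STP speaker
        else:
            ips_by_mac[mac].add(ip)
            seen_by_ip[ip].append((ts, ttl))
    # Several hosts behind one MAC: the MAC belongs to a router.
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1 and mac not in mac_types:
            mac_types[mac] = "router"
    # A TTL change faster than a reboot could explain points to NAT or a
    # load balancer; anything not identified otherwise stays a host.
    for ip, seen in seen_by_ip.items():
        fast_change = any(t2 != t1 and s2 - s1 < boot_seconds
                          for (s1, t1), (s2, t2) in zip(seen, seen[1:]))
        ip_types[ip] = "NAT device or load balancer" if fast_change else "host"
    return mac_types, ip_types

if __name__ == "__main__":
    for table in classify(OBSERVATIONS):
        for key, kind in sorted(table.items()):
            print(f"{key:20} {kind}")
```

The address 10.0.0.20 stays a host because its TTL change is 900 seconds apart, which a reboot into a different operating system could explain.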
Last Seen
The date and time that any of a host’s IP addresses was last detected.
Current User
The user most recently logged into this host. 
Note that a non-authoritative user logging into a host only registers as the current user on the host 
if the existing current user is not an authoritative user. For more information, see 
.
View
Links to views of event data, using the default workflow for that event type and constrained to show 
events related to the host; where possible, these events include all IP addresses associated with the 
host. For more information, see the following sections:
  – Content Explorer — for more information, see 
  – Connection Events — for more information, see 
  – Discovery Events — for more information, see .
  – Malware Events — for more information, see 
  – Intrusion Events by Source — for more information, see .
  – Intrusion Events by Destination — for more information, see .
Working with IP Addresses in the Host Profile
License: FireSIGHT