Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 38 (page 38-1)
Working with Discovery Events
Discovery events alert you to the activity on your network and provide you with the information you need 
to respond appropriately. They are triggered by the changes that your managed devices detect in the 
network segments they monitor. Your network discovery policy specifies the kinds of data the system 
collects, the monitored network segments, and the specific hardware interfaces that your system uses to 
monitor traffic. For more information on network discovery, see 
.
As a simple example of a discovery event, you may have conference rooms or spare work spaces where 
visiting employees attach to your network. You would expect to see New Host events generated on these 
segments on a regular basis, and you would not suspect malicious intent. However, if you see a New Host 
event on a network segment that is locked down, then you can escalate your response accordingly.
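The triage rule in the example above (the same New Host event is routine on a guest segment but worth escalating on a locked-down one) is easy to express as a small filter over exported discovery events. The following is an added illustration, not code from the FireSIGHT User Guide or the product itself; the event records, segment lists and field names are constructed sample data and make no claim about the system's actual export format.

```python
"""Triage of New Host discovery events by network segment.

Added example, not part of the FireSIGHT System User Guide. All event records,
sensor names and address ranges below are constructed; the DiscoveryEvent field
names are assumptions and do not describe the product's own event schema.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: segments where new hosts appear routinely (conference rooms, hot desks).
GUEST_SEGMENTS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("10.20.1.0/24"),
]

# Constructed: locked-down segments where no unplanned host should ever show up.
LOCKED_DOWN_SEGMENTS = [
    ipaddress.ip_network("10.50.0.0/24"),
    ipaddress.ip_network("192.168.100.0/28"),
]


@dataclass(frozen=True)
class DiscoveryEvent:
    event_type: str   # e.g. "New Host", "New TCP Port" (assumed labels)
    host_ip: str
    detected_by: str  # managed device that reported the event (constructed names)
    timestamp: str


# Constructed sample events of the kinds the chapter describes.
SAMPLE_EVENTS = [
    DiscoveryEvent("New Host", "10.20.0.37", "sensor-hq-1", "2015-03-02T09:01:12Z"),
    DiscoveryEvent("New Host", "10.50.0.200", "sensor-dc-1", "2015-03-02T09:03:45Z"),
    DiscoveryEvent("New TCP Port", "10.50.0.10", "sensor-dc-1", "2015-03-02T09:04:01Z"),
    DiscoveryEvent("New Host", "172.16.9.14", "sensor-hq-1", "2015-03-02T09:05:30Z"),
    DiscoveryEvent("New Host", "192.168.100.9", "sensor-dc-1", "2015-03-02T09:06:02Z"),
]


def _in_any(ip, networks):
    """True if the address falls inside any of the given CIDR networks."""
    return any(ip in net for net in networks)


def classify_new_host(event):
    """Return the disposition of a New Host event, or None for other event types.

    'escalate' : host appeared on a locked-down segment
    'expected' : host appeared where visitors normally attach
    'review'   : host appeared on a segment with no stated expectation
    """
    if event.event_type != "New Host":
        return None
    ip = ipaddress.ip_address(event.host_ip)
    if _in_any(ip, LOCKED_DOWN_SEGMENTS):
        return "escalate"
    if _in_any(ip, GUEST_SEGMENTS):
        return "expected"
    return "review"


def triage(events):
    """Group the host addresses of New Host events by disposition."""
    result = {"expected": [], "escalate": [], "review": []}
    for event in events:
        disposition = classify_new_host(event)
        if disposition is not None:
            result[disposition].append(event.host_ip)
    return result


if __name__ == "__main__":
    for disposition, hosts in triage(SAMPLE_EVENTS).items():
        print(f"{disposition:9s} {hosts}")
```

The locked-down check runs before the guest check on purpose: if a range is ever listed in both, the stricter classification wins. Events that are not New Host events pass through untouched so the same loop can sit in front of other per-event-type rules.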
User discovery events provide information about users logged into the hosts on your network. You can 
view events that catalog user activity on the network and drill down to view information on a particular 
user. For example, if you want to see what user is associated with a new host, you can check the host 
profile to find out what users have been detected in traffic going to or from that host. 
Discovery events provide you with much greater depth of insight into the activity on your network and 
with much more granularity than this simple example shows. For each monitored host, you can configure 
the system to detect related application protocols, network protocols, clients, users, and potential 
vulnerabilities. The system can also provide information on vulnerabilities detected by third-party 
scanners that you import onto the Defense Center using the host input feature. Indications of 
compromise (IOC) use intrusion, malware, and other data to identify hosts whose security may be 
compromised. In addition, you can track any changes in host criticality, host attribute, or vulnerability 
settings that users enter via the user interface.
The system provides a set of predefined workflows that you can use to analyze the discovery events that 
your system generates. You can also create custom workflows that display only the information that 
matches your specific needs.
To collect and store network discovery data for analysis, make sure that your network discovery policy 
is configured to discover the appropriate data on the networks and zones where your Cisco-managed 
devices and NetFlow-enabled devices monitor traffic. Any monitored areas you want excluded from discovery 
are also configured in the network discovery policy. Note that an access control policy must be applied to the 
managed device before you can apply a network discovery policy. For more information, see 
For more information, see:
  •
  •
  •