Cisco Cisco Firepower Management Center 4000
38-10
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Working with Discovery and Host Input Events
DHCP: IP Address Reassigned
This event is generated when a host is reusing an IP address; that is, when a host obtains an IP
address formerly used by another physical host due to DHCP IP address assignment.
address formerly used by another physical host due to DHCP IP address assignment.
Hops Change
This event is generated when the system detects a change in the number of network hops between a
host and the device that detects the host.
host and the device that detects the host.
This may happen if the device sees host traffic through different routers and is able to make a better
determination of the host’s location. This may also happen if the device detects an ARP transmission
from the host, indicating that the host is on a local segment.
determination of the host’s location. This may also happen if the device detects an ARP transmission
from the host, indicating that the host is on a local segment.
Host Deleted: Host Limit Reached
This event is generated when the host limit on the Defense Center is exceeded and a monitored host
is deleted from the Defense Center’s network map.
is deleted from the Defense Center’s network map.
Host Dropped: Host Limit Reached
This event is generated when the host limit on the Defense Center is reached and a new host is
dropped. Compare this with the previous event where old hosts are deleted from the network map
when the host limit is reached.
dropped. Compare this with the previous event where old hosts are deleted from the network map
when the host limit is reached.
To drop new hosts when the host limit is reached, go to
Policies > Network Discovery > Advanced
and
set
When Host Limit Reached
to
Drop hosts
. See
for more
information.
Host IOC Set
This event is generated when an IOC (Indications of Compromise) is set for a host and generates an
alert.
alert.
Host Timeout
This event is generated when a host is dropped from the network map because the host has not
produced traffic within the interval defined in the network discovery policy. Note that individual
host IP addresses and MAC addresses time out individually; a host does not disappear from the
network map unless all of its associated addresses have timed out. See
produced traffic within the interval defined in the network discovery policy. Note that individual
host IP addresses and MAC addresses time out individually; a host does not disappear from the
network map unless all of its associated addresses have timed out. See
for information about configuring the host timeout value.
If you change the networks you want to monitor in your network discovery policy, you may want to
manually delete old hosts from the network map so that they do not count against your FireSIGHT
license. For more information, see
manually delete old hosts from the network map so that they do not count against your FireSIGHT
license. For more information, see
.
Host Type Changed to Network Device
This event is generated when the system detects that a detected host is actually a network device.
Identity Conflict
This event is generated when the system detects a new server or operating system identity that
conflicts with a current active identity for that server or operating system.
conflicts with a current active identity for that server or operating system.
If you want to resolve identity conflicts by rescanning the host to obtain newer active identity data,
you can use Identity Conflict events to trigger an Nmap remediation. For more information, see
you can use Identity Conflict events to trigger an Nmap remediation. For more information, see