Cisco Cisco Firepower Management Center 4000
38-27
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Working with Host Attributes
To view host attributes:
Access:
Admin/Any Security Analyst
Step 1
Select
Analysis > Hosts > Host Attributes
.
The first page of the default host attributes workflow appears. To use a different workflow, including a
custom workflow, click
custom workflow, click
(switch workflow)
. For information on specifying a different default workflow, see
.
Tip
If you are using a custom workflow that does not include the table view of host attributes, click
(switch
workflow)
, then select
Attributes
.
Understanding the Host Attributes Table
License:
FireSIGHT
The FireSIGHT System collects information about the hosts it detects and uses that information to build
host profiles. However, there may be additional information about the hosts on your network that you
want to provide to your analysts. You can add notes to a host profile, set the business criticality, or
provide any other information that you choose. Each piece of information is called a host attribute.
host profiles. However, there may be additional information about the hosts on your network that you
want to provide to your analysts. You can add notes to a host profile, set the business criticality, or
provide any other information that you choose. Each piece of information is called a host attribute.
You can use host attributes in host profile qualifications, which constrain the data you collect while
building a traffic profile, and also can limit the conditions under which you want to trigger a correlation
rule.
building a traffic profile, and also can limit the conditions under which you want to trigger a correlation
rule.
Note that the host attributes table does not display hosts identified only by MAC addresses.
For more information on host attributes, see
and
.
Descriptions of the fields in the host attributes table follow.
IP Address
The IP addresses associated with a host.
Current User
The user identity (username) of the currently logged in user on the host.
Note that when a non-authoritative user logs into a host, that login is recorded in the user and host
history. If no authoritative user is associated with the host, a non-authoritative user can be the current
user for the host. However, after an authoritative user logs into the host, only a login by another
authoritative user changes the current user. In addition, when a non-authoritative user is the current
user on a host, that user still cannot be used for user control.
history. If no authoritative user is associated with the host, a non-authoritative user can be the current
user for the host. However, after an authoritative user logs into the host, only a login by another
authoritative user changes the current user. In addition, when a non-authoritative user is the current
user on a host, that user still cannot be used for user control.
Host Criticality
The user-assigned importance of a host to your enterprise. You can use the host criticality in
correlation rules and policies to tailor policy violations and their responses to the importance of a
host involved in an event. You can assign a host criticality of low, medium, high, or none.
correlation rules and policies to tailor policy violations and their responses to the importance of a
host involved in an event. You can assign a host criticality of low, medium, high, or none.
For information on setting a host’s criticality, see
.