Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 38: Working with Discovery Events
Working with Applications
Understanding the Applications Table
License: FireSIGHT
When a monitored host connects to another host, the FireSIGHT System can, in many cases, determine 
what application was used. The system detects various web browsers or servers, email clients or servers, 
instant messengers, peer-to-peer applications, and so on. When the system detects traffic for a known 
client, application protocol, or web application, it logs information about the application and the host 
running it. 
The FireSIGHT System classifies application data into three types: client, web application, and 
application protocol. The applications table provides a list combining all three types of detected 
applications on the appliance. 
Descriptions of the fields in the applications table follow.
Application
The name of the detected application.
IP Address
The IP address associated with the host using the application.
Category
A general classification for the application that describes its most essential function. Each 
application belongs to at least one category.
Tag
Additional information about the application. Applications can have any number of tags, including 
none.
Risk
How likely the application is to be used for purposes that might be against your organization’s 
security policy. An application’s risk can range from Very Low to Very High.
The value shown is the highest of Application Protocol Risk, Client Risk, and Web Application Risk 
detected, when available, in the traffic that triggered the intrusion event.
Business Relevance
The likelihood that the application is used within the context of your organization’s business 
operations, as opposed to recreationally. An application’s business relevance can range from 
Very Low to Very High.
The value shown is the lowest of Application Protocol Business Relevance, Client Business Relevance, 
and Web Application Business Relevance detected, when available, in the traffic that triggered the 
intrusion event.
Current User
The user identity (username) of the user currently logged in to the host. 
Note that when a non-authoritative user logs into a host, that login is recorded in the user and host 
history. If no authoritative user is associated with the host, a non-authoritative user can be the current 
user for the host. However, after an authoritative user logs into the host, only a login by another 
authoritative user changes the current user. In addition, when a non-authoritative user is the current 
user on a host, that user still cannot be used for user control.