Cisco Firepower Management Center 4000

FireSIGHT System User Guide

Chapter 16: Working with Connection & Security Intelligence Data

FireSIGHT System managed devices continuously monitor traffic generated by the hosts on your 
network. You can use the access control feature to generate connection events when network traffic 
matches specific conditions. Connection events contain data about the detected sessions, including 
timestamps, IP addresses, geolocation, applications, and so on. 
If your system is configured to blacklist traffic or monitor blacklisted traffic based on Security 
Intelligence data (Protection license required), you can view Security Intelligence events, which are a 
special kind of connection event that represents the decision to blacklist or monitor. Although similar to 
other connection events, Security Intelligence events are stored and pruned separately, and have their own 
event view, workflows, and Custom Analysis dashboard widget presets. Because Security Intelligence events are a subset of 
connection events, general information about connection events pertains to Security Intelligence events 
as well (unless otherwise noted). For more information on Security Intelligence, see 
 an
Logging connection events to the Defense Center database allows you to take advantage of the analysis, 
reporting, and correlation features in the FireSIGHT System. Optionally, you can send most connection 
events to the syslog or an SNMP trap server. 
To supplement the connection data gathered by your managed devices, you can use records generated by 
NetFlow-enabled devices to generate connection events. This is especially useful if you have 
NetFlow-enabled devices deployed on networks that your Cisco managed devices cannot monitor.
To further enhance the geolocation information provided with many connection events, you can 
configure geolocation updates for your system. For more information on geolocation, see 