Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 16-3
Chapter 16      Working with Connection & Security Intelligence Data
Understanding Connection Data
The following sections provide additional details on the kinds of information available about detected 
connections, as well as how you log, aggregate, and use connection data as part of your analysis:
Understanding Connection Summaries
License: Any
The FireSIGHT System aggregates connection data collected over five-minute intervals into connection 
summaries, which the system uses to generate connection graphs and traffic profiles. Optionally, you can 
create custom workflows based on connection summary data, which you use in the same way as you use 
workflows based on individual connection events. 
Note that there are no connection summaries specifically for Security Intelligence events, although 
corresponding end-of-connection events can be aggregated into connection summary data.
To be aggregated, multiple connections must:
  • represent the end of connections
  • have the same source and destination IP addresses, and use the same port on the responder (destination) host
  • use the same protocol (TCP or UDP)
  • use the same application protocol
  • either be detected by the same Cisco managed device, or be exported by the same NetFlow-enabled device
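The aggregation rule above, modelled as a short Python script. This is an added illustration and not code from the FireSIGHT guide or from Cisco: the event field names (initiator_ip, responder_port, app_protocol, device, sec_intel, and so on) and the sample events are constructed for the example and do not reproduce the real connection event schema. It shows which fields form the summary key, that the initiator's ephemeral port and any Security Intelligence marking are not part of it, and that beginning-of-connection records are left out.

```python
"""Added example: five-minute connection-summary aggregation as described
in the FireSIGHT guide. This is illustrative code, not part of the guide
or of any Cisco product; field names and sample events are constructed."""
from collections import defaultdict
from dataclasses import dataclass

INTERVAL = 300  # five-minute summary interval, in seconds


@dataclass(frozen=True)
class SummaryKey:
    """The fields that must match for end-of-connection events to merge."""
    interval_start: int   # epoch seconds, aligned down to INTERVAL
    initiator_ip: str     # source host
    responder_ip: str     # destination host
    responder_port: int   # port on the responder only; initiator port is ignored
    protocol: str         # "TCP" or "UDP"
    app_protocol: str     # application protocol the system identified
    device: str           # managed device that detected it, or NetFlow exporter


def summary_key(ev):
    """Derive the aggregation key. The initiator (ephemeral) port and any
    Security Intelligence marking are deliberately not part of the key, so
    client connections with different source ports merge and SI-matched
    end-of-connection events fold into the same summary."""
    return SummaryKey(
        interval_start=ev["ts"] - ev["ts"] % INTERVAL,
        initiator_ip=ev["initiator_ip"],
        responder_ip=ev["responder_ip"],
        responder_port=ev["responder_port"],
        protocol=ev["protocol"],
        app_protocol=ev["app_protocol"],
        device=ev["device"],
    )


def summarize(events):
    """Aggregate only end-of-connection events; beginning-of-connection
    records carry no final byte counts and are skipped."""
    summaries = defaultdict(
        lambda: {"connections": 0, "initiator_bytes": 0, "responder_bytes": 0}
    )
    for ev in events:
        if ev["type"] != "end":
            continue
        s = summaries[summary_key(ev)]
        s["connections"] += 1
        s["initiator_bytes"] += ev["initiator_bytes"]
        s["responder_bytes"] += ev["responder_bytes"]
    return dict(summaries)


def _ev(ts, type_, src_port, **over):
    """Build a constructed sample event (hypothetical field names)."""
    ev = {
        "ts": ts, "type": type_, "initiator_ip": "10.0.0.5",
        "initiator_port": src_port, "responder_ip": "192.0.2.10",
        "responder_port": 443, "protocol": "TCP", "app_protocol": "HTTPS",
        "device": "sensor1", "sec_intel": False,
        "initiator_bytes": 0, "responder_bytes": 0,
    }
    ev.update(over)
    return ev


# Constructed sample data: three HTTPS connections from one client in the
# 900-1199 s bucket (one of them SI-matched), a beginning-of-connection
# record, one connection in the next bucket, a DNS query, and the same
# HTTPS tuple seen by a second device.
SAMPLE_EVENTS = [
    _ev(1000, "begin", 51000),
    _ev(1000, "end", 51000, initiator_bytes=500, responder_bytes=4000),
    _ev(1050, "end", 51001, initiator_bytes=600, responder_bytes=5000),
    _ev(1100, "end", 51002, initiator_bytes=700, responder_bytes=6000,
        sec_intel=True),
    _ev(1300, "end", 51003, initiator_bytes=400, responder_bytes=3000),
    _ev(1020, "end", 40000, responder_ip="192.0.2.53", responder_port=53,
        protocol="UDP", app_protocol="DNS",
        initiator_bytes=60, responder_bytes=120),
    _ev(1030, "end", 51004, device="sensor2",
        initiator_bytes=300, responder_bytes=2000),
]

if __name__ == "__main__":
    for key, totals in sorted(summarize(SAMPLE_EVENTS).items(),
                              key=lambda kv: kv[0].interval_start):
        print(key, totals)
```

Running the script yields four summaries from seven events: the three client connections to 192.0.2.10:443 in the first interval collapse into one row (3 connections, 1800 initiator bytes, 15000 responder bytes) even though their source ports differ and one was Security Intelligence matched; the connection in the next interval, the DNS query, and the tuple seen by sensor2 each stay separate, and the beginning-of-connection record is not counted at all.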
Table 16-1      License Requirements for Logging Connection Data (continued)

To...                                                                   You need this license...

log connections:                                                        Protection
  • that represent Security Intelligence filtering decisions (which
    includes all Security Intelligence events)
  • in an access control rule that performs intrusion detection and
    prevention
  • in an access control rule that performs file control, but not
    advanced malware protection

log connections in an access control rule that performs advanced        Malware
malware protection

log connections in an access control rule that performs application     Control
or user control

log connections in an access control rule with URL conditions that      URL Filtering
use URL category and reputation data

display URL category and URL reputation information for URLs            URL Filtering
requested by monitored hosts