Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 16: Working with Connection & Security Intelligence Data
Understanding Connection Data
– Default Action indicates the connection was handled by the default action.
– For Security Intelligence-monitored connections, the action is that of the first non-Monitor
access control rule triggered by the connection, or the default action. Similarly, because traffic
matching a Monitor rule is always handled by a subsequent rule or by the default action, the
action associated with a connection logged due to a monitor rule is never Monitor.
Application Protocol
The application protocol, which represents communications between hosts, detected in the 
connection.
Application Risk
The risk associated with the application traffic detected in the connection: Very High, High,
Medium, Low, or Very Low. Each type of application detected in the connection has an associated
risk; this field displays the highest of those. For more information, see the table.
Business Relevance
The business relevance associated with the application traffic detected in the connection:
Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection
has an associated business relevance; this field displays the lowest (least relevant) of those.
For more information, see the
Category, Tag (Application Protocol, Client, Web Application)
Criteria that characterize the application to help you understand the application's function. For more 
information, see the 
Client and Client Version
The client application and version of that client detected in the connection.
If the system cannot identify the specific client used in the connection, this field displays
client appended to the application protocol name to provide a generic name, for example,
FTP client.
Connections
The number of connections in a connection summary. For long-running connections, that is, 
connections that span multiple connection summary intervals, only the first connection summary 
interval is incremented.
Count
The number of connections that match the information that appears in each row. Note that the
Count field appears only after you apply a constraint that creates two or more identical rows.
Note: If you create a custom workflow and do not add the Count column to a drill-down page, each
connection is listed individually and packets and bytes are not summed.
Device
The managed device that detected the connection or, for connections exported by NetFlow-enabled 
devices, the managed device that processed the NetFlow data.