Cisco Firepower Management Center 4000
16-7
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Understanding Connection Data
Files
The file events, if any, associated with the connection. Instead of a list of files, the Defense Center
displays the view files icon in this field. The number on the icon indicates the number of files
(including malware files) detected or blocked in that connection.
Click the icon to display a pop-up window with a list of the files detected in the connection, as well
as their types and, if applicable, their malware lookup dispositions.
Note that neither the DC500 Defense Center nor Series 2 devices support network-based malware
file detection.
For more information, see
.
First Packet or Last Packet
The date and time the first or last packet of the session was seen.
Ingress Interface or Egress Interface
The ingress or egress interface associated with the connection.
Ingress Security Zone or Egress Security Zone
The ingress or egress security zone associated with the connection.
Initiator Bytes or Responder Bytes
The total number of bytes transmitted by the session initiator or the session responder.
Initiator Country or Responder Country
When a routable IP is detected, the country associated with the host IP address that initiated the
session, or with the session responder. An icon of the country’s flag is displayed, as well as the
country’s ISO 3166-1 alpha-3 country code. Hover your pointer over the flag icon to view the
country’s full name.
Note that the DC500 Defense Center does not support this feature.
Initiator IP or Responder IP
The host IP address (and host name, if DNS resolution is enabled) of the host that initiated the
session, or of the host that responded to it. So that you can identify the blacklisted IP address in a
blacklisted connection, host icons next to blacklisted IP addresses look slightly different.
Initiator Packets or Responder Packets
The total number of packets transmitted by the session initiator or the session responder.
Initiator User
The user logged into the session initiator.
Intrusion Events
The intrusion events, if any, associated with the connection. Instead of a list of events, the Defense
Center displays the view intrusion events icon in this field.
Click the icon to display a pop-up window with a list of intrusion events associated with the
connection, as well as their priority and impact. For more information, see
.