Cisco Firepower Management Center 4000
16-9
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Understanding Connection Data
– Intrusion Monitor indicates that the system detected, but did not block, an exploit in the connection. This occurs when the state of the triggered intrusion rule is set to Generate Events.
Security Context
The metadata identifying the virtual firewall group through which the traffic passed. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
Security Intelligence Category
The name of the blacklisted object that represents or contains the blacklisted IP address in the connection. The Security Intelligence category can be the name of a network object or group, the global blacklist, a custom Security Intelligence list or feed, or one of the categories in the Cisco Intelligence Feed. Note that this field is only populated if the Reason is IP Block or IP Monitor; entries in Security Intelligence event views always display a reason. For more information, see
Note also that neither the DC500 Defense Center nor Series 2 devices support this feature.
Source Device
The IP address of the NetFlow-enabled device that exported the data for the connection. If the connection was detected by a managed device, this field contains a value of FireSIGHT.
Source Port/ICMP Type or Destination Port/ICMP Code
The port, ICMP type, or ICMP code used by the session initiator or session responder.
TCP Flags
The TCP flags detected in the connection.
Time
The ending time of the five-minute interval that the system used to aggregate connections in a connection summary.
URL, URL Category, and URL Reputation
The URL requested by the monitored host during the session and its associated category and reputation, if available.
If the system identifies or blocks an SSL application, the requested URL is in encrypted traffic, so the system identifies the traffic based on an SSL certificate. For SSL applications, therefore, this field indicates the common name contained in the certificate. For more information see
Note that neither the DC500 Defense Center nor Series 2 devices support URL category or reputation data.
Web Application
The web application, which represents the content or requested URL for HTTP traffic detected in the connection.
If the web application does not match the URL for the event, the traffic is probably referred traffic, such as advertisement traffic. If the system detects referred traffic, it stores the referring application (if available) and lists that application as the web application.
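The field rules above (Intrusion Monitor and IP Monitor as detect-but-not-block reasons, Security Intelligence Category populated only for IP Block or IP Monitor, Time as the end of a five-minute summary window, the URL field carrying a certificate common name for SSL applications, and a web application that does not match the URL indicating referred traffic) are the kind of semantics an analyst encodes when triaging exported connection events. The following Python script is an added example, not code from the FireSIGHT System or from Cisco. It assumes a CSV export whose column headers match the field names in this chapter, plus an assumed extra "Application Protocol" column used only to recognise SSL applications; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real data). Column names follow the field
# names described in this chapter; "Application Protocol" is an assumed extra
# column used only to tell SSL applications apart.
SAMPLE_CSV = """\
Time,Reason,Security Intelligence Category,Source Device,Application Protocol,URL,Web Application
2015-03-02 10:05:00,Intrusion Monitor,,FireSIGHT,HTTP,http://example.com/login,Example Site
2015-03-02 10:05:00,IP Block,Malware,FireSIGHT,HTTP,http://bad.example/,
2015-03-02 10:05:00,IP Monitor,global-blacklist,FireSIGHT,HTTPS,mail.example.net,
2015-03-02 10:10:00,,Attackers,10.0.0.5,HTTP,http://example.org/,Example Org
2015-03-02 10:10:00,,,FireSIGHT,HTTP,http://cdn.example.net/ad.js,Adverts Network
2015-03-02 10:10:00,IP Block,,FireSIGHT,HTTP,http://bad.example/,
"""

SUMMARY_INTERVAL = timedelta(minutes=5)
SI_REASONS = {"IP Block", "IP Monitor"}                     # only reasons that carry an SI category
MONITOR_ONLY_REASONS = {"Intrusion Monitor", "IP Monitor"}  # detected, but not blocked
SSL_APP_PROTOCOLS = {"HTTPS", "SSL"}                        # assumption about the column's values


def parse_events(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def summary_interval(row):
    """Time is the END of the five-minute aggregation window; return (start, end)."""
    end = datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S")
    return end - SUMMARY_INTERVAL, end


def url_meaning(row):
    """For SSL applications the URL field holds the certificate common name, not a URL."""
    return "certificate_cn" if row["Application Protocol"] in SSL_APP_PROTOCOLS else "requested_url"


def source_kind(row):
    """'FireSIGHT' means a managed device saw the connection; otherwise a NetFlow exporter did."""
    return "managed_device" if row["Source Device"] == "FireSIGHT" else "netflow_exporter"


def looks_referred(row):
    """Heuristic: a web application whose name shares no word (4+ letters) with the
    requested URL is probably referred traffic, such as an advertising network.
    Only meaningful when the URL field is a real URL, not a certificate common name."""
    app = row["Web Application"]
    if not app or url_meaning(row) != "requested_url":
        return False
    url = row["URL"].lower()
    words = [w for w in app.lower().split() if len(w) >= 4]
    return bool(words) and not any(w in url for w in words)


def triage(rows):
    """Return (row_index, finding, detail) tuples worth an analyst's attention."""
    findings = []
    for i, row in enumerate(rows):
        reason, category = row["Reason"], row["Security Intelligence Category"]
        # The SI category should appear only with an IP Block / IP Monitor reason.
        if category and reason not in SI_REASONS:
            findings.append((i, "unexpected_si_category", f"{category} with reason '{reason}'"))
        elif reason in SI_REASONS and not category:
            findings.append((i, "missing_si_category", reason))
        # Monitor-only reasons mean something was seen and let through: review them.
        if reason in MONITOR_ONLY_REASONS:
            findings.append((i, "monitor_only", reason))
        if looks_referred(row):
            findings.append((i, "probable_referred_traffic", row["Web Application"]))
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_CSV)
    for item in triage(events):
        print(item)
```

The referred-traffic check is deliberately a loose heuristic; it only narrows what a person looks at and is skipped entirely when the URL field is a certificate common name, because a common name and a web application name are not comparable in the same way.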