FireSIGHT System User Guide
 
Chapter 16      Working with Connection & Security Intelligence Data 
  Understanding Connection Data
If the system cannot identify the specific web application in HTTP traffic, this field displays Web Browsing.
Information Available in Connection and Security Intelligence Events
License: feature dependent
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
The information available for any individual connection, connection summary, or Security Intelligence 
event depends on several factors. Security Intelligence events require a Protection license. Note that 
neither the DC500 Defense Center nor Series 2 managed devices support the Security Intelligence 
feature.
Detection Method
With the exception of TCP flags and NetFlow autonomous system, prefix, and TOS data, the 
information available in NetFlow records is more limited than the information generated by 
monitoring network traffic using managed devices. For more information, see the 
 table.
Logging Method
For connections detected directly by managed devices, you can log a connection event at the 
beginning or end of a connection, or both — depending on the access control rule action, default 
action, or Security Intelligence blacklist. NetFlow-based connections are considered 
end-of-connection. 
Beginning-of-connection events do not have information that must be determined by examining 
traffic over the duration of the session (for example, the total amount of data transmitted or the 
timestamp of the last packet in the connection). Beginning-of-connection events are also not 
guaranteed to have information about application or URL traffic in the session.
Associated File and Intrusion Policies
Only connections logged by access control rules with associated file policies contain file 
information. Similarly, you must associate intrusion policies with either access control rules or the 
default action to view intrusion information in the connection log.
Connection Event Type
Connection summaries do not contain all of the information associated with their aggregated 
connections. For example, because client information is not used to aggregate connections into 
connection summaries, summaries do not contain client information.
Keep in mind that connection graphs are based on connection summary data, which use only 
end-of-connection logs. If you logged only beginning-of-connection data, connection graphs and 
connection summary event views contain no data.
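The aggregation behaviour described above, as an added example (not Cisco's code): only end-of-connection events feed the summaries, and the client field is left out of the grouping key, so begin-only logging yields no summary data. The event field names, the summary key and the 5-minute interval are assumptions for illustration.

```python
"""Added example, not from the FireSIGHT guide or Cisco: build connection
summaries the way the guide describes them. Field names, the grouping key
(time bucket, initiator, responder, port, protocol) and BUCKET_SECONDS are
assumptions; the guide states only that client data is not used to aggregate
and that summaries use only end-of-connection logs."""
from collections import defaultdict

# Constructed sample connection events (not real log data).
EVENTS = [
    {"phase": "begin", "time": 1000, "src": "10.0.0.5", "dst": "198.51.100.7",
     "port": 443, "proto": "tcp", "client": "Firefox", "bytes": None},
    {"phase": "end", "time": 1090, "src": "10.0.0.5", "dst": "198.51.100.7",
     "port": 443, "proto": "tcp", "client": "Firefox", "bytes": 5120},
    {"phase": "end", "time": 1150, "src": "10.0.0.5", "dst": "198.51.100.7",
     "port": 443, "proto": "tcp", "client": "Chrome", "bytes": 2048},
    {"phase": "begin", "time": 1200, "src": "10.0.0.9", "dst": "198.51.100.7",
     "port": 80, "proto": "tcp", "client": "curl", "bytes": None},
]

BUCKET_SECONDS = 300  # assumed summary interval


def summarize(events, bucket=BUCKET_SECONDS):
    """Return {key: {"connections": n, "bytes": total}} built only from
    end-of-connection events. The client field is deliberately absent from
    the key, which is why summaries (and graphs) carry no client information."""
    summaries = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for ev in events:
        if ev["phase"] != "end":
            # Begin events lack duration-dependent data (total bytes, last packet).
            continue
        key = (ev["time"] // bucket * bucket, ev["src"], ev["dst"],
               ev["port"], ev["proto"])
        summaries[key]["connections"] += 1
        summaries[key]["bytes"] += ev["bytes"]
    return dict(summaries)


def begin_only(events):
    """Simulate a policy that logs only beginning-of-connection events."""
    return [ev for ev in events if ev["phase"] == "begin"]


if __name__ == "__main__":
    print(summarize(EVENTS))            # one 5-minute summary, 2 connections
    print(summarize(begin_only(EVENTS)))  # {} : graphs would be empty
```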
Traffic Type
The system only reports information present in the traffic. For example, non-HTTP traffic does not 
contain information on URLs or web applications. Or, there could be no user associated with the 
initiator host.