Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 16      Working with Connection & Security Intelligence Data 
  Understanding Connection Data
Table 16-2 Connection and Security Intelligence Data Based on Logging and Detection Methods (continued)

| Field | Detection Method: FireSIGHT | Detection Method: NetFlow | Logging Method: Start | Logging Method: End | Connection Event: Single | Connection Event: Summary |
|---|---|---|---|---|---|---|
| Egress Security Zone | yes | no | yes | yes | yes | yes |
| Source Port/ICMP Code | yes | yes | yes | yes | yes | no |
| Destination Port/ICMP Type | yes | yes | yes | yes | yes | yes |
| Application Protocol | yes | yes | if available | yes | yes | yes |
| Client | yes | no | if available | yes | yes | no |
| Client Version | yes | no | if available | yes | yes | no |
| Web Application | yes | no | if available | yes | yes | no |
| Category, Tag (Application Protocol, Client, Web Application) | yes | no | if available | yes | yes | no |
| Application Risk | yes | no | if available | yes | yes | no |
| Business Relevance | yes | no | if available | yes | yes | no |
| URL | yes | no | if available | yes | yes | no |
| URL Category | yes | no | if available | yes | yes | no |
| URL Reputation | yes | no | if available | yes | yes | no |
| IOC | yes | no | yes | yes | yes | no |
| Intrusion Events | yes | no | no | yes | yes | no |
| Files | yes | no | no | yes | yes | no |
| Access Control Policy | yes | no | yes | yes | yes | no |
| Access Control Rule | yes | no | yes | yes | yes | no |
| Device | yes | yes | yes | yes | yes | yes |
| Ingress Interface | yes | no | yes | yes | yes | yes |
| Egress Interface | yes | no | yes | yes | yes | yes |
| Security Context (ASA only) | yes | no | yes | yes | yes | yes |
| TCP Flags | no | yes | no | yes | yes | no |
| NetFlow Destination/Source Autonomous System | no | yes | no | yes | yes | no |
| NetFlow Destination/Source Prefix | no | yes | no | yes | yes | no |
| NetFlow Destination/Source TOS | no | yes | no | yes | yes | no |
| NetFlow SNMP Input/Output | no | yes | no | yes | yes | no |
| Source Device | yes | yes | FireSIGHT | yes | yes | yes |
| NetBIOS Domain | yes | no | yes | yes | yes | no |
| Initiator Packets | yes | yes | not useful | yes | yes | yes |
| Responder Packets | yes | yes | not useful | yes | yes | yes |
| Initiator Bytes | yes | yes | not useful | yes | yes | yes |
| Responder Bytes | yes | yes | not useful | yes | yes | yes |