Cisco Firepower Management Center 4000, FireSIGHT System User Guide, page 16-26
Chapter 16: Working with Connection & Security Intelligence Data
Working with Connection and Security Intelligence Data Tables
Note that when you constrain connection events on a drill-down page, the packets and bytes from identical events are summed. However, if you are using a custom workflow and did not add a Count column to a drill-down page, the events are listed individually and packets and bytes are not summed.
The following sections contain information on viewing and analyzing connection and Security Intelligence event tables:
• provides detailed instructions on using the event viewer.
• provides information on how to view and interpret geolocation information associated with connection and Security Intelligence events.
• explains how to change the default workflow for viewing connection and Security Intelligence event data.
• and provide details on the data in connection and Security Intelligence events.
• explains how to constrain connection events using Monitor rule criteria.
• explains how to view the files, including malware files, detected or blocked in a connection.
• explains how to view the intrusion events associated with a connection.
Working with Events Associated with Monitor Rules
License: Any
When you view logged connections using the event viewer, the Defense Center displays the access control rule or default action that handled each connection, as well as up to eight Monitor rules matched by each of those connections.
If a connection matched one Monitor rule, the Defense Center displays the name of the rule that handled the connection, followed by the Monitor rule name. If the connection matched more than one Monitor rule, the event viewer displays how many Monitor rules it matched, for example, Default Action + 2 Monitor Rules.
You can constrain connection event views using matched Monitor rules, using either of the following:
• the access control rule or default action that handled the connection
• any individual Monitor rule matched by a connection
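The two behaviours described above, the Access Control Rule field label (handling rule alone, "rule + Monitor rule" for one match, "rule + N Monitor Rules" for several) and the drill-down summing of packets and bytes only when a Count column is present, are easier to reason about with a small model of the data. The following Python is an added example, not code from the FireSIGHT product or this guide; it works on constructed connection events and its field names (initiator_ip, handling_rule, monitor_rules, and so on) are assumptions chosen for illustration, not the product's export schema.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

MAX_MONITOR_RULES = 8  # the guide states up to eight matched Monitor rules are shown


@dataclass(frozen=True)
class ConnectionEvent:
    """One logged connection (field names are illustrative assumptions)."""
    initiator_ip: str
    responder_ip: str
    responder_port: int
    handling_rule: str               # access control rule or default action that handled it
    monitor_rules: Tuple[str, ...]   # Monitor rules the connection also matched
    packet_count: int
    byte_count: int


def access_control_rule_label(event: ConnectionEvent) -> str:
    """Render the Access Control Rule field the way the guide describes it."""
    matched = event.monitor_rules[:MAX_MONITOR_RULES]
    if not matched:
        return event.handling_rule
    if len(matched) == 1:
        return f"{event.handling_rule} + {matched[0]}"
    return f"{event.handling_rule} + {len(matched)} Monitor Rules"


def constrain(events: Sequence[ConnectionEvent],
              handling_rule: Optional[str] = None,
              monitor_rule: Optional[str] = None) -> List[ConnectionEvent]:
    """Constrain by the handling rule/default action and/or by one matched Monitor rule."""
    out = list(events)
    if handling_rule is not None:
        out = [e for e in out if e.handling_rule == handling_rule]
    if monitor_rule is not None:
        out = [e for e in out if monitor_rule in e.monitor_rules]
    return out


def column_value(event: ConnectionEvent, column: str):
    # "access_control_rule" is the rendered label; every other column is a raw field
    if column == "access_control_rule":
        return access_control_rule_label(event)
    return getattr(event, column)


def drill_down(events: Sequence[ConnectionEvent], columns: Sequence[str],
               with_count: bool = True) -> List[dict]:
    """Build drill-down rows. With a Count column, events whose displayed columns are
    identical are merged and their packets/bytes summed; without it, each event is a row."""
    if not with_count:
        return [{**{c: column_value(e, c) for c in columns},
                 "packets": e.packet_count, "bytes": e.byte_count} for e in events]
    rows: Dict[tuple, dict] = {}
    for e in events:
        key = tuple(column_value(e, c) for c in columns)
        row = rows.setdefault(key, {**dict(zip(columns, key)),
                                    "count": 0, "packets": 0, "bytes": 0})
        row["count"] += 1
        row["packets"] += e.packet_count
        row["bytes"] += e.byte_count
    return list(rows.values())


# Constructed sample events (documentation-range addresses, invented rule names).
EVENTS = [
    ConnectionEvent("10.0.0.5", "198.51.100.10", 443, "Allow Web", (), 12, 3400),
    ConnectionEvent("10.0.0.5", "198.51.100.10", 443, "Allow Web", ("Monitor HR",), 20, 5000),
    ConnectionEvent("10.0.0.7", "198.51.100.10", 443, "Default Action",
                    ("Monitor HR", "Monitor Finance"), 8, 1200),
    ConnectionEvent("10.0.0.7", "198.51.100.10", 443, "Default Action",
                    ("Monitor HR", "Monitor Finance"), 4, 600),
    ConnectionEvent("10.0.0.9", "203.0.113.8", 22, "Block SSH", (), 1, 60),
]

COLUMNS = ["initiator_ip", "responder_ip", "access_control_rule"]

if __name__ == "__main__":
    hr = constrain(EVENTS, monitor_rule="Monitor HR")
    for row in drill_down(hr, COLUMNS):
        print(row)
    for row in drill_down(hr, COLUMNS, with_count=False):
        print(row)
```

Constraining on the Monitor rule keeps three of the five events; with the Count column the two identical "Default Action + 2 Monitor Rules" events collapse into one row with summed packets and bytes, while the same constraint without a Count column lists all three rows separately, exactly the distinction the note at the top of this section draws.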
To constrain connection events using Monitor rule matching:
Access: Admin/Any Security Analyst
Step 1 Select Analysis > Connections > Events.
The first page of the default connection data workflow appears.
Step 2 Display the workflow you want to use for your analysis. Make sure the drill-down page or table view you are using shows the Access Control Rule field.
Step 3 How do you want to constrain the events?