Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
• Many IMAP-capable email clients use a single IMAP session, which ends only when the user exits the application. Although long-running connections are logged by the system (see ), files downloaded in the session are not associated with the connection until the session ends.
Note also that neither Series 2 devices nor the DC500 Defense Center support network-based advanced malware protection.
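The IMAP caveat above, as an added example that is not part of the FireSIGHT guide: a small Python correlation over constructed connection and file records (the field names, sample addresses and timestamps are assumptions for this illustration, not the Defense Center's export format) showing that a file seen during a still-open session has no closed connection to attach to until that session ends, while a file carried by a short, already-closed connection is attributed immediately.

```python
"""Added example, not code from the FireSIGHT System User Guide.
Record layouts and sample values below are constructed for illustration;
they are not the Defense Center's event schema."""
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    initiator: str
    responder: str
    responder_port: int
    first_packet: datetime
    last_packet: Optional[datetime]  # None while the session is still open
    app: str


@dataclass(frozen=True)
class FileEvent:
    time: datetime
    initiator: str
    responder: str
    responder_port: int
    sha256: str


def find_connection(f: FileEvent, conns: List[Connection]) -> Optional[Connection]:
    """Pick the connection that carried the file: same initiator/responder/port,
    started no later than the file was seen, and (if already closed) not ended
    before it. For an open session only the start bound can be tested."""
    candidates = [
        c for c in conns
        if (c.initiator, c.responder, c.responder_port)
        == (f.initiator, f.responder, f.responder_port)
        and c.first_packet <= f.time
        and (c.last_packet is None or f.time <= c.last_packet)
    ]
    # Prefer the most recently started matching connection.
    return max(candidates, key=lambda c: c.first_packet, default=None)


def correlate(conns: List[Connection], files: List[FileEvent]) -> Tuple[Dict, List[str], List[str]]:
    """Split file events into three groups: already attributable to a closed
    connection, pending because the carrying session is still open (these do
    not yet appear on the connection's row), and unmatched (no connection)."""
    associated: Dict[tuple, List[str]] = {}
    pending: List[str] = []
    unmatched: List[str] = []
    for f in files:
        c = find_connection(f, conns)
        if c is None:
            unmatched.append(f.sha256)
        elif c.last_packet is None:
            pending.append(f.sha256)
        else:
            key = (c.initiator, c.responder, c.responder_port, c.first_packet)
            associated.setdefault(key, []).append(f.sha256)
    return associated, pending, unmatched


def close_session(c: Connection, at: datetime) -> Connection:
    """Return a copy of an open connection record with its end time filled in,
    i.e. what the record looks like once the client finally exits."""
    return replace(c, last_packet=at)


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: one long-lived IMAP session (still open), one short HTTP
# connection (closed), and a file event with no matching connection at all.
SAMPLE_CONNECTIONS = [
    Connection("10.1.1.5", "192.0.2.20", 143, T("2015-03-02T09:00:00"), None, "IMAP"),
    Connection("10.1.1.5", "198.51.100.7", 80, T("2015-03-02T09:10:00"),
               T("2015-03-02T09:10:40"), "HTTP"),
]
SAMPLE_FILES = [
    FileEvent(T("2015-03-02T09:30:00"), "10.1.1.5", "192.0.2.20", 143, "a" * 64),
    FileEvent(T("2015-03-02T09:10:20"), "10.1.1.5", "198.51.100.7", 80, "b" * 64),
    FileEvent(T("2015-03-02T09:15:00"), "10.1.1.9", "203.0.113.3", 443, "c" * 64),
]

if __name__ == "__main__":
    assoc, pend, unm = correlate(SAMPLE_CONNECTIONS, SAMPLE_FILES)
    print("associated:", assoc)
    print("pending (session still open):", pend)
    print("unmatched:", unm)
    closed = [close_session(SAMPLE_CONNECTIONS[0], T("2015-03-02T17:30:00"))] + SAMPLE_CONNECTIONS[1:]
    print("after IMAP session ends:", correlate(closed, SAMPLE_FILES))
```

The practical consequence for an analyst: a file event carried by an IMAP session that is still open will not be listed on that connection until the client disconnects, so a search on the connection's file fields during the session returns nothing even though the file event itself already exists.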
Viewing Intrusion Events Associated with a Connection
License: Protection
If you associate an intrusion policy with an access control rule or default action, the system can detect exploits in matching traffic. Using the event viewer, you can see the intrusion events, if any, associated with logged connections.
Instead of a list of events, the Defense Center displays the view intrusion events icon ( ) in the Intrusion Events column. Clicking on the icon does not drill down to the next workflow page or constrain connection events. Instead, it displays a pop-up window with a list of the intrusion events associated with the connection, as well as their priority and impact.
In the pop-up window, you can click a listed event’s view icon ( ) to view details in the packet view. You can also click View Intrusion Events to view details on all of the connection’s associated intrusion events.
Tip
To quickly view intrusion events associated with one or more connections, select the connections using the check boxes in the event viewer, then select Intrusion Events from the Jump to drop-down list. You can view the connections associated with intrusion events in a similar way. For more information, see .
When you view associated events, the Defense Center uses your default intrusion events workflow. For more information on intrusion events, see
Searching for Connection and Security Intelligence Data
License: Any
Using the Defense Center’s Search page, you can search for specific connection events, Security Intelligence events (Protection license required; not supported on Series 2 managed devices or DC500 Defense Centers), or connection summaries; display the results in the event viewer; and save your search criteria to reuse later. Custom Analysis dashboard widgets, report templates, and custom user roles can also use saved searches.
Searches delivered with the system, labeled with (Cisco) in the Saved Searches list, serve as examples.
Because connection graphs are based on connection summaries, the same criteria that constrain connection summaries also constrain connection graphs. Fields marked with an asterisk (*) constrain connection graphs and connection summaries, as well as individual connection or Security Intelligence events.
If you search connection summaries using invalid search constraints and view your results using a connection summary page in a custom workflow, the invalid constraints are labeled as not applicable (N/A) and are marked with a strikethrough, as shown in the following graphic.