FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Searching for Connection and Security Intelligence Data
• Many IMAP-capable email clients use a single IMAP session, which ends only when the user exits the application. Although long-running connections are logged by the system (see ), files downloaded in the session are not associated with the connection until the session ends.
Note also that neither Series 2 devices nor the DC500 Defense Center support network-based advanced malware protection.
Viewing Intrusion Events Associated with a Connection
License: Protection
If you associate an intrusion policy with an access control rule or default action, the system can detect exploits in matching traffic. Using the event viewer, you can see the intrusion events, if any, associated with logged connections.
Instead of a list of events, the Defense Center displays the view intrusion events icon in the Intrusion Events column. Clicking the icon does not drill down to the next workflow page or constrain connection events. Instead, it displays a pop-up window listing the intrusion events associated with the connection, along with their priority and impact.
In the pop-up window, you can click a listed event's view icon to view its details in the packet view. You can also click View Intrusion Events to view details on all of the connection's associated intrusion events.
Tip: To quickly view intrusion events associated with one or more connections, select the connections using the check boxes in the event viewer, then select Intrusion Events from the Jump to drop-down list. You can view the connections associated with intrusion events in a similar way. For more information, see .
When you view associated events, the Defense Center uses your default intrusion events workflow. For more information on intrusion events, see
Searching for Connection and Security Intelligence Data
License: Any
Using the Defense Center's Search page, you can search for specific connection events, Security Intelligence events (Protection license required; not supported on Series 2 managed devices or DC500 Defense Centers), or connection summaries; display the results in the event viewer; and save your search criteria to reuse later. Custom Analysis dashboard widgets, report templates, and custom user roles can also use saved searches.
Searches delivered with the system, labeled with (Cisco) in the Saved Searches list, serve as examples.
Because connection graphs are based on connection summaries, the same criteria that constrain connection summaries also constrain connection graphs. Fields marked with an asterisk (*) constrain connection graphs and connection summaries, as well as individual connection or Security Intelligence events.
If you search connection summaries using invalid search constraints and view your results using a connection summary page in a custom workflow, the invalid constraints are labeled as not applicable (N/A) and are marked with a strikethrough, as shown in the following graphic.
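As an added illustration of the constraint rules above (example code, not Cisco's; the set of asterisked fields and the summary rows are constructed assumptions), the following Python models which constraints a saved search contributes to each view and which ones a summary-based view reports as N/A:

```python
# Added example, not Cisco's code. SUMMARY_FIELDS is a constructed stand-in for
# the asterisked Search page fields; the summary rows below are constructed data.

# Assumption: asterisked fields, which constrain connection summaries and graphs
# as well as individual events. Any other field applies to individual connection
# and Security Intelligence events only.
SUMMARY_FIELDS = {"initiator_ip", "responder_ip", "responder_port", "application_protocol"}

# Graphs are built from summaries, so both views honour exactly the same fields.
SUMMARY_VIEWS = {"connection summary", "connection graph"}


def partition_constraints(search, view):
    """Split a search into (applied, not_applicable) for the chosen view."""
    if view not in SUMMARY_VIEWS:          # event views honour every field
        return dict(search), {}
    applied = {k: v for k, v in search.items() if k in SUMMARY_FIELDS}
    not_applicable = {k: v for k, v in search.items() if k not in SUMMARY_FIELDS}
    return applied, not_applicable


def render_constraints(search, view):
    """Mimic the event viewer: N/A constraints are struck through and labelled."""
    applied, not_applicable = partition_constraints(search, view)
    lines = [f"{k} = {v}" for k, v in applied.items()]
    lines += [f"~~{k} = {v}~~ (N/A)" for k, v in not_applicable.items()]
    return lines


def run_search(records, search, view):
    """Filter records using only the constraints the chosen view can honour."""
    applied, _ = partition_constraints(search, view)
    return [r for r in records if all(r.get(k) == v for k, v in applied.items())]


# Constructed sample connection summaries (aggregated rows, not real data).
SUMMARIES = [
    {"initiator_ip": "10.0.0.5", "responder_port": 443, "application_protocol": "HTTPS", "connections": 42},
    {"initiator_ip": "10.0.0.5", "responder_port": 143, "application_protocol": "IMAP", "connections": 3},
    {"initiator_ip": "10.0.0.9", "responder_port": 443, "application_protocol": "HTTPS", "connections": 7},
]
# A saved search mixing an asterisked field with an event-only field ("user").
SAVED_SEARCH = {"initiator_ip": "10.0.0.5", "user": "alice"}

if __name__ == "__main__":
    print("\n".join(render_constraints(SAVED_SEARCH, "connection summary")))
    hits = run_search(SUMMARIES, SAVED_SEARCH, "connection summary")
    print(f"{len(hits)} summaries matched; the user constraint was silently dropped")
```

The practical consequence is that a saved search reused in a summary-based widget or report can return more rows than the same search on an event page, because its event-only constraints are dropped rather than applied.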