FireSIGHT System User Guide
Chapter 18      Working with Intrusion Events
Viewing Intrusion Events
The following list describes the information that an intrusion event contains. Note that some fields in the table view of intrusion events are disabled by default. To enable a field for the duration of your session, click the expand arrow to expand the search constraints, then click the column name under Disabled Columns.
Time
The date and time of the event.
Priority
The event priority as determined by the Cisco VRT.
Impact
The impact level in this field indicates the correlation between intrusion data, network discovery data, and vulnerability information. For more information, see
Note that because there is no operating system information available for hosts added to the network map based on NetFlow data, the Defense Center cannot assign Vulnerable (impact level 1: red) impact levels for intrusion events involving those hosts, unless you use the host input feature to manually set the host operating system identity.
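The correlation behind the Impact field, as an added worked example (illustration code, not Cisco's own implementation): an intrusion event is matched against the network map, and the result depends on whether the target host is known, whether the attacked port is open, and whether a vulnerability is mapped to the host's OS identity. Level 1 (Vulnerable, red) and the NetFlow caveat are taken from the page; the remaining levels (0 gray, 2 orange, 3 yellow, 4 blue) follow the standard FireSIGHT impact scheme as assumed here. The hosts, the monitored network, the event and the OS-to-vulnerability lookup are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set

# Constructed lookup: vulnerabilities the system would attribute to an OS identity.
# FireSIGHT derives this from its vulnerability database and fingerprints; the
# entries here are invented for the example.
OS_VULNS: Dict[str, Set[str]] = {
    "Windows Server 2008": {"CVE-2008-4250"},
    "Linux 2.6": set(),
}

MONITORED = [ip_network("10.0.0.0/8")]   # assumed monitored network

IMPACT_LABEL = {
    0: "Unknown (gray)",
    1: "Vulnerable (red)",
    2: "Potentially Vulnerable (orange)",
    3: "Currently Not Vulnerable (yellow)",
    4: "Unknown Target (blue)",
}
# Severity order used to pick the event-level flag from the per-host results.
SEVERITY = [1, 2, 3, 4, 0]


@dataclass
class Host:
    ip: str
    os: Optional[str] = None            # None: identity unknown (e.g. learned from NetFlow)
    open_ports: Set[int] = field(default_factory=set)
    source: str = "discovery"           # "discovery", "netflow" or "host_input"


@dataclass
class IntrusionEvent:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    cve: Optional[str]                  # vulnerability the triggering rule targets, if any


def host_impact(network_map: Dict[str, Host], ip: str, port: int, cve: Optional[str]) -> int:
    """Impact level contributed by one endpoint of the event."""
    addr = ip_address(ip)
    if not any(addr in net for net in MONITORED):
        return 0                         # not a monitored network: nothing to correlate
    host = network_map.get(ip)
    if host is None:
        return 4                         # monitored, but no entry in the network map
    # Level 1 needs a vulnerability mapped to the host, which in turn needs an OS
    # identity. A NetFlow-only host has os=None, so it can never reach level 1
    # until host input supplies the OS.
    if cve and host.os and cve in OS_VULNS.get(host.os, set()):
        return 1
    if port in host.open_ports:
        return 2                         # port open, but no known vulnerability mapped
    return 3


def event_impact(network_map: Dict[str, Host], event: IntrusionEvent) -> int:
    """Event-level flag: the most severe of the source and destination results."""
    levels = {
        host_impact(network_map, event.src_ip, event.src_port, event.cve),
        host_impact(network_map, event.dst_ip, event.dst_port, event.cve),
    }
    return next(level for level in SEVERITY if level in levels)


def set_os_via_host_input(network_map: Dict[str, Host], ip: str, os_name: str) -> Host:
    """Model the host input feature: manually set the OS identity of a NetFlow host."""
    host = network_map[ip]
    host.os = os_name
    host.source = "host_input"
    return host


# Constructed sample data: one host learned only from NetFlow, one from discovery.
NETWORK_MAP = {
    "10.0.0.5": Host("10.0.0.5", os=None, open_ports={445}, source="netflow"),
    "10.0.0.7": Host("10.0.0.7", os="Linux 2.6", open_ports={22}),
}
SMB_EVENT = IntrusionEvent("203.0.113.9", 51515, "10.0.0.5", 445, "CVE-2008-4250")

if __name__ == "__main__":
    before = event_impact(NETWORK_MAP, SMB_EVENT)
    set_os_via_host_input(NETWORK_MAP, "10.0.0.5", "Windows Server 2008")
    after = event_impact(NETWORK_MAP, SMB_EVENT)
    print(IMPACT_LABEL[before], "->", IMPACT_LABEL[after])
```

Run stand-alone, the SMB event against the NetFlow-learned host comes out as Potentially Vulnerable (orange) even though the rule targets a vulnerability the host has: without an OS identity no vulnerability can be mapped to it, so level 1 is unreachable. After the host input step supplies the OS, the same event is flagged Vulnerable (red).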
Inline Result
One of the following:
  • a black down arrow, indicating that the system dropped the packet that triggered the rule
  • a gray down arrow, indicating that IPS would have dropped the packet if you enabled the Drop when Inline intrusion policy option (in an inline deployment), or if a Drop and Generate rule generated the event while the system was pruning
  • blank, indicating that the triggered rule was not set to Drop and Generate Events
Note that the system does not drop packets in a passive deployment, including when an inline interface is in tap mode, regardless of the rule state or the inline drop behavior of the intrusion policy. For more information, see , and .
Source IP
The IP address used by the sending host.
Source Country
The country of the sending host.
Destination IP
The IP address used by the receiving host.
Destination Country
The country of the receiving host.
Original Client IP
The original client IP address that was extracted from an X-Forwarded-For (XFF), True-Client-IP, or custom-defined HTTP header. To display a value for this field, you must enable the HTTP preprocessor Extract Original Client IP Address option in the network analysis policy. Optionally, in the