Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 18      Working with Intrusion Events 
  Viewing Intrusion Events
Application Protocol
The application protocol, if available, which represents communications between hosts, detected in 
the traffic that triggered the intrusion event. For information on how the FireSIGHT System 
identifies detected application protocols in the Defense Center web interface, see the 
 table.
Client
The client application, if available, which represents software running on the monitored host 
detected in the traffic that triggered the intrusion event.
Web Application
The web application, which represents the content or requested URL for HTTP traffic detected in 
the traffic that triggered the intrusion event.
Note that if the system detects an application protocol of HTTP but cannot detect a specific web 
application, the system supplies a generic web browsing designation here.
IOC
Whether the traffic that triggered the intrusion event also triggered an indication of compromise 
(IOC) for a host involved in the connection. For more information on IOC, see 
.
Category, Tag (Application Protocol, Client, Web Application)
Criteria that characterize an application to help you understand the application's function. For more 
information, see the 
Application Risk
The risk associated with detected applications in the traffic that triggered the intrusion event. Each 
type of application detected in a connection has an associated risk; this field displays the highest 
risk of those. For more information, see the 
 table.
Business Relevance
The business relevance associated with detected applications in the traffic that triggered the 
intrusion event. Each type of application detected in a connection has an associated business 
relevance; this field displays the lowest (least relevant) of those. For more information, see the 
Ingress Security Zone
The ingress security zone of the packet that triggered the event. Only this security zone field is 
populated in a passive deployment. See 
Egress Security Zone
For an inline deployment, the egress security zone of the packet that triggered the event. This 
security zone field is not populated in a passive deployment. See 
.
Device
The managed device where the access control policy was applied. Se
.