Cisco Firepower Management Center 4000

27-31
FireSIGHT System User Guide
 
Chapter 27      Using the FireSIGHT System as a Compliance Tool
  Working with White List Events
When a compliance white list is violated, the system generates a white list event. The fields in the white 
list events table are described in the following table.
Searching for Compliance White List Events
License: FireSIGHT
Table 27-4    Compliance White List Event Fields

Field            Description

Time
    The date and time that the white list event was generated.

IP Address
    The IP address of the non-compliant host.

User
    The identity of any known user logged in to the non-compliant host.

Port
    The port, if any, associated with the event that triggered an application protocol white list violation (a violation that occurred as a result of a non-compliant application protocol). For other types of white list violations, this field is blank.

Description
    A description of how the white list was violated. For example:
        Client "AOL Instant Messenger" is not allowed.
    Violations that involve an application protocol indicate the application protocol name and version, as well as the port and protocol (TCP or UDP) it is using. If you restrict prohibitions to a particular operating system, the description includes the operating system name. For example:
        Server "ssh / 22 TCP ( OpenSSH 3.6.1p2 )" is not allowed on Operating System "Linux Linux 2.4 or 2.6".

Policy
    The name of the correlation policy that was violated, that is, the correlation policy that includes the white list.

White List
    The name of the white list.

Priority
    The priority specified by the policy or white list that triggered the policy violation. For information on setting correlation rule and policy priorities, see  and .

Host Criticality
    The user-assigned host criticality of the host that is out of compliance with the white list: None, Low, Medium, or High. For more information on host criticality, see .

Device
    The name of the managed device that detected the white list violation.

Count
    The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows.