Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide
Chapter 36 Using the Network Map
Working with the Hosts Network Map
The Defense Center gathers data from all security zones where discovery policies are applied (including
zones that process data from NetFlow-enabled devices). If multiple devices detect the same network
asset, the Defense Center combines the information into a composite representation of the asset.
Although you can configure your network discovery policy to add data exported by NetFlow-enabled
devices, the available information about these hosts is limited. For example, there is no operating system
data available for these hosts, unless you provide it using the host input feature. For more information,
see
From any network map, you can view any host’s host profile, which provides a complete view of all the
information collected by the system for that host. The host profile contains general information, such as
the host name, operating system, and all associated IP addresses, as well as more specific information
including detected protocols, applications, indications of compromise, and clients that are running on
the host. The host profile also includes information about the vulnerabilities associated with the host and
its detected assets. For more information on host profiles, see
.
You can delete an item from the network map if you are no longer interested in investigating it. You can
delete hosts and applications from the network map; you can also delete or deactivate vulnerabilities. If
the system detects activity associated with a deleted host, it re-adds the host to the network map.
Similarly, deleted applications are re-added to the applications network map if the system detects a
change in the application (for example, if an Apache web server is upgraded to a new version).
Vulnerabilities are reactivated on specific hosts if the system detects a change that makes the host
vulnerable.
You can also use the network map to deactivate vulnerabilities network-wide, which means that you
deem these hosts, which the system has judged to be vulnerable, to be safe from that particular attack or
exploit.
Tip
If you want to permanently exclude a host or subnet from the network map, modify the network
discovery policy. You may wish to exclude load balancers and NAT devices from monitoring. They may
create excessive and misleading events, filling the database and overloading the Defense Center. See
for more information.
Working with the Hosts Network Map
License: FireSIGHT
Use the hosts network map to view the hosts on your network, organized by subnet in a hierarchical tree,
as well as to drill down to the host profiles for specific hosts. This network map view provides a count
of all unique hosts detected by the system, regardless of whether the hosts have one IP address or
multiple IP addresses.
Although you can configure your network discovery policy to add hosts to the network map based on
data exported by NetFlow-enabled devices, the available information about these hosts is limited. For
example, there is no operating system data available for hosts added to the network map using NetFlow
data, unless you provide it using the host input feature.
By creating a custom topology for your network, you can assign meaningful labels to your subnets, such
as department names, that appear in the hosts network map.
You can also view the hosts network map according to the organization you specified in the custom
topology; see
.