Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide (page 16-3)
Chapter 16 Working with Connection & Security Intelligence Data
Understanding Connection Data
The following sections provide additional details on the kinds of information available about detected
connections, as well as how you log, aggregate, and use connection data as part of your analysis:
Understanding Connection Summaries
License: Any
The FireSIGHT System aggregates connection data collected over five-minute intervals into connection
summaries, which the system uses to generate connection graphs and traffic profiles. Optionally, you can
create custom workflows based on connection summary data, which you use in the same way as you use
workflows based on individual connection events.
Note that there are no connection summaries specifically for Security Intelligence events, although
corresponding end-of-connection events can be aggregated into connection summary data.
To be aggregated, multiple connections must:
• represent the end of connections
• have the same source and destination IP addresses, and use the same port on the responder
  (destination) host
• use the same protocol (TCP or UDP)
• use the same application protocol
• either be detected by the same Cisco managed device, or be exported by the same NetFlow-enabled
  device
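The aggregation rules above, as an added illustration that is not code from the FireSIGHT product: end-of-connection events are folded into five-minute buckets keyed on the exact fields the list names, so an analyst can see which details survive in a summary (connection count, byte totals) and which do not (per-connection timing, start-of-connection events). The event fields, device names and byte counts are constructed for this example, not the product's schema.

```python
from collections import defaultdict
from dataclasses import dataclass

SUMMARY_INTERVAL = 300  # five-minute intervals, as the guide describes


@dataclass
class ConnectionEvent:
    """One logged connection event (constructed fields, not the product schema)."""
    timestamp: int           # epoch seconds when the event was logged
    end_of_connection: bool  # only end-of-connection events are summarised
    src_ip: str
    dst_ip: str
    responder_port: int      # port on the responder (destination) host
    protocol: str            # "TCP" or "UDP"
    app_protocol: str        # application protocol, e.g. "HTTP"
    device: str              # detecting managed device or exporting NetFlow device
    bytes_total: int


def summary_key(ev):
    """The fields that must all match for events to fold into one summary."""
    window = ev.timestamp - (ev.timestamp % SUMMARY_INTERVAL)
    return (window, ev.src_ip, ev.dst_ip, ev.responder_port,
            ev.protocol, ev.app_protocol, ev.device)


def summarize(events):
    """Aggregate end-of-connection events into per-window connection summaries."""
    summaries = defaultdict(lambda: {"connections": 0, "bytes_total": 0})
    for ev in events:
        if not ev.end_of_connection:
            continue  # start-of-connection events never enter a summary
        bucket = summaries[summary_key(ev)]
        bucket["connections"] += 1
        bucket["bytes_total"] += ev.bytes_total
    return dict(summaries)


# Constructed sample: HTTP connections from one host, two of them in the same window.
SAMPLE_EVENTS = [
    ConnectionEvent(1000, True, "10.0.0.5", "192.0.2.10", 80, "TCP", "HTTP", "sensor-1", 1200),
    ConnectionEvent(1100, True, "10.0.0.5", "192.0.2.10", 80, "TCP", "HTTP", "sensor-1", 800),
    ConnectionEvent(1100, False, "10.0.0.5", "192.0.2.10", 80, "TCP", "HTTP", "sensor-1", 0),
    ConnectionEvent(1300, True, "10.0.0.5", "192.0.2.10", 80, "TCP", "HTTP", "sensor-1", 500),
    ConnectionEvent(1100, True, "10.0.0.5", "192.0.2.10", 80, "TCP", "HTTP", "sensor-2", 300),
]

if __name__ == "__main__":
    for key, totals in sorted(summarize(SAMPLE_EVENTS).items()):
        print(key, totals)
```

The two sensor-1 events at 1000 and 1100 share the 900-1199 window and collapse into one summary, while the sensor-2 event stays separate because the detecting device differs.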
Table 16-1 License Requirements for Logging Connection Data (continued)

To...                                                                  You need this license...

log connections:
  • that represent Security Intelligence filtering decisions (which
    includes all Security Intelligence events)
  • in an access control rule that performs intrusion detection and
    prevention
  • in an access control rule that performs file control, but not
    advanced malware protection                                        Protection

log connections in an access control rule that performs advanced
malware protection                                                     Malware

log connections in an access control rule that performs application
or user control                                                        Control

log connections in an access control rule with URL conditions that
use URL category and reputation data                                   URL Filtering

display URL category and URL reputation information for URLs
requested by monitored hosts                                           URL Filtering