Cisco FireSIGHT System User Guide (Firepower Management Center 4000)
Chapter 18: Working with Intrusion Events, page 18-34

Using Impact Levels to Evaluate Events
To use the impact level on the table view to evaluate events:

Access: Admin/Intrusion Admin

Step 1 Select Analysis > Intrusions > Events.
The first page of the default intrusion events workflow appears. For information on specifying a different default workflow, see . If no events appear, you may need to adjust the time range; see .

Step 2 Constrain the event view to show only those events that you want to evaluate. For more information, see .

Step 3 At the top of the page, click Table View of Events.
The table view of events appears. Impact can have any of the values described in Table 18-6.

Step 4 To sort the table by impact level, click Impact.
The events are sorted by impact level.
Table 18-6 Impact Levels
Each entry lists the impact level (vulnerability status), its color, and a description.

Unknown (gray)
    Neither the source nor the destination host is on a network that is monitored by network discovery.

Vulnerable (red)
    Either:
    • the source or the destination host is in the network map, and a vulnerability is mapped to the host
    • the source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software; see  for more information

Potentially Vulnerable (orange)
    Either the source or the destination host is in the network map and one of the following is true:
    • for port-oriented traffic, the port is running a server application protocol
    • for non-port-oriented traffic, the host uses the protocol

Currently Not Vulnerable (yellow)
    Either the source or the destination host is in the network map and one of the following is true:
    • for port-oriented traffic (for example, TCP or UDP), the port is not open
    • for non-port-oriented traffic (for example, ICMP), the host does not use the protocol

Unknown Target (blue)
    Either the source or destination host is on a monitored network, but there is no entry for the host in the network map.
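The following is an added illustration, not FireSIGHT code, of how the rules in Table 18-6 turn an event plus a network map into an impact level, so that an analyst can see why a given event lands in red, orange, yellow, blue or gray before sorting on the Impact column. The `Host`/`NetworkMap` model, the sample hosts and events, the severity ranking used to pick the more severe of the source and destination assessments, and the treatment of an "open" port as one with a detected server application protocol are all assumptions made for this example.

```python
"""Derive an intrusion event's impact level (Table 18-6 rules) from a
constructed network map.  Added example, not FireSIGHT code; the data model,
sample data and combination rule are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Impact levels and their colors from Table 18-6.  The order is the assumed
# severity ranking (most severe first) used to combine the two endpoints.
IMPACT_COLORS = {
    "Vulnerable": "red",
    "Potentially Vulnerable": "orange",
    "Currently Not Vulnerable": "yellow",
    "Unknown Target": "blue",
    "Unknown": "gray",
}
SEVERITY = {name: rank for rank, name in enumerate(IMPACT_COLORS)}

PORT_ORIENTED = {"tcp", "udp"}  # the table's examples of port-oriented traffic


@dataclass
class Host:
    """One network-map entry (assumed model)."""
    ip: str
    # (proto, port) -> server application protocol detected on that open port
    open_ports: dict = field(default_factory=dict)
    # non-port-oriented protocols the host uses, e.g. "icmp"
    protocols: set = field(default_factory=set)
    # vulnerability ids mapped to the host (placeholder ids in the sample data)
    vulnerabilities: set = field(default_factory=set)
    # host potentially compromised by malicious software
    potentially_compromised: bool = False


@dataclass
class NetworkMap:
    monitored: list   # networks monitored by network discovery (CIDR strings)
    hosts: dict       # ip string -> Host

    def is_monitored(self, ip):
        addr = ip_address(ip)
        return any(addr in ip_network(n) for n in self.monitored)


def assess_host(nm, ip, proto, port):
    """Apply the Table 18-6 rules to one endpoint of the event."""
    if not nm.is_monitored(ip):
        return "Unknown"                      # not on a monitored network
    host = nm.hosts.get(ip)
    if host is None:
        return "Unknown Target"               # monitored, but no network-map entry
    if host.vulnerabilities or host.potentially_compromised:
        return "Vulnerable"                   # vulnerability mapped or malware indication
    if proto in PORT_ORIENTED:
        if (proto, port) in host.open_ports:
            return "Potentially Vulnerable"   # port runs a server application protocol
        return "Currently Not Vulnerable"     # port is not open
    if proto in host.protocols:
        return "Potentially Vulnerable"       # host uses the protocol
    return "Currently Not Vulnerable"         # host does not use the protocol


def impact_level(nm, event):
    """Combine both endpoints; the more severe assessment wins (assumption)."""
    src = assess_host(nm, event["src_ip"], event["proto"], event.get("src_port"))
    dst = assess_host(nm, event["dst_ip"], event["proto"], event.get("dst_port"))
    level = min(src, dst, key=SEVERITY.get)
    return level, IMPACT_COLORS[level]


def sort_by_impact(nm, events):
    """Equivalent of Step 4: order events most severe first (stable sort)."""
    return sorted(events, key=lambda e: SEVERITY[impact_level(nm, e)[0]])


# Constructed sample network map: 10.0.0.0/8 is monitored, three hosts are mapped.
NETWORK_MAP = NetworkMap(
    monitored=["10.0.0.0/8"],
    hosts={
        "10.1.1.10": Host("10.1.1.10", open_ports={("tcp", 80): "http"}),
        "10.1.1.20": Host("10.1.1.20", open_ports={("tcp", 22): "ssh"},
                          vulnerabilities={"VULN-PLACEHOLDER-1"}),
        "10.1.1.30": Host("10.1.1.30", protocols={"icmp"}),
    },
)

# Constructed sample events (external source 198.51.100.7 in every case).
SAMPLE_EVENTS = [
    {"id": 1, "src_ip": "198.51.100.7", "dst_ip": "10.1.1.10", "proto": "tcp", "dst_port": 80},
    {"id": 2, "src_ip": "198.51.100.7", "dst_ip": "10.1.1.10", "proto": "tcp", "dst_port": 445},
    {"id": 3, "src_ip": "198.51.100.7", "dst_ip": "10.1.1.20", "proto": "tcp", "dst_port": 22},
    {"id": 4, "src_ip": "198.51.100.7", "dst_ip": "10.1.1.99", "proto": "tcp", "dst_port": 80},
    {"id": 5, "src_ip": "198.51.100.7", "dst_ip": "203.0.113.5", "proto": "tcp", "dst_port": 80},
    {"id": 6, "src_ip": "198.51.100.7", "dst_ip": "10.1.1.30", "proto": "icmp"},
]

if __name__ == "__main__":
    for ev in sort_by_impact(NETWORK_MAP, SAMPLE_EVENTS):
        print(ev["id"], *impact_level(NETWORK_MAP, ev))
```

Running the block lists the sample events in the same order the Impact column sort in Step 4 would produce: the event against the host with a mapped vulnerability first (red), then the two events that hit a running service or a used protocol (orange), then the closed port (yellow), the unmapped host (blue), and finally the event where neither host is on a monitored network (gray).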