Cisco FirePOWER Appliance 7010
FireSIGHT System User Guide
Chapter 16
Working with Connection & Security Intelligence Data
FireSIGHT System managed devices continuously monitor traffic generated by the hosts on your
network. You can use the access control feature to generate connection events when network traffic
matches specific conditions. Connection events contain data about the detected sessions, including
timestamps, IP addresses, geolocation, applications, and so on.
If your system is configured to blacklist traffic or monitor blacklisted traffic based on Security
Intelligence data (Protection license required), you can view Security Intelligence events, which are a
special kind of connection event that represents the decision to blacklist or monitor. Security Intelligence
events, although similar, are stored and pruned separately, and have their own event view, workflows,
and Custom Analysis dashboard widget presets. Because Security Intelligence events are a subset of
connection events, general information about connection events pertains to Security Intelligence events
as well (unless otherwise noted). For more information on Security Intelligence, see
and
Logging connection events to the Defense Center database allows you to take advantage of the analysis,
reporting, and correlation features in the FireSIGHT System. Optionally, you can send most connection
events to the syslog or an SNMP trap server.
To supplement the connection data gathered by your managed devices, you can use records generated by
NetFlow-enabled devices to generate connection events. This is especially useful if you have
NetFlow-enabled devices deployed on networks that your Cisco managed devices cannot monitor.
To further enhance the geolocation information provided with many connection events, you can
configure geolocation updates for your system. For more information on geolocation, see