Cisco FirePOWER Appliance 7010
18-21
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Using the Packet View
Step 1
table for more information.
The packet view appears. If you selected more than one event, you can page through the packets by using the page numbers at the bottom of the page.
Viewing Event Information
License: Protection
On the packet view, you can view information about the packet in the Event Information section.
Event
The event message. For rule-based events, this corresponds to the rule message. For other events, this is determined by the decoder or preprocessor.
The ID for the event is appended to the message in the format (GID:SID:Rev). GID is the generator ID of the rules engine, the decoder, or the preprocessor that generated the event. SID is the identifier for the rule, decoder message, or preprocessor message. Rev is the revision number of the rule. For .
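As an added example (not part of the user guide), the following Python splits an event message into its text and the appended (GID:SID:Rev) identifier, tells rule-based events from decoder or preprocessor events, and counts events per (GID, SID) so that a rule revision bump does not split a tally. The generator IDs it recognises (1 and 3 for the rules engine, 116 for the decoder) are well-known Snort values and are an assumption, not something this page states; the sample messages are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# The "(GID:SID:Rev)" suffix that the packet view appends to an event message.
EVENT_ID_RE = re.compile(r"\((\d+):(\d+):(\d+)\)\s*$")

# Assumption: well-known Snort generator IDs, not taken from this page.
RULES_ENGINE_GIDS = {1, 3}  # 1 = text rules, 3 = shared-object rules
GENERATOR_NAMES = {1: "rules engine", 3: "rules engine (shared object)", 116: "decoder"}


@dataclass(frozen=True)
class EventId:
    gid: int
    sid: int
    rev: int
    message: str  # event message with the (GID:SID:Rev) suffix removed

    @property
    def rule_based(self) -> bool:
        return self.gid in RULES_ENGINE_GIDS

    @property
    def generator(self) -> str:
        # Anything that is not the rules engine or the decoder is a preprocessor.
        return GENERATOR_NAMES.get(self.gid, "preprocessor")


def parse_event(line: str) -> Optional[EventId]:
    """Return the parsed event, or None when the line carries no valid id suffix."""
    m = EVENT_ID_RE.search(line)
    if not m:
        return None
    gid, sid, rev = (int(x) for x in m.groups())
    return EventId(gid, sid, rev, line[: m.start()].rstrip())


def summarize(lines: Iterable[str]) -> Counter:
    """Count events per (GID, SID); Rev is ignored so rule updates do not split counts."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            counts[(ev.gid, ev.sid)] += 1
    return counts


# Constructed sample messages in the packet-view format (not real FireSIGHT output).
SAMPLE_EVENTS = [
    "EXAMPLE-RULE Sample rule message (1:1000001:2)",
    "EXAMPLE-RULE Sample rule message (1:1000001:3)",
    "(snort_decoder) WARNING: constructed decoder message (116:150:1)",
    "HTTP Inspect: constructed preprocessor message (119:15:1)",
    "malformed line with no id",
]
```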
Timestamp
The time that the packet was captured.
Classification
The event classification. For rule-based events, this corresponds to the rule classification. For other events, this is determined by the decoder or preprocessor.
Priority
The event priority. For rule-based events, this corresponds to either the value of the priority keyword or the value for the classtype keyword. For other events, this is determined by the decoder or preprocessor.
Ingress Security Zone
The ingress security zone of the packet that triggered the event. Only this security zone field is populated in a passive deployment. See .
Egress Security Zone
For an inline deployment, the egress security zone of the packet that triggered the event. See .
Device
The managed device where the access control policy was applied. See .
Security Context
The metadata identifying the virtual firewall group through which the traffic passed. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.