Cisco Cisco FirePOWER Appliance 8390
38-22
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Working with Hosts
– User: user_name
– Application: app_name
– Scanner: scanner_type (Nmap or scanner added through network discovery configuration)
– FireSIGHT, for operating systems detected by the system
The system may reconcile data from multiple sources to determine the identity of an operating system; see
Confidence
One of:
– the percentage of confidence that the system has in the identity of the operating system running on the host, for hosts detected by the system
– 100%, for operating systems identified by an active source, such as the host input feature or Nmap scanner
– unknown, for hosts for which the system cannot determine an operating system identity, and for hosts added to the network map based on NetFlow data
Notes
The user-defined content of the Notes host attribute.
Device
Either:
– the managed device that detected the traffic or
– the device that processed the NetFlow or host input data that added the host to the network map
If this field is blank, either:
– the host was added to the network map by a device that is not explicitly monitoring the network where the host resides, as defined in the network discovery policy, or
– the host was added using the host input feature and has not also been detected by the system
Count
The number of events that match the information that appears in each row. Note that the Count field
appears only after you apply a constraint that creates two or more identical rows.
Creating a Traffic Profile for Selected Hosts
License: FireSIGHT
A traffic profile is a profile of the traffic on your network, based on connection data collected over a
timespan that you specify. After you create a traffic profile, you can detect abnormal network traffic by
evaluating new traffic against your profile, which presumably represents normal network traffic.
You can use the Hosts page to create a traffic profile for a group of hosts that you specify. The traffic
profile will be based on connections detected where one of the hosts you specify is the initiating host.
Use the sort and search features to isolate the hosts for which you want to create a profile.
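The idea behind a traffic profile, sketched as an added example that is not taken from the guide and is not Cisco's implementation: a baseline is built only from connections that the selected hosts initiated during the profiling timespan, and later traffic is compared against it. The metric (hourly connection counts), the threshold of 3 standard deviations, all function names, and the sample addresses are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2024, 1, 1)   # constructed start of the profiling timespan (hour-aligned)
HOST = "10.0.0.5"           # constructed address of the selected host

def sample_connections():
    """Constructed records: (start time, initiator IP, responder IP)."""
    conns = []
    for h in range(24):  # 24 hours of "normal" traffic
        conns += [(T0 + timedelta(hours=h, minutes=m), HOST, "192.0.2.10")
                  for m in range(10 + h % 3)]
        # HOST is only the responder here, so these must not affect its profile.
        conns += [(T0 + timedelta(hours=h, minutes=m), "10.0.0.99", HOST)
                  for m in range(30)]
    conns += [(T0 + timedelta(hours=24, minutes=m), HOST, "192.0.2.10")
              for m in range(12)]  # ordinary hour after profiling
    conns += [(T0 + timedelta(hours=25, minutes=m), HOST, "192.0.2.10")
              for m in range(40)]  # burst of outbound connections
    return conns

def build_profile(connections, hosts, start, end):
    """Baseline of hourly counts for connections initiated by `hosts` in [start, end)."""
    counts = Counter()
    for ts, initiator, _responder in connections:
        if initiator in hosts and start <= ts < end:
            counts[ts.replace(minute=0, second=0, microsecond=0)] += 1
    # Hours with no connections count as 0 so quiet periods shape the baseline too.
    hours = int((end - start) / timedelta(hours=1))
    series = [counts[start + timedelta(hours=h)] for h in range(hours)]
    return {"hosts": set(hosts), "mean": mean(series), "stdev": pstdev(series)}

def is_abnormal(profile, connections, hour_start, threshold=3.0):
    """True when the hosts' initiated-connection count for the hour is far from baseline."""
    hour_end = hour_start + timedelta(hours=1)
    observed = sum(1 for ts, initiator, _ in connections
                   if initiator in profile["hosts"] and hour_start <= ts < hour_end)
    spread = max(profile["stdev"], 1.0)  # floor keeps a flat baseline from flagging noise
    return abs(observed - profile["mean"]) / spread > threshold

if __name__ == "__main__":
    conns = sample_connections()
    profile = build_profile(conns, {HOST}, T0, T0 + timedelta(hours=24))
    for h in (24, 25):
        print(h, is_abnormal(profile, conns, T0 + timedelta(hours=h)))
```
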
To create a traffic profile for selected hosts:
Access: Admin