Cisco FirePOWER Appliance 8130
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Working with Discovery and Host Input Events
Understanding Discovery Event Types
License: FireSIGHT
There are many types of discovery events. For example, the system generates and logs a New Host event
when it detects a new host on your monitored network segment. When you view a table of discovery
events, the event type is listed in the Event column. For more information, see
Contrast discovery events, which are generated when the system detects a change in your monitored
network (such as detecting traffic from a previously undetected host), with host input events, which are
generated when a user takes a specific action (such as manually adding a host). For more information on
host input events, see
.
You can configure the types of discovery events the system logs by modifying your network discovery
policy. By default, the system logs all types of discovery events. For more information, see
If you understand the information the different types of discovery events provide, you can more
effectively determine which events you want to log and alert on, and how to use these alerts in correlation
policies. In addition, knowing the names of the event types can help you craft more effective event
searches. Descriptions of the different types of discovery events follow.
Additional MAC Detected for Host
This event is generated when the system detects a new MAC address for a previously discovered
host.
This event is often generated when the system detects hosts passing traffic through a router. While
each host has a different IP address, they all appear to have the MAC address associated with the
router. When the system detects the actual MAC address associated with the IP address, it displays
the MAC address in bold text within the host profile and displays an “ARP/DHCP detected” message
within the event description in the event view.
Client Timeout
This event is generated when the system drops a client from the database due to inactivity.
Client Update
This event is generated when the system detects a payload (that is, a specific type of content, such
as audio, video, or webmail) in HTTP traffic.
DHCP: IP Address Changed
This event is generated when the system detects that a host IP address has changed due to DHCP
address assignment.