Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Viewing Connection and Security Intelligence Data
Uses for Connection Data in the FireSIGHT System
License: Any
Logging connection data to the Defense Center database allows you to take advantage of many features in the FireSIGHT System, including:
• viewing the Connection Summary dashboard, which provides you with an at-a-glance view of the connections logged by the system; see
• viewing detailed information on the connections logged by the system, which you can display in a graphical or tabular format; see
• creating reports based on the connections logged by the system; see
• using connection data to create and view a profile of your normal network traffic, called a traffic profile; see
• creating correlation rules that trigger and generate correlation events when the system detects certain connection data, or when a traffic profile changes; see
• adding connection trackers to correlation rules, so that after the rule’s initial criteria are met, the system begins tracking certain connections and only generates a correlation event if the tracked connections meet additional criteria; see
Viewing Connection and Security Intelligence Data
License: feature dependent
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
To help you gain in-depth insight into connection data, the system can present connection data both graphically and in a tabular format. The page you see when you access connection data differs depending on the workflow you use. You can use one of the predefined workflows or create a custom workflow that displays only the information that matches your specific needs.
Security Intelligence events require a Protection license and appear in table form only. Security Intelligence data is not supported on Series 2 managed devices or on DC500 Defense Centers. You cannot create data graphs from Security Intelligence events, although their connection event counterparts are viewable in graph form. For interactive graphic views of Security Intelligence data, you can view the Security Intelligence section of the Context Explorer. See
for more information.
Table 16-2 Connection and Security Intelligence Data Based on Logging and Detection Methods (continued)

| Field | Detection Method: FireSIGHT | Detection Method: NetFlow | Logging Method: Start | Logging Method: End | Connection Event: Single | Connection Event: Summary |
|---|---|---|---|---|---|---|
| Connections | yes | yes | no | yes | no | yes |
| Count | yes | yes | yes | yes | yes | no |