Cisco Firepower Management Center 4000
Version 5.3.0.2
Sourcefire 3D System Release Notes
Features Introduced in Previous Versions
AMP Cloud Connectivity
License: Malware, URL Filtering
Supported Defense Centers: Any except DC500
Prior to Version 5.3, the Defense Center had to connect to the Sourcefire cloud
directly, with no proxy in the path, over TCP port 32137.
Version 5.3 introduced proxy support for connecting to the Sourcefire cloud for
malware detection and dynamic analysis, and changed the default connection to
TCP port 443 so that more organizations can reach Sourcefire's advanced malware
intelligence through their existing outbound firewall and proxy rules. Use of
port 32137 is still supported, but is no longer the default.
Note that if you are updating to Version 5.3 from a previous version of the
Sourcefire 3D System, the legacy port 32137 remains enabled by default after the
update. If you want to connect via port 443 instead, deselect the legacy port
checkbox on the Cloud Services page (System > Local > Configuration > Cloud
Services) and make sure your firewall and proxy allow outbound TCP 443 from the
Defense Center to the cloud.
Host and Event Correlation IOC Style (Indications of Compromise)
License: FireSIGHT + Protection or FireAMP subscription
Supported Devices: Feature dependent
Supported Defense Centers: Feature dependent
Host and event correlation introduced the ability to pinpoint the hosts on your
network that may have been compromised by an attack. Host and event
correlation aggregates data from intrusion events, connection events, Security
Intelligence events, and FireAMP events to help you quickly diagnose and contain
security breaches on your network.
This feature introduced Sourcefire-provided Indications of Compromise (IOC)
rules that let you control whether the system generates IOC events for
particular types of compromise and correlates those events with the host
involved. When the system generates an IOC event, it sets an IOC tag on the
affected host. Hosts that accumulate IOC events from the largest number of
distinct detection sources are the ones most likely to be compromised, since
independent detection sources agreeing on the same host is stronger evidence
than many events from a single source. Once you have resolved the breach, you
remove the IOC tags from the host. IOC events and host tags are viewable in the
host profile, network map, Context Explorer, dashboard, and event viewers.
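To make the correlation logic described above concrete, the following is an added example written for this page; it is not Sourcefire or Cisco code and does not reflect the product's real rule names, event schema, or storage. It models a small set of hypothetical IOC rules keyed on detection source, applies them to constructed events from the intrusion, Security Intelligence, and FireAMP sources, tags the affected hosts, and ranks hosts by how many distinct detection sources produced an IOC against them. A disabled rule shows how per-rule control suppresses IOC generation, and `resolve` shows tag removal after the breach is handled.

```python
"""Added example of host and event correlation (IOC tagging and ranking).

Not Sourcefire/Cisco code. Rule names, event fields, and sample events are
constructed for illustration only.
"""
from dataclasses import dataclass, field

# Hypothetical IOC rules: (detection source, condition) -> (IOC category, enabled).
# The enabled flag mirrors the per-rule control the release notes describe.
IOC_RULES = {
    ("intrusion", "impact_1"):        ("Impact 1 Intrusion Event", True),
    ("security_intelligence", "cnc"): ("Security Intelligence CnC Connection", True),
    ("fireamp", "malware_executed"):  ("Malware Executed", True),
    ("fireamp", "malware_detected"):  ("Malware Detected", False),  # disabled rule
}


@dataclass
class Host:
    ip: str
    # IOC category -> set of detection sources that triggered it on this host
    ioc_tags: dict = field(default_factory=dict)

    def unique_sources(self):
        """Distinct detection sources that have tagged this host."""
        return {src for sources in self.ioc_tags.values() for src in sources}


def correlate(events, rules=IOC_RULES):
    """Apply IOC rules to raw events; return tagged hosts and generated IOC events.

    Events that match no rule, or match a disabled rule, generate no IOC event
    and do not tag the host.
    """
    hosts = {}
    ioc_events = []
    for ev in events:
        rule = rules.get((ev["source"], ev["condition"]))
        if rule is None or not rule[1]:
            continue
        category = rule[0]
        host = hosts.setdefault(ev["host"], Host(ev["host"]))
        host.ioc_tags.setdefault(category, set()).add(ev["source"])
        ioc_events.append({"host": ev["host"], "category": category,
                           "source": ev["source"]})
    return hosts, ioc_events


def rank_hosts(hosts):
    """Most likely compromised first: most distinct detection sources, then
    most IOC categories. Two sources agreeing beats many events from one."""
    return sorted(hosts.values(),
                  key=lambda h: (len(h.unique_sources()), len(h.ioc_tags)),
                  reverse=True)


def resolve(host):
    """Clear IOC tags once the breach on this host has been handled."""
    host.ioc_tags.clear()


# Constructed sample events (not real product output).
SAMPLE_EVENTS = [
    {"host": "10.1.1.5", "source": "intrusion", "condition": "impact_1"},
    {"host": "10.1.1.5", "source": "security_intelligence", "condition": "cnc"},
    {"host": "10.1.1.5", "source": "fireamp", "condition": "malware_executed"},
    {"host": "10.1.1.7", "source": "intrusion", "condition": "impact_1"},
    {"host": "10.1.1.7", "source": "intrusion", "condition": "impact_1"},
    {"host": "10.1.1.9", "source": "fireamp", "condition": "malware_detected"},
    {"host": "10.1.1.8", "source": "security_intelligence", "condition": "cnc"},
    {"host": "10.1.1.8", "source": "intrusion", "condition": "impact_1"},
]

if __name__ == "__main__":
    hosts, ioc_events = correlate(SAMPLE_EVENTS)
    for h in rank_hosts(hosts):
        print(h.ip, sorted(h.unique_sources()), sorted(h.ioc_tags))
```

Running it ranks 10.1.1.5 (three independent sources) above 10.1.1.8 (two) and 10.1.1.7 (one source, even though it produced two events); 10.1.1.9 is never tagged because its only match is against the disabled rule.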
Enhanced Security Intelligence Event Storage and Views
License: Protection
Supported Devices: Series 3, Virtual, X-Series
Supported Defense Centers: Any except DC500
If your system is configured to blacklist traffic or monitor blacklisted traffic based
on Security Intelligence data, you can now view Security Intelligence events in
dashboards and in the Context Explorer. Security Intelligence events, although
similar to connection events, are stored and pruned separately and have their own
event view, workflows, and Custom Analysis dashboard widget presets.