Cisco Firepower Management Center 4000
16-5
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Understanding Connection Data
Each connection table view or connection graph contains information about the connections or connection summaries you are viewing, including timestamps, IP addresses, geolocation information, applications, and so on. Security Intelligence event views contain the same general information as connection event views, but list only connections with assigned Security Intelligence Category values.
Because NetFlow-logged connection data cannot have a Security Intelligence Category value, NetFlow data fields are never populated in Security Intelligence events. To view Security Intelligence events, your appliance must have a Protection license. Note that neither the DC500 Defense Center nor Series 2 managed devices support the Security Intelligence feature.
The following list details the connection data logged by the FireSIGHT System. For a discussion of the factors that determine the information logged in any individual connection or Security Intelligence event, see the next section. Note that some data fields are available only if certain license requirements are met; see the table for further information.
Access Control Policy
The access control policy that contains the access control rule or default action that logged the connection.
Access Control Rule
The access control rule or default action that handled the connection, as well as up to eight Monitor rules matched by that connection.
If the connection matched one Monitor rule, the Defense Center displays the name of the rule that handled the connection, followed by the Monitor rule name. If the connection matched more than one Monitor rule, the event viewer displays how many Monitor rules it matched, for example, Default Action + 2 Monitor Rules.
To display a pop-up window with a list of the first eight Monitor rules matched by the connection, click N Monitor Rules.
Action
The action associated with the access control rule or default action that logged the connection:
– Allow represents explicitly allowed and user-bypassed interactively blocked connections.
– Trust represents trusted connections. Note that the system logs TCP connections detected by a trust rule differently depending on the appliance.
On Series 2, virtual appliances, and Sourcefire Software for X-Series, TCP connections detected by a trust rule on the first packet only generate an end-of-connection event. The system generates the event one hour after the final session packet.
On Series 3 appliances, TCP connections detected by a trust rule on the first packet generate different events depending on the presence of a monitor rule. If the monitor rule is active, the system evaluates the packet and generates both a beginning- and end-of-connection event. If no monitor rule is active, the system only generates an end-of-connection event.
– Block and Block with reset represent blocked connections. The system also associates the Block action with connections blacklisted by Security Intelligence, connections where an exploit was detected by an intrusion policy, and connections where a file was blocked by a file policy.
– Interactive Block and Interactive Block with reset mark the beginning-of-connection event that you can log when the system initially blocks a user's HTTP request using an Interactive Block rule. If the user clicks through the warning page that the system displays, any additional connection events you log for the session have an action of Allow.
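The Action semantics above matter when connection events are analyzed outside the event viewer: a Block can stem from an access control rule, a Security Intelligence blacklist, an intrusion policy, or a file policy; an Interactive Block is only the beginning-of-connection event, and the user's click-through shows up as later Allow events for the same session; and Security Intelligence events are simply the connection events that carry a Security Intelligence Category value. The following script, added here as an illustration and not taken from the Cisco guide, applies those rules to a constructed CSV export. The column names (time, action, si_category, initiator, responder, access_control_rule) and the five-minute correlation window are assumptions for the example; a real Defense Center export may use different headers.

```python
"""Classify FireSIGHT connection events by Action, pick out Security
Intelligence events, and correlate Interactive Block click-throughs.

Added example, not Cisco's code. Column names are assumed, not taken from
any real export format.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not a real export). 10.1.1.20 is interactively
# blocked, then clicks through, so the later event for the same pair is Allow.
# 10.1.1.23 is interactively blocked and never clicks through.
SAMPLE_CSV = """\
time,action,si_category,initiator,responder,access_control_rule
2014-03-05 09:00:01,Interactive Block,,10.1.1.20,203.0.113.10,Warn Social Media
2014-03-05 09:00:09,Allow,,10.1.1.20,203.0.113.10,Warn Social Media
2014-03-05 09:00:30,Allow,,10.1.1.21,198.51.100.5,Default Action + 2 Monitor Rules
2014-03-05 09:01:00,Block,Malware,10.1.1.22,192.0.2.77,Default Action
2014-03-05 09:01:15,Interactive Block with reset,,10.1.1.23,203.0.113.11,Warn Social Media
2014-03-05 09:02:00,Trust,,10.1.1.24,198.51.100.9,Trust Backups
"""

BLOCK_ACTIONS = {"Block", "Block with reset"}
INTERACTIVE_ACTIONS = {"Interactive Block", "Interactive Block with reset"}


def parse_events(text):
    """Read the CSV and convert the (assumed) time column to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
    return rows


def security_intelligence_events(events):
    """SI events are the connection events with a Security Intelligence
    Category value; NetFlow-only fields would be empty in these rows."""
    return [e for e in events if e["si_category"]]


def blocked_events(events):
    """Block / Block with reset. Note the action alone does not say whether the
    block came from a rule, an SI blacklist, an intrusion policy or a file
    policy; si_category being set is one available hint."""
    return [e for e in events if e["action"] in BLOCK_ACTIONS]


def click_throughs(events, window=timedelta(minutes=5)):
    """Pair each Interactive Block beginning-of-connection event with the first
    Allow event for the same initiator/responder pair inside `window`.
    Returns a list of (block_event, allow_event)."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_pair[(e["initiator"], e["responder"])].append(e)

    pairs = []
    for pair_events in by_pair.values():
        for i, e in enumerate(pair_events):
            if e["action"] not in INTERACTIVE_ACTIONS:
                continue
            for later in pair_events[i + 1:]:
                if later["time"] - e["time"] > window:
                    break
                if later["action"] == "Allow":
                    pairs.append((e, later))
                    break
    return pairs


def summarize(text=SAMPLE_CSV):
    """Return counts and the initiator/responder pairs of interest."""
    events = parse_events(text)
    clicked = click_throughs(events)
    clicked_pairs = [(b["initiator"], b["responder"]) for b, _ in clicked]
    not_clicked = sorted(
        (e["initiator"], e["responder"])
        for e in events
        if e["action"] in INTERACTIVE_ACTIONS
        and (e["initiator"], e["responder"]) not in clicked_pairs
    )
    return {
        "total": len(events),
        "si_events": len(security_intelligence_events(events)),
        "blocked": len(blocked_events(events)),
        "click_throughs": clicked_pairs,
        "not_clicked_through": not_clicked,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The correlation key here is the initiator/responder pair because the page describes the click-through in terms of "the session"; on a busy network you would add ports and narrow the window to avoid pairing an unrelated later Allow with an earlier warning page.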