Cisco FirePOWER Appliance 8360
16-27
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Working with Connection and Security Intelligence Data Tables
• to constrain on the access control rule or default action that handled the connection, click the rule name or Default Action.
• to constrain on the only Monitor rule that matched a logged connection, click the Monitor rule name.
• to constrain on one of several Monitor rules that matched a logged connection, click an N Monitor Rules value. For example, click 2 Monitor Rules. The Monitor Rules pop-up window for that connection event appears, listing the first eight Monitor rules matched by the connection. Click the Monitor rule name you want to use to constrain connection events.
Your events are constrained. If you were using a drill-down page, the event view advances to the next page in the workflow.
Viewing Files Detected in a Connection
License: Protection or Malware
Supported Devices: feature dependent
Supported Defense Centers: feature dependent
If you associate a file policy with one or more access control rules, the system can detect files (including malware) in matching traffic. Using the event viewer, you can see the file events, if any, associated with the connections logged by those rules.
Instead of a list of files, the Defense Center displays the view files icon in the Files column. The number on the icon indicates the number of files (including malware files) detected or blocked in that connection. Clicking on the icon does not drill down to the next workflow page or constrain connection events. Instead, it displays a pop-up window with a list of the files detected in the connection as well as their types, and if applicable, their malware dispositions.
In the pop-up window, you can click:
• a file’s view icon to view details in a table view of file events
• a malware file’s view icon to view details in a table view of malware events
• a file’s trajectory icon to track the file’s transmission through your network
• View File Events or View Malware Events to view details on all of the connection’s detected file or network-based malware events
Tip
To quickly view file or malware events associated with one or more connections, select the connections using the check boxes in the event viewer, then select Malware Events or File Events from the Jump to drop-down list. You can view the connections used to transmit files in a similar way. For more information, see
When you view associated events, the Defense Center uses your default workflow for that event type.
For more information on file and malware events, see . For more information on using the network file trajectory feature, see .
Note that not all file and malware events are associated with connections, as follows:
• Endpoint-based malware events are not associated with connections. Those events are generated by FireAMP Connectors, instead of by the system inspecting network traffic.