For Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Understanding Connection Data
– Default Action indicates the connection was handled by the default action.
– For Security Intelligence-monitored connections, the action is that of the first non-Monitor
access control rule triggered by the connection, or the default action. Similarly, because traffic
matching a Monitor rule is always handled by a subsequent rule or by the default action, the
action associated with a connection logged due to a monitor rule is never Monitor.
Application Protocol
The application protocol, which represents communications between hosts, detected in the
connection.
Application Risk
The risk associated with the application traffic detected in the connection: Very High, High,
Medium, Low, or Very Low. Each type of application detected in the connection has an associated
risk; this field displays the highest of those. For more information, see the
table.
Business Relevance
The business relevance associated with the application traffic detected in the connection:
Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection
has an associated business relevance; this field displays the lowest (least relevant) of those.
For more information, see the
Category, Tag (Application Protocol, Client, Web Application)
Criteria that characterize the application to help you understand the application's function. For more
information, see the
Client and Client Version
The client application and version of that client detected in the connection.
If the system cannot identify the specific client used in the connection, this field displays
client appended to the application protocol name to provide a generic name, for example,
FTP client.
Connections
The number of connections in a connection summary. For long-running connections, that is,
connections that span multiple connection summary intervals, only the first connection summary
interval is incremented.
Count
The number of connections that match the information that appears in each row. Note that the
Count field appears only after you apply a constraint that creates two or more identical rows.
Note: If you create a custom workflow and do not add the Count column to a drill-down page, each
connection is listed individually and packets and bytes are not summed.
Device
The managed device that detected the connection or, for connections exported by NetFlow-enabled
devices, the managed device that processed the NetFlow data.
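
The following Python sketch is an added illustration, not code from the FireSIGHT System or from Cisco. It models the field semantics described above (Action never being Monitor, highest Application Risk, lowest Business Relevance, the generic client name, and how Count collapses identical rows while summing packets and bytes). All function names, record keys, and sample connections are constructed for the example.

```python
# Added illustration: models the field semantics described on this page.
# Not Cisco code; function names, record keys and sample rows are constructed.

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]  # ascending order


def logged_action(rule_actions, default="Default Action"):
    """First non-Monitor action among triggered rules, else the default action."""
    return next((a for a in rule_actions if a != "Monitor"), default)


def summarize(conn):
    """Derive the displayed fields for one connection record."""
    apps = conn["apps"]  # one (risk, relevance) pair per application detected
    return {
        "Action": logged_action(conn["rule_actions"]),
        "Application Protocol": conn["protocol"],
        # Unidentified client: generic name built from the protocol name.
        "Client": conn.get("client") or f'{conn["protocol"]} client',
        "Application Risk": max((r for r, _ in apps), key=LEVELS.index),
        "Business Relevance": min((b for _, b in apps), key=LEVELS.index),
        "packets": conn["packets"],
        "bytes": conn["bytes"],
    }


def collapse(rows, columns):
    """Merge rows identical on `columns`; add Count and sum packets and bytes."""
    out = {}
    for row in rows:
        key = tuple(row[c] for c in columns)
        agg = out.setdefault(key, dict(zip(columns, key), Count=0, packets=0, bytes=0))
        agg["Count"] += 1
        agg["packets"] += row["packets"]
        agg["bytes"] += row["bytes"]
    return list(out.values())


# Constructed sample connections (not real event data).
SAMPLE = [
    {"rule_actions": ["Monitor", "Allow"], "protocol": "FTP", "client": None,
     "apps": [("Medium", "Low")], "packets": 10, "bytes": 900},
    {"rule_actions": ["Monitor"], "protocol": "HTTP", "client": "Firefox",
     "apps": [("Low", "High"), ("Very High", "Very Low")], "packets": 40, "bytes": 5200},
    {"rule_actions": ["Allow"], "protocol": "FTP", "client": None,
     "apps": [("Medium", "Low")], "packets": 6, "bytes": 300},
]

ROWS = [summarize(c) for c in SAMPLE]
TABLE = collapse(ROWS, ["Action", "Application Protocol", "Client"])
```

When filtering exported connection events, this is why a search for Action equal to Monitor returns nothing, and why a single Very High risk application raises the risk shown for the whole connection.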