Cisco FirePOWER Appliance 8140
16-10
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Understanding Connection Data
If the system cannot identify the specific web application in HTTP traffic, this field displays Web Browsing.
Information Available in Connection and Security Intelligence Events
License: feature dependent
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
The information available for any individual connection, connection summary, or Security Intelligence
event depends on several factors. Security Intelligence events require a Protection license. Note that
neither the DC500 Defense Center nor Series 2 managed devices support the Security Intelligence
feature.
Detection Method
With the exception of TCP flags and NetFlow autonomous system, prefix, and TOS data, the
information available in NetFlow records is more limited than the information generated by
monitoring network traffic using managed devices. For more information, see the
table.
Logging Method
For connections detected directly by managed devices, you can log a connection event at the
beginning or end of a connection, or both — depending on the access control rule action, default
action, or Security Intelligence blacklist. NetFlow-based connections are considered
end-of-connection.
Beginning-of-connection events do not have information that must be determined by examining
traffic over the duration of the session (for example, the total amount of data transmitted or the
timestamp of the last packet in the connection). Beginning-of-connection events are also not
guaranteed to have information about application or URL traffic in the session.
Associated File and Intrusion Policies
Only connections logged by access control rules with associated file policies contain file
information. Similarly, you must associate intrusion policies with either access control rules or the
default action to view intrusion information in the connection log.
Connection Event Type
Connection summaries do not contain all of the information associated with their aggregated
connections. For example, because client information is not used to aggregate connections into
connection summaries, summaries do not contain client information.
Keep in mind that connection graphs are based on connection summary data, which use only
end-of-connection logs. If you logged only beginning-of-connection data, connection graphs and
connection summary event views contain no data.
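As an added illustration of the Logging Method, Detection Method and Connection Event Type points above (example code written for this page, not a FireSIGHT tool, schema or export format), the Python below aggregates constructed connection-event records into connection summaries. It keeps only end-of-connection logs (NetFlow records count as end-of-connection), uses a summary key with no client field, and reports which fields a beginning-of-connection record cannot carry. The record layout, field names and sample values are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Illustrative record layout (an assumption for this example, not the FireSIGHT schema).
@dataclass(frozen=True)
class ConnectionEvent:
    logged_at: str                      # "begin" or "end" of the connection
    detection: str                      # "device" (managed device) or "netflow"
    initiator_ip: str
    responder_ip: str
    responder_port: int
    protocol: str
    client: Optional[str] = None        # only known once the session has been inspected
    web_app: Optional[str] = None       # "Web Browsing" when the specific web app is unknown
    bytes_total: Optional[int] = None   # determinable only at end of connection
    last_packet: Optional[str] = None   # timestamp of the last packet, end of connection only

# Constructed sample events (documentation-range addresses, not real traffic).
SAMPLE_EVENTS: List[ConnectionEvent] = [
    # beginning-of-connection log: session-duration fields are not yet available
    ConnectionEvent("begin", "device", "10.0.0.5", "203.0.113.10", 443, "tcp"),
    # matching end-of-connection log for the same session
    ConnectionEvent("end", "device", "10.0.0.5", "203.0.113.10", 443, "tcp",
                    client="Firefox", web_app="Web Browsing",
                    bytes_total=48210, last_packet="2015-01-01T10:00:12Z"),
    ConnectionEvent("end", "device", "10.0.0.7", "203.0.113.10", 443, "tcp",
                    client="Chrome", web_app="Web Browsing",
                    bytes_total=12000, last_packet="2015-01-01T10:00:40Z"),
    # NetFlow-based record: treated as end-of-connection, carries no client/app data
    ConnectionEvent("end", "netflow", "10.0.0.9", "198.51.100.20", 53, "udp",
                    bytes_total=310, last_packet="2015-01-01T10:01:03Z"),
]

SummaryKey = Tuple[str, int, str]  # (responder_ip, responder_port, protocol); no client field


def fields_not_available(ev: ConnectionEvent) -> List[str]:
    """Names of the optional fields this record does not carry (all of them for a
    beginning-of-connection log, since they depend on inspecting the whole session)."""
    optional = ("client", "web_app", "bytes_total", "last_packet")
    return [name for name in optional if getattr(ev, name) is None]


def summarize(events: List[ConnectionEvent]) -> Dict[SummaryKey, Dict[str, object]]:
    """Aggregate end-of-connection events into connection summaries.

    Beginning-of-connection events are skipped, so logging only the beginning of
    connections yields an empty summary (and therefore empty connection graphs).
    Client information is not part of the aggregation key and is not carried over.
    """
    summaries: Dict[SummaryKey, Dict[str, object]] = defaultdict(
        lambda: {"connections": 0, "bytes_total": 0, "initiators": set()}
    )
    for ev in events:
        if ev.logged_at != "end":
            continue  # summaries use end-of-connection logs only
        key: SummaryKey = (ev.responder_ip, ev.responder_port, ev.protocol)
        entry = summaries[key]
        entry["connections"] += 1
        entry["bytes_total"] += ev.bytes_total or 0
        entry["initiators"].add(ev.initiator_ip)
    return dict(summaries)


if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_EVENTS).items():
        print(key, entry)
    print("begin-only summaries:", summarize([SAMPLE_EVENTS[0]]))
    print("missing in begin event:", fields_not_available(SAMPLE_EVENTS[0]))
```

Because the summary key omits the client, two sessions to the same responder from different browsers collapse into one summary entry, which is exactly why connection summary views cannot show client data; and because only `logged_at == "end"` records are counted, a deployment that logs beginning-of-connection events alone produces no summary rows at all.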
Traffic Type
The system only reports information present in the traffic. For example, non-HTTP traffic does not
contain information on URLs or web applications. Or, there could be no user associated with the
initiator host.