Understanding Connection and Security Intelligence Data Fields
License: feature dependent
Supported Devices: feature dependent
Supported Defense Centers: feature dependent
Each connection table view or connection graph contains information about the connections or connection summaries you are viewing, including timestamps, IP addresses, geolocation information, applications, and so on. Security Intelligence event views contain the same general information as connection event views, but list only connections with assigned Security Intelligence Category values.
Note The information available for any individual connection or Security Intelligence event depends on several factors, including licenses and appliance model. For more information, see License and Model Requirements for Connection Logging.
The following list details the connection data logged by the FireSIGHT System. For a discussion of the factors that determine the information logged in any individual connection or Security Intelligence event, see the next section: Information Available in Connection and Security Intelligence Events.
Access Control Policy
The access control policy that monitored the connection.
Access Control Rule
The access control rule or default action that handled the connection, as well as up to eight Monitor rules matched by that connection.
If the connection matched one Monitor rule, the Defense Center displays the name of the rule that handled the connection, followed by the Monitor rule name. If the connection matched more than one Monitor rule, the event viewer displays how many Monitor rules it matched, for example, Default Action + 2 Monitor Rules.
To display a pop-up window with a list of the first eight Monitor rules matched by the connection, click N Monitor Rules.
Action
The action associated with the access control rule or default action that logged the connection:
– Allow represents explicitly allowed and user-bypassed interactively blocked connections.
– Trust represents trusted connections. Note that the system logs TCP connections detected by a trust rule differently depending on the appliance.
On Series 2, virtual devices, and Cisco NGIPS for Blue Coat X-Series, TCP connections detected by a trust rule on the first packet only generate an end-of-connection event. The system generates the event one hour after the final session packet.
On Series 3 appliances, TCP connections detected by a trust rule on the first packet generate different events depending on the presence of a monitor rule. If the monitor rule is active, the system evaluates the packet and generates both a beginning and end-of-connection event. If no monitor rule is active, the system only generates an end-of-connection event.
– Block and Block with reset represent blocked connections. The system also associates the Block action with connections blacklisted by Security Intelligence, connections blocked by an SSL policy, connections where an exploit was detected by an intrusion policy, and connections where a file was blocked by a file policy.
– Interactive Block and Interactive Block with reset mark the beginning-of-connection event that you can log when the system initially blocks a user’s HTTP request using an Interactive Block rule. If the user clicks through the warning page that the system displays, any additional connection events you log for the session have an action of Allow.
– Default Action indicates the connection was handled by the default action.
– For Security Intelligence-monitored connections, the action is that of the first non-Monitor access control rule triggered by the connection, or the default action. Similarly, because traffic matching a Monitor rule is always handled by a subsequent rule or by the default action, the action associated with a connection logged due to a monitor rule is never Monitor.
Application Protocol
The application protocol, which represents communications between hosts, detected in the connection.
Application Risk
The risk associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated risk; this field displays the highest of those. For more information, see Table 45-2.
Business Relevance
The business relevance associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those. For more information, see Table 45-2.
Category, Tag (Application Protocol, Client, Web Application)
Criteria that characterize the application to help you understand the application's function. For more information, see Table 45-2.
Client and Client Version
The client application and version of that client detected in the connection.
If the system cannot identify the specific client used in the connection, this field displays client appended to the application protocol name to provide a generic name, for example, FTP client.
Connections
The number of connections in a connection summary. For long-running connections, that is, connections that span multiple connection summary intervals, only the first connection summary interval is incremented.
Count
The number of connections that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows.
Note If you create a custom workflow and do not add the Count column to a drill-down page, each connection is listed individually and packets and bytes are not summed.
Device
The managed device that detected the connection or, for connections exported by NetFlow-enabled devices, the managed device that processed the NetFlow data.
Files
The file events, if any, associated with the connection. Instead of a list of files, the Defense Center displays the view files icon in this field. The number on the icon indicates the number of files (including malware files) detected or blocked in that connection.
Click the icon to display a pop-up window with a list of the files detected in the connection, as well as their types and if applicable, their malware lookup dispositions.
Note that neither the DC500 Defense Center nor Series 2 devices support network-based malware file detection.
For more information, see Viewing Files Detected in a Connection.
First Packet or Last Packet
The date and time the first or last packet of the session was seen.
HTTP Referrer
The HTTP referrer, which represents the referrer of a requested URL for HTTP traffic detected in the connection (such as a website that provided a link to, or imported a link from, another URL).
Ingress Interface or Egress Interface
The ingress or egress interface associated with the connection. Note that, if your deployment includes an asynchronous routing configuration, the ingress and egress interface may belong to the same interface set.
Ingress Security Zone or Egress Security Zone
The ingress or egress security zone associated with the connection.
Initiator Bytes or Responder Bytes
The total number of bytes transmitted by the session initiator or the session responder.
Initiator Country or Responder Country
When a routable IP is detected, the country associated with the host IP address that initiated the session, or with the session responder. An icon of the country’s flag is displayed, as well as the country’s ISO 3166-1 alpha-3 country code. Hover your pointer over the flag icon to view the country’s full name.
Note that the DC500 Defense Center does not support this feature.
Initiator IP or Responder IP
The host IP address (and host name, if DNS resolution is enabled) of the session initiator or of the session responder. So that you can identify the blacklisted IP address in a blacklisted connection, host icons next to blacklisted IP addresses look slightly different.
Initiator Packets or Responder Packets
The total number of packets transmitted by the session initiator or the session responder.
Initiator User
The user logged into the session initiator.
Intrusion Events
The intrusion events, if any, associated with the connection. Instead of a list of events, the Defense Center displays the view intrusion events icon in this field.
Click the icon to display a pop-up window with a list of intrusion events associated with the connection, as well as their priority and impact. For more information, see Viewing Intrusion Events Associated with a Connection.
IOC
Whether or not the event triggered an indication of compromise (IOC) against a host involved in the connection. For more information on IOC, see Understanding Indications of Compromise.
NetBIOS Domain
The NetBIOS domain used in the session.
NetFlow Destination/Source Autonomous System
For connections exported by NetFlow-enabled devices, the border gateway protocol autonomous system number for the source or destination of traffic in the connection.
NetFlow Destination/Source Prefix
For connections exported by NetFlow-enabled devices, the source or destination IP address ANDed with the source or destination prefix mask.
NetFlow Destination/Source TOS
For connections exported by NetFlow-enabled devices, the setting for the type-of-service (TOS) byte when connection traffic entered or exited the NetFlow-enabled device.
NetFlow SNMP Input/Output
For connections exported by NetFlow-enabled devices, the interface index for the interface where connection traffic entered or exited the NetFlow-enabled device.
Network Analysis Policy
The network analysis policy (NAP), if any, associated with the generation of the event.
Reason
The reason or reasons the connection was logged, in the following situations:
– User Bypass indicates that the system initially blocked a user’s HTTP request, but the user chose to continue to the originally requested site by clicking through a warning page. A reason of User Bypass is always paired with an action of Allow.
– IP Block indicates that the system denied the connection without inspection, based on Security Intelligence data. A reason of IP Block is always paired with an action of Block.
– IP Monitor indicates that the system would have denied the connection based on Security Intelligence data, but you configured the system to monitor, rather than deny, the connection.
– File Monitor indicates that the system detected a particular type of file in the connection.
– File Block indicates the connection contained a file or malware file that the system prevented from being transmitted. A reason of File Block is always paired with an action of Block.
– File Custom Detection indicates the connection contained a file on the custom detection list that the system prevented from being transmitted.
– File Resume Allow indicates that file transmission was originally blocked by a Block Files or Block Malware file rule. After a new access control policy was applied that allowed the file, the HTTP session automatically resumed. Note that this reason only appears in inline deployments.
– File Resume Block indicates that file transmission was originally allowed by a Detect Files or Malware Cloud Lookup file rule. After a new access control policy was applied that blocked the file, the HTTP session automatically stopped. Note that this reason only appears in inline deployments.
– SSL Block indicates the system blocked an encrypted connection based on the SSL inspection configuration. A reason of SSL Block is always paired with an action of Block.
– Intrusion Block indicates the system blocked or would have blocked an exploit (intrusion policy violation) detected in the connection. A reason of Intrusion Block is paired with an action of Block for blocked exploits and Allow for would-have-blocked exploits.
– Intrusion Monitor indicates the system detected, but did not block, an exploit detected in the connection. This occurs when the state of the triggered intrusion rule is set to Generate Events.
Referenced Host
If the protocol in the connection is DNS, HTTP, or HTTPS, this field displays the host name that the respective protocol was using.
Security Context
The metadata identifying the virtual firewall group through which the traffic passed. Note that the system only populates this field for ASA FirePOWER devices in multiple context mode.
Security Intelligence Category
The name of the blacklisted object that represents or contains the blacklisted IP address in the connection. The Security Intelligence category can be the name of a network object or group, the global blacklist, a custom Security Intelligence list or feed, or one of the categories in the Intelligence Feed. Note that this field is only populated if the Reason is IP Block or IP Monitor; entries in Security Intelligence event views always display a reason. For more information, see Blacklisting Using Security Intelligence IP Address Reputation.
Note also that neither the DC500 Defense Center nor Series 2 devices support this feature.
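The Reason and Action pairings listed above (User Bypass with Allow, IP Block, File Block and SSL Block with Block, Intrusion Block with Block or Allow), together with the rule that Security Intelligence Category is populated only for an IP Block or IP Monitor reason, are invariants worth asserting when connection events are normalized into a SIEM: a record that violates them points at a parsing or export problem, and the Intrusion Block plus Allow combination is the one that tells you an exploit passed because the rule was not in a blocking state. The following is an added example written for this page, not code from the page or from the product; the lower-case field names action, reason, si_category and id, and the sample records, are constructed for illustration and are not the FireSIGHT System's export schema.

```python
"""Consistency checks and triage labels for connection-event records, built
from the Reason, Action and Security Intelligence Category rules described
in the field reference.  Added example, not product code: the field names
and the sample records are constructed for illustration."""

# Reasons the reference pairs with a fixed set of actions.  "Intrusion Block"
# pairs with Allow when the exploit would have been blocked but was not.
REASON_ACTIONS = {
    "User Bypass": {"Allow"},
    "IP Block": {"Block"},
    "File Block": {"Block"},
    "SSL Block": {"Block"},
    "Intrusion Block": {"Block", "Allow"},
}

# Only these reasons populate the Security Intelligence Category field.
SI_REASONS = {"IP Block", "IP Monitor"}

BLOCKING_ACTIONS = {"Block", "Block with reset",
                    "Interactive Block", "Interactive Block with reset"}


def check_event(ev):
    """Return the documented rules this record violates (empty list if none).
    `ev` is a dict with keys action (str), reason (list of str) and
    si_category (str or None); the key names are this example's choice."""
    findings = []
    action = ev.get("action")
    reasons = set(ev.get("reason") or [])

    if action == "Monitor":
        findings.append("Monitor is never the logged action; traffic matching a "
                        "Monitor rule is handled by a later rule or the default action")
    for reason in sorted(reasons):
        allowed = REASON_ACTIONS.get(reason)
        if allowed and action not in allowed:
            findings.append(f"reason {reason!r} never pairs with action {action!r}")

    has_category = bool(ev.get("si_category"))
    if has_category and not (reasons & SI_REASONS):
        findings.append("Security Intelligence Category set without an "
                        "IP Block or IP Monitor reason")
    if (reasons & SI_REASONS) and not has_category:
        findings.append("IP Block/IP Monitor reason without a "
                        "Security Intelligence Category")
    return findings


def triage(ev):
    """Label what actually happened to the traffic, the way a SIEM rule would."""
    action = ev.get("action")
    reasons = set(ev.get("reason") or [])
    if "Intrusion Block" in reasons:
        return ("exploit blocked" if action == "Block"
                else "exploit detected, would have been blocked")
    if "User Bypass" in reasons:
        return "user clicked through interactive block"
    if "IP Monitor" in reasons:
        return "Security Intelligence match, monitored only"
    if "IP Block" in reasons:
        return f"blacklisted by Security Intelligence ({ev.get('si_category')})"
    if action in BLOCKING_ACTIONS:
        return "blocked"
    return "allowed"


# Constructed sample records (not real events); 4 to 6 are deliberately malformed.
SAMPLE_EVENTS = [
    {"id": 1, "action": "Allow", "reason": ["User Bypass"], "si_category": None},
    {"id": 2, "action": "Block", "reason": ["IP Block"], "si_category": "Example-Custom-List"},
    {"id": 3, "action": "Allow", "reason": ["Intrusion Block"], "si_category": None},
    {"id": 4, "action": "Block", "reason": ["IP Block"], "si_category": None},
    {"id": 5, "action": "Allow", "reason": ["SSL Block"], "si_category": None},
    {"id": 6, "action": "Monitor", "reason": [], "si_category": None},
]


def run_checks(events):
    """Map event id -> findings for every record that violates a rule."""
    return {ev["id"]: f for ev in events if (f := check_event(ev))}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], triage(ev), check_event(ev))
```

The checks are deliberately strict on the pairings the page states as "always"; File Monitor, File Custom Detection, Intrusion Monitor and the File Resume reasons are left unconstrained because the page gives no fixed action for them.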
Source Device
The IP address of the NetFlow-enabled device that exported the data for the connection. If the connection was detected by a managed device, this field contains a value of FireSIGHT.
Source Port/ICMP Type or Destination Port/ICMP Code
The port, ICMP type, or ICMP code used by the session initiator or session responder.
SSL Status
The action associated with the SSL rule, default action, or undecryptable traffic action that logged the encrypted connection:
– Block and Block with reset represent blocked encrypted connections.
– Decrypt (Resign) represents an outgoing connection decrypted using a re-signed server certificate.
– Decrypt (Replace Key) represents an outgoing connection decrypted using a self-signed server certificate with a substituted public key.
– Decrypt (Known Key) represents an incoming connection decrypted using a known private key.
– Do not Decrypt represents a connection the system did not decrypt.
If the system fails to decrypt an encrypted connection, it displays the undecryptable traffic action taken, as well as the failure reason. For example, if the system detects traffic encrypted with an unknown cipher suite and allows it without further inspection, this field displays Do Not Decrypt (Unknown Cipher Suite).
Click the lock icon to view certificate details. For more information, see Viewing the Certificate Associated with an Encrypted Connection.
SSL Certificate Status
If encrypted traffic matches an SSL rule, this field displays the server certificate statuses. If undecryptable traffic matches an SSL rule, this field displays Not Checked. For more information, see Controlling Encrypted Traffic by Certificate Status.
SSL Flow Error
The error name and hexadecimal code if an error occurred during the SSL session; Success if no error occurred.
SSL Version
The SSL or TLS protocol version used to encrypt the connection.
SSL Cipher Suite
The cipher suite used to encrypt the connection.
SSL Policy
The SSL policy that handled the connection.
SSL Rule
The SSL rule or default action that handled the connection, as well as the first Monitor rule matched by that connection. If the connection matched a Monitor rule, the Defense Center displays the name of the rule that handled the connection, followed by the Monitor rule name.
SSL Session ID
The hexadecimal Session ID negotiated between the client and server during the SSL handshake.
SSL Ticket ID
A hexadecimal hash value of the session ticket information sent during the SSL handshake.
SSL Flow Flags
The first ten debugging level flags for an encrypted connection. To view all flags, click the ellipsis (...).
SSL Flow Messages
The messages exchanged between client and server during the SSL handshake. See http://tools.ietf.org/html/rfc5246 for more information.
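The SSL Version, SSL Cipher Suite, SSL Session ID, SSL Ticket ID and SSL Flow Messages fields are all read off the handshake messages RFC 5246 defines, so it is useful to see exactly where in a ClientHello each value lives. The following is an added example written for this page, not code from the page or from the product: it assembles a TLS 1.2 ClientHello record inline (constructed test input, not a capture) and parses it back into those fields. Two assumptions are this example's own: the page says only that the Ticket ID is "a hexadecimal hash value of the session ticket information", so hashing the session_ticket extension with SHA-256 stands in for whatever the system uses; and the server_name extension is extracted as the usual source of a host name for an encrypted connection, which the page does not specify.

```python
"""Parse a TLS 1.2 ClientHello (RFC 5246, section 7.4.1.2) into the handshake
values a connection log exposes: protocol version, session ID, offered cipher
suites, session ticket.  Added example; the sample record is constructed
inline, not captured from a device."""
import hashlib
import struct

# A few IANA cipher suite names, used only to label the parsed values.
CIPHER_SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
EXT_SERVER_NAME = 0x0000      # RFC 6066
EXT_SESSION_TICKET = 0x0023   # RFC 5077


def build_client_hello(session_id, cipher_suites, server_name, ticket):
    """Assemble a syntactically valid TLS record carrying a ClientHello.
    This is constructed test input for the parser below."""
    sni_entry = struct.pack("!BH", 0, len(server_name)) + server_name.encode("ascii")
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
                  + struct.pack("!HH", EXT_SESSION_TICKET, len(ticket)) + ticket)
    body = (
        struct.pack("!H", 0x0303)                       # client_version
        + b"\x11" * 32                                  # random (fixed, constructed)
        + struct.pack("!B", len(session_id)) + session_id
        + struct.pack("!H", 2 * len(cipher_suites))
        + b"".join(struct.pack("!H", cs) for cs in cipher_suites)
        + b"\x01\x00"                                   # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Walk the record header, the handshake header and the ClientHello body."""
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")

    pos = 0
    (version,) = struct.unpack_from("!H", body, pos); pos += 2
    pos += 32                                            # skip random
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    (cs_len,) = struct.unpack_from("!H", body, pos); pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len

    result = {
        "version": TLS_VERSIONS.get(version, f"0x{version:04X}"),
        "session_id": session_id.hex(),
        "cipher_suites": [CIPHER_SUITE_NAMES.get(s, f"0x{s:04X}") for s in suites],
        "server_name": None,
        "ticket_id": None,
    }
    if pos < len(body):
        (ext_len,) = struct.unpack_from("!H", body, pos); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack_from("!HH", body, pos); pos += 4
            data = body[pos:pos + ext_size]; pos += ext_size
            if ext_type == EXT_SERVER_NAME and len(data) >= 5:
                name_len = struct.unpack_from("!H", data, 3)[0]      # list len(2), type(1), len(2)
                result["server_name"] = data[5:5 + name_len].decode("ascii", "replace")
            elif ext_type == EXT_SESSION_TICKET and data:
                # Assumption: the product's hash is unspecified; SHA-256 is this example's choice.
                result["ticket_id"] = hashlib.sha256(data).hexdigest()
    return result


# Constructed sample input.
SAMPLE_TICKET = b"constructed-session-ticket-bytes"
SAMPLE_HELLO = build_client_hello(
    session_id=bytes.fromhex("a1b2c3d4e5f60718"),
    cipher_suites=[0xC02F, 0xC030, 0x000A],
    server_name="example.test",
    ticket=SAMPLE_TICKET,
)

if __name__ == "__main__":
    for key, value in parse_client_hello(SAMPLE_HELLO).items():
        print(f"{key}: {value}")
```

The parser stops at the handshake layer on purpose: the cipher suite and session ID that end up in the log are the ones the server selects or echoes in its ServerHello, so on a real flow the same walk has to be applied to the server side before the fields are final.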
TCP Flags
The TCP flags detected in the connection.
Time
The ending time of the five-minute interval that the system used to aggregate connections in a connection summary.
URL, URL Category, and URL Reputation
The URL requested by the monitored host during the session and its associated category and reputation, if available.
If the system identifies or blocks an SSL application, the requested URL is in encrypted traffic, so the system identifies the traffic based on an SSL certificate. For SSL applications, therefore, this field indicates the common name contained in the certificate.
Note that neither the DC500 Defense Center nor Series 2 devices support URL category or reputation data.
User Agent
User agent application information extracted from HTTP traffic detected in the connection.
Web Application
The web application, which represents the content or requested URL for HTTP traffic detected in the connection.
If the web application does not match the URL for the event, the traffic is probably referred traffic, such as advertisement traffic. If the system detects referred traffic, it stores the referring application (if available) and lists that application as the web application.
If the system cannot identify the specific web application in HTTP traffic, this field displays Web Browsing.
Information Available in Connection and Security Intelligence Events
License: feature dependent
Supported Devices: feature dependent
Supported Defense Centers: feature dependent
The information available for any individual connection, connection summary, or Security Intelligence event depends on several factors.
Appliance Model and License
You can log any connection that your access control and SSL policies can successfully handle. However, many features require that you enable specific licensed capabilities on target devices, and many features are only available on some models.
For example, SSL inspection requires a Series 3 device. Other appliance models cannot inspect encrypted traffic, so the connection events they log contain no information about encrypted connections. As another example, you cannot view geolocation data in connection events using a DC500. For more information, see License and Model Requirements for Connection Logging.
Traffic Characteristics
The system only reports information present (and detectable) in network traffic. For example, there could be no user associated with an initiator host, or no referenced host detected in a connection where the protocol is not DNS, HTTP, or HTTPS.
Detection Method: FireSIGHT System vs NetFlow
With the exception of TCP flags and NetFlow autonomous system, prefix, and TOS data, the information available in NetFlow records is more limited than the information generated by monitoring network traffic using managed devices. For more information, see Differences Between NetFlow and FireSIGHT Data.
Logging Method: Beginning or End of Connection
When the system detects a connection, whether you can log it at its beginning or its end (or both) depends on how you configure the system to detect and handle it; see Logging the Beginning or End of Connections.
Beginning-of-connection events do not have information that must be determined by examining traffic over the duration of the session (for example, the total amount of data transmitted or the timestamp of the last packet in the connection). Beginning-of-connection events are also not guaranteed to have information about application or URL traffic in the session, and do not contain any details about the session’s encryption.
Inspection Method: Associated SSL, File, and Intrusion Policies
Only encrypted connections handled by an SSL policy have SSL-related information in the connection log. Only connections logged by access control rules with associated file policies contain file information. Similarly, you must associate intrusion policies with either access control rules or the default action to view intrusion information in the connection log.
Connection Event Type: Individual vs Summary
Connection summaries do not contain all of the information associated with their aggregated connections. For example, because client information is not used to aggregate connections into connection summaries, summaries do not contain client information.
Keep in mind that connection graphs are based on connection summary data, which use only end-of-connection logs. If you logged only beginning-of-connection data, connection graphs and connection summary event views contain no data.
Other Configurations
An advanced setting in the access control policy controls the number of characters the system stores in the connection log for each URL requested by monitored hosts in HTTP sessions. If you use this setting to disable URL logging, the system does not display individual URLs in the connection log, although you can still view category and reputation data, if it exists.
Also, not all connection events have a Reason, which is a field populated only in specific situations, such as when a user bypasses an Interactive Block configuration; see Reason.
The following table lists each connection event/Security Intelligence event field and whether the system displays information in that field, depending on the detection method, logging method, and connection event type. Note that, because Security Intelligence events are never aggregated, the Summary column refers only to connection event summaries.
Tip In the table views of both connection events and Security Intelligence events, several fields are hidden by default, including the Category and Tag fields for each type of application, NetFlow-related fields, SSL-related fields, and others. To show a hidden field in an event view, expand the search constraints, then click the field name under Disabled Columns.
Table 39-1 Connection and Security Intelligence Data Based on Logging and Detection Methods

| Field | Detection: FireSIGHT | Detection: NetFlow | Logging: Beginning of Connection | Logging: End of Connection | Event type: Individual | Event type: Summary |
|---|---|---|---|---|---|---|
| Time | yes | yes | no | yes | no | yes |
| First Packet | yes | yes | yes | yes | yes | no |
| Last Packet | yes | yes | no | yes | yes | no |
| Action | yes | no | yes | yes | yes | no |
| Reason | yes | no | yes | yes | yes | no |
| Initiator IP | yes | yes | yes | yes | yes | yes |
| Initiator Country | yes | no | yes | yes | yes | yes |
| Initiator User | yes | yes | yes | yes | yes | yes |
| Responder IP | yes | yes | yes | yes | yes | yes |
| Responder Country | yes | no | yes | yes | yes | yes |
| Security Intelligence Category | yes | no | yes | yes | yes | no |
| Ingress Security Zone | yes | no | yes | yes | yes | yes |
| Egress Security Zone | yes | no | yes | yes | yes | yes |
| Source Port/ICMP Type | yes | yes | yes | yes | yes | no |
| Destination Port/ICMP Code | yes | yes | yes | yes | yes | yes |
| SSL Status | yes | no | no | yes | yes | no |
| SSL Certificate Status | yes | no | no | yes | yes | no |
| SSL Version | yes | no | no | yes | yes | no |
| SSL Policy | yes | no | no | yes | yes | no |
| SSL Rule | yes | no | no | yes | yes | no |
| SSL Cipher Suite | yes | no | no | yes | yes | no |
| SSL Flow Flags | yes | no | no | yes | yes | no |
| SSL Flow Messages | yes | no | no | yes | yes | no |
| Application Protocol | yes | yes | if available | yes | yes | yes |
| Client | yes | no | if available | yes | yes | no |
| Client Version | yes | no | if available | yes | yes | no |
| Web Application | yes | no | if available | yes | yes | no |
| Category, Tag (Application Protocol, Client, Web Application) | yes | no | if available | yes | yes | no |
| Application Risk | yes | no | if available | yes | yes | no |
| Business Relevance | yes | no | if available | yes | yes | no |
| URL | yes | no | if available | yes | yes | no |
| URL Category | yes | no | if available | yes | yes | no |
| URL Reputation | yes | no | if available | yes | yes | no |
| VLAN ID | yes | no | yes | yes | yes | no |
| Referenced Host | yes | no | no | yes | yes | no |
| User Agent | yes | no | no | yes | yes | no |
| HTTP Referrer | yes | no | no | yes | yes | no |
| IOC | yes | no | yes | yes | yes | no |
| Intrusion Events | yes | no | no | yes | yes | no |
| Files | yes | no | no | yes | yes | no |
| Intrusion Policy | yes | no | yes | yes | yes | no |
| Access Control Policy | yes | no | yes | yes | yes | no |
| Access Control Rule | yes | no | yes | yes | yes | no |
| Network Analysis Policy | yes | no | yes | yes | yes | no |
| Device | yes | yes | yes | yes | yes | yes |
| Ingress Interface | yes | no | yes | yes | yes | yes |
| Egress Interface | yes | no | yes | yes | yes | yes |
| Security Context (ASA only) | yes | no | yes | yes | yes | yes |
| TCP Flags | no | yes | no | yes | yes | no |
| NetFlow Destination/Source Autonomous System | no | yes | no | yes | yes | no |
| NetFlow Destination/Source Prefix | no | yes | no | yes | yes | no |
| NetFlow Destination/Source TOS | no | yes | no | yes | yes | no |
| NetFlow SNMP Input/Output | no | yes | no | yes | yes | no |
| Source Device | yes | yes | FireSIGHT | yes | yes | yes |
| NetBIOS Domain | yes | no | yes | yes | yes | no |
| Initiator Packets | yes | yes | not useful | yes | yes | yes |
| Responder Packets | yes | yes | not useful | yes | yes | yes |
| Initiator Bytes | yes | yes | not useful | yes | yes | yes |
| Responder Bytes | yes | yes | not useful | yes | yes | yes |
| Connections | yes | yes | no | yes | no | yes |
| Count | yes | yes | yes | yes | yes | no |