- Introduction to the Cisco ASA FirePOWER Module
- Managing Device Configuration
- Managing Reusable Objects
- Getting Started with Access Control Policies
- Blacklisting Using Security Intelligence IP Address Reputation
- Tuning Traffic Flow Using Access Control Rules
- Controlling Traffic with Network-Based Rules
- Controlling Traffic with Reputation-Based Rules
- Access Control Rules: Realms and Users
- Access Control Rules: Custom Security Group Tags
- Controlling Traffic Using Intrusion and File Policies
- Intelligent Application Bypass
- Access Control Using Content Restriction
- Understanding Traffic Decryption
- Getting Started with SSL Policies
- Getting Started with SSL Rules
- Tuning Traffic Decryption Using SSL Rules
- Understanding Network Analysis and Intrusion Policies
- Using Layers in a Network Analysis or Intrusion Policy
- Customizing Traffic Preprocessing
- Getting Started with Network Analysis Policies
- Using Application Layer Preprocessors
- Configuring SCADA Preprocessing
- Configuring Transport & Network Layer Preprocessing
- Tuning Preprocessing in Passive Deployments
- Getting Started with Intrusion Policies
- Tuning Intrusion Policies Using Rules
- Detecting Specific Threats
- Globally Limiting Intrusion Event Logging
- Understanding and Writing Intrusion Rules
- Introduction to Identity Data
- Realms and Identity Policies
- User Identity Sources
- DNS Policies
- Blocking Malware and Prohibited Files
- Logging Connections in Network Traffic
- Viewing Events
- Configuring External Alerting
- Configuring External Alerting for Intrusion Rules
- Using the ASA FirePOWER Dashboard
- Using ASA FirePOWER Reporting
- Scheduling Tasks
- Managing System Policies
- Configuring ASA FirePOWER Module Settings
- Licensing the ASA FirePOWER Module
- Updating ASA FirePOWER Module Software
- Monitoring the System
- Using Backup and Restore
- Generating Troubleshooting Files
- Importing and Exporting Configurations
- Viewing the Status of Long-Running Tasks
- Security, Internet Access, and Communication Ports
Viewing Events
You can view real-time events logged against the traffic inspected by the ASA FirePOWER module.
Note The module only caches the most recent 100 events in memory.
Accessing ASA FirePOWER Real-Time Events
You can view events detected by the ASA FirePOWER module in several predefined event views or create a custom event view to view the event fields you select.
Note The module only caches the most recent 100 events in memory.
Step 1 Select Monitoring > ASA FirePOWER Monitoring > Real-time Eventing .
For more information, see Understanding ASA FirePOWER Event Types and Event Fields in ASA FirePOWER Events.
Understanding ASA FirePOWER Event Types
The ASA FirePOWER module provides real-time event viewing of event fields from five event types: connection events, security intelligence events, intrusion events, file events, and malware events.
Connection logs, called connection events , contain data about the detected sessions. The information available for any individual connection event depends on several factors, but in general includes:
- basic connection properties: timestamp, source and destination IP address, ingress and egress zones, the device that handled the connection, and so on
- additional connection properties discovered or inferred by the system: applications, requested URLs, or users associated with the connection, and so on
- metadata about why the connection was logged: which access control rule (or other configuration) in which policy handled the traffic, whether the connection was allowed or blocked, and so on
Various settings in access control give you granular control over which connections you log, when you log them, and where you store the data. You can log any connection that your access control policies can successfully handle. You can enable connection logging in the following situations:
- when a connection is blacklisted (blocked) or monitored by the reputation-based Security Intelligence feature
- when a connection is handled by an access control rule or the access control default action
In addition to the logging that you configure, the system automatically logs most connections where the system detects a prohibited file, malware, or intrusion attempt.
When you enable Security Intelligence logging, blacklist matches automatically generate Security Intelligence events as well as connection events. A Security Intelligence event is a special kind of connection event that you can view and analyze separately. For detailed information on configuring connection logging, including Security Intelligence blacklisting decisions, see Logging Connections in Network Traffic.
Tip General information about connection events also pertains to Security Intelligence events, unless otherwise noted. For more information on Security Intelligence, see Blacklisting Using Security Intelligence IP Address Reputation.
The system examines the packets that traverse your network for malicious activity that could affect the availability, integrity, and confidentiality of a host and its data. When the system identifies a possible intrusion, it generates an intrusion event , which is a record of the date, time, type of exploit, and contextual information about the source of the attack and its target.
File events represent files that the system detected, and optionally blocked, in network traffic.
The system logs the file events generated when a managed device detects or blocks a file in network traffic, according to the rules in currently applied file policies.
Malware events represent malware files detected, and optionally blocked, in network traffic by the system.
With a Malware license, your ASA FirePOWER module can detect malware in network traffic as part of your overall access control configuration; see Understanding and Creating File Policies.
The following scenarios can lead to generating malware events:
-
If a managed device detects one of a set of specific file types, the ASA FirePOWER module performs a malware cloud lookup, which returns a file disposition to the ASA FirePOWER module of
Malware
,Clean
, orUnknown
. -
If the ASA FirePOWER module cannot establish a connection with the cloud, or the cloud is otherwise unavailable, the file disposition is
Unavailable
. You may see a small percentage of events with this disposition; this is expected behavior. -
If the managed device detects a file on the clean list, the ASA FirePOWER module assigns a file disposition of
Clean
to the file.
The ASA FirePOWER module logs records of files’ detection and dispositions, along with other contextual data, as malware events.
Files detected in network traffic and identified as malware by the ASA FirePOWER module generate both a file event and a malware event. This is because to detect malware in a file, the system must first detect the file itself.
Event Fields in ASA FirePOWER Events
For connection or security intelligence events, the action associated with the access control rule or default action that logged the connection:
–
Allow
represents explicitly allowed and user-bypassed interactively blocked connections.
–
Trust
represents trusted connections. TCP connections detected by a trust rule on the first packet only generate an end-of-connection event. The system generates the event one hour after the final session packet.
–
Block
and
Block with reset
represent blocked connections. The system also associates the
Block
action with connections blacklisted by Security Intelligence, connections where an exploit was detected by an intrusion policy, and connections where a file was blocked by a file policy.
–
Interactive Block
and
Interactive Block with reset
mark the beginning-of-connection event that you can log when the system initially blocks a user’s HTTP request using an Interactive Block rule. If the user clicks through the warning page that the system displays, any additional connection events you log for the session have an action of
Allow
.
–
Default Action
indicates the connection was handled by the default action.
– For Security Intelligence-monitored connections, the action is that of the first non-Monitor access control rule triggered by the connection, or the default action. Similarly, because traffic matching a Monitor rule is always handled by a subsequent rule or by the default action, the action associated with a connection logged due to a monitor rule is never
Monitor
.
For file or malware events, the file rule action associated with the rule action for the rule the file matched, and any associated file rule action options.
Whether the system allowed the traffic flow for the event.
The application detected in the connection.
Application Business Relevance
The business relevance associated with the application traffic detected in the connection:
Very High
,
High
,
Medium
,
Low
, or
Very Low
. Each type of application detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those.
Categories that characterize the application to help you understand the application's function.
The risk associated with the application traffic detected in the connection:
Very High
,
High
,
Medium
,
Low
, or
Very Low
. Each type of application detected in the connection has an associated risk; this field displays the highest of those.
Tags that characterize the application to help you understand the application's function.
The type of block specified in the access control rule matching the traffic flow in the event: block or interactive block.
The client application detected in the connection.
If the system cannot identify the specific client used in the connection, this field displays
client
appended to the application protocol name to provide a generic name, for example,
FTP client
.
The business relevance associated with the client traffic detected in the connection:
Very High
,
High
,
Medium
,
Low
, or
Very Low
. Each type of client detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those.
Categories that characterize the client detected in the traffic to help you understand the client’s function.
The risk associated with the client traffic detected in the connection:
Very High
,
High
,
Medium
,
Low
, or
Very Low
. Each type of client detected in the connection has an associated risk; this field displays the highest of those.
Tags that characterize the client detected in the traffic to help you understand the client’s function.
The version of the client detected in the connection.
The unique ID for the traffic flow, internally generated.
Connection Blocktype Indicator
The type of block specified in the access control rule matching the traffic flow in the event: block or interactive block.
The total bytes for the connection.
The time for the beginning of the connection.
The time the connection was detected.
The metadata identifying the security context through which the traffic passed. Note that the system only populates this field for devices in multiple context mode.
Whether the system denied the traffic flow for the event.
Destination Country and Continent
The country and continent of the receiving host.
The IP address used by the receiving host.
Destination Port, Destination Port Icode, Destination Port/ICMP Code
The destination port or ICMP code used by the session responder.
The direction of transmission for a file.
One of the following file dispositions:
–
Malware
indicates that the cloud categorized the file as malware.
–
Clean
indicates that the cloud categorized the file as clean, or that a user added the file to the clean list.
–
Unknown
indicates that a malware cloud lookup occurred before the cloud assigned a disposition. The file is uncategorized.
–
Custom Detection
indicates that a user added the file to the custom detection list.
–
Unavailable
indicates that the ASA FirePOWER module could not perform a malware cloud lookup. You may see a small percentage of events with this disposition; this is expected behavior.
–
N/A
indicates a Detect Files or Block Files rule handled the file and the ASA FirePOWER module did not perform a malware cloud lookup.
The egress interface associated with the connection. Note that, if your deployment includes an asynchronous routing configuration, the ingress and egress interface may belong to the same interface set.
The egress security zone associated with the connection.
The time, in microseconds, when the event was detected.
The time, in seconds, when the event was detected.
The general categories of file type, for example:
Office Documents
,
Archive
,
Multimedia
,
Executables
,
PDF files
,
Encoded
,
Graphics
, or
System Files
.
The time and date the file or malware file was created.
The name of the file or malware file.
The SHA-256 hash value of the file.
The size of the file or malware file, in kilobytes.
The file type of the file or malware file, for example,
HTML
or
MSEXE
.
The file policy associated with the generation of the event.
The type of block specified in the file rule matching the traffic flow in the event: block or interactive block.
Firewall Policy Rules/SI Category
The name of the blacklisted object that represents or contains the blacklisted IP address in the connection. The Security Intelligence category can be the name of a network object or group, the global blacklist, a custom Security Intelligence list or feed, or one of the categories in the Intelligence Feed. Note that this field is only populated if the
Reason
is
IP Block
or
IP Monitor
; entries in Security Intelligence event views always display a reason.
The access control rule or default action that handled the connection, as well as up to eight Monitor rules matched by that connection.
The date and time the first packet of the session was seen.
The HTTP referrer, which represents the referrer of a requested URL for HTTP traffic detected in the connection (such as a website that provided a link to, or imported a link from, another URL).
The classification where the rule that generated the event belongs. See the Rule Classifications table for a list of rule classification names and numbers.
The impact level in this field indicates the correlation between intrusion data, network discovery data, and vulnerability information.
The ingress interface associated with the connection. Note that, if your deployment includes an asynchronous routing configuration, the ingress and egress interface may belong to the same interface set.
The ingress security zone associated with the connection.
The total number of bytes transmitted by the session initiator.
Initiator Country and Continent
When a routable IP is detected, the country and continent associated with the host IP address that initiated the session.
The host IP address (and host name, if DNS resolution is enabled) that initiated the session responder.
The total number of packets transmitted by the session initiator.
– a black down arrow, indicating that the system dropped the packet that triggered the rule
– a gray down arrow, indicating that IPS would have dropped the packet if you enabled the Drop when Inline intrusion policy option (in an inline deployment), or if a Drop and Generate rule generated the event while the system was pruning
– blank, indicating that the triggered rule was not set to Drop and Generate Events
– Note that the system does not drop packets in a passive deployment, including when an inline interface is in tap mode, regardless of the rule state or the inline drop behavior of the intrusion policy.
The action of the intrusion rule matching the traffic flow in the event.
The date and time the last packet of the session was seen.
The Multiprotocol Label Switching label associated with the packet that triggered this intrusion event.
The type of block specified in the file rule matching the traffic flow in the event: block or interactive block.
The explanatory text for the event.
For rule-based intrusion events, the event message is pulled from the rule. For decoder- and preprocessor-based events, the event message is hard coded.
For malware events, any additional information associated with the malware event. For network-based malware events, this field is populated only for files whose disposition has changed.
Up to eight Monitor rules matched by that connection.
The NetBIOS domain used in the session.
Original Client Country and Continent
The country where the original client IP address belongs. To obtain this value, the system extracts the original client IP address from an X-Forwarded-For (XFF), True-Client-IP, or custom-defined HTTP header, then maps it to the country using the geolocation database (GeoDB). To populate this field, you must enable an access control rule that handles proxied traffic based on its original client.
The original client IP address from an X-Forwarded-For (XFF), True-Client-IP, or custom-defined HTTP header. To populate this field, you must enable an access control rule that handles proxied traffic based on its original client.
The access control, intrusion, or network analysis policy (NAP), if any, associated with the generation of the event.
The revision of the access control, file, intrusion, or network analysis policy (NAP), if any, associated with the generation of the event.
The event priority as determined by the Cisco VRT.
The protocol detected in the connection.
The reason or reasons the connection was logged, in the following situations:
–
User Bypass
indicates that the system initially blocked a user’s HTTP request, but the user chose to continue to the originally requested site by clicking through a warning page. A reason of
User Bypass
is always paired with an action of
Allow
.
–
IP Block
indicates that the system denied the connection without inspection, based on Security Intelligence data. A reason of
IP Block
is always paired with an action of
Block
.
–
IP Monitor
indicates that the system would have denied the connection based on Security Intelligence data, but you configured the system to monitor, rather than deny, the connection.
–
File Monitor
indicates that the system detected a particular type of file in the connection.
–
File Block
indicates the connection contained a file or malware file that the system prevented from being transmitted. A reason of
File Block
is always paired with an action of
Block
.
–
File Custom Detection
indicates the connection contained a file on the custom detection list that the system prevented from being transmitted.
–
File Resume Allow
indicates that file transmission was originally blocked by a Block Files or Block Malware file rule. After a new access control policy was applied that allowed the file, the HTTP session automatically resumed. Note that this reason only appears in inline deployments.
–
File Resume Block
indicates that file transmission was originally allowed by a Detect Files or Malware Cloud Lookup file rule. After a new access control policy was applied that blocked the file, the HTTP session automatically stopped. Note that this reason only appears in inline deployments.
–
Intrusion Block
indicates the system blocked or would have blocked an exploit (intrusion policy violation) detected in the connection. A reason of
Intrusion Block
is paired with an action of
Block
for blocked exploits and
Allow
for would-have-blocked exploits.
–
Intrusion Monitor
indicates the system detected, but did not block, an exploit detected in the connection. This occurs when the state of the triggered intrusion rule is set to
Generate Events
.
–
Content Restriction
indicates the system modified the packet to enforce content restrictions related to either the Safe Search or YouTube EDU feature.
The time the destination host or responder responded to the event.
If the protocol in the connection is DNS, HTTP, or HTTPS, this field displays the host name that the respective protocol was using.
The total number of bytes transmitted by the session responder.
Responder Country and Continent
When a routable IP is detected, the country and continent associated with the host IP address for the session responder.
The total number of packets transmitted by the session responder.
The host IP address (and host name, if DNS resolution is enabled) that responded to the session initiator.
The Security Group Tag (SGT) attribute of the packet involved in the connection. The SGT specifies the privileges of a traffic source within a trusted network. Security Group Access (a feature of both Cisco TrustSec and Cisco ISE) applies the attribute as packets enter the network.
The signature ID of the intrusion rule matching the traffic for the event.
The country and continent of the sending host.
The IP address used by the sending host in an intrusion event.
The host originating or receiving the connection for the event.
Source Port, Source Port Type, Source Port/ICMP Type
The source port or ICMP type used by the session initiator.
The TCP flags detected in the connection.
The URL requested by the monitored host during the session.
The category associated with the URL requested by the monitored host during the session, if available.
The reputation associated with the URL requested by the monitored host during the session, if available.
The reputation score associated with the URL requested by the monitored host during the session, if available.
The user of the host ( Receiving IP ) where the event occurred.
User agent application information extracted from HTTP traffic detected in the connection.
The innermost VLAN ID associated with the packet that triggered the event.
The business relevance associated with the web application traffic detected in the connection:
Very High
,
High
,
Medium
,
Low
, or
Very Low
. Each type of web application detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those.
Categories that characterize the web application detected in the traffic to help you understand the web application's function.
The risk associated with the web application traffic detected in the connection:
Very High
,
High
,
Medium
,
Low
, or
Very Low
. Each type of web application detected in the connection has an associated risk; this field displays the highest of those.
Tags that characterize the web application detected in the traffic to help you understand the web application's function.