Action
For connection or security intelligence events, the action associated with the access control rule or default action that logged the connection:
- Allow represents explicitly allowed and user-bypassed interactively blocked connections.
- Trust represents trusted connections. TCP connections detected by a trust rule on the first packet only generate an end-of-connection event. The system generates the event one hour after the final session packet.
- Block and Block with reset represent blocked connections. The system also associates the Block action with connections blocked by Security Intelligence, connections where an exploit was detected by an intrusion policy, and connections where a file was blocked by a file policy.
- Interactive Block and Interactive Block with reset mark the beginning-of-connection event that you can log when the system initially blocks a user's HTTP request using an Interactive Block rule. If the user clicks through the warning page that the system displays, any additional connection events you log for the session have an action of Allow.
- Default Action indicates the connection was handled by the default action.
- For Security Intelligence-monitored connections, the action is that of the first non-Monitor access control rule triggered by the connection, or the default action. Similarly, because traffic matching a Monitor rule is always handled by a subsequent rule or by the default action, the action associated with a connection logged due to a monitor rule is never Monitor.
For file or malware events, the action of the file rule that the file matched, along with any associated file rule action options.
Allowed Connection
Whether the system allowed the traffic flow for the event.
Application
The application detected in the connection.
Application Business Relevance
The business relevance associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those.
Application Categories
Categories that characterize the application to help you understand the application's function.
Application Risk
The risk associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated risk; this field displays the highest of those.
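The two fields above are derived from per-application values with opposite rules: business relevance takes the lowest level seen in the connection, risk takes the highest. The same rule applies to the Client and Web App relevance and risk fields. The following is an added illustration, not Cisco code; the five-level ordering and the tuple layout of the detected applications are assumptions made for the example.

```python
"""Derive per-connection Business Relevance and Risk from the applications
detected in that connection (added illustration; not Cisco code)."""

# Ordinal scale used by the Business Relevance and Risk fields. Treating the
# levels as ordered from least to most is an assumption for this example.
LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def _validate(values):
    unknown = [v for v in values if v not in RANK]
    if unknown:
        raise ValueError(f"unknown level(s): {unknown}")


def connection_relevance(app_relevances):
    """Lowest (least relevant) business relevance among the detected applications."""
    _validate(app_relevances)
    return min(app_relevances, key=RANK.__getitem__)


def connection_risk(app_risks):
    """Highest risk among the detected applications."""
    _validate(app_risks)
    return max(app_risks, key=RANK.__getitem__)


def summarize_connection(detected):
    """detected: list of (application, relevance, risk) tuples seen in one
    connection (layout is an assumption). Returns the two field values the
    connection event would carry, or None values when nothing was detected."""
    if not detected:
        return {"Application Business Relevance": None, "Application Risk": None}
    return {
        "Application Business Relevance": connection_relevance([r for _, r, _ in detected]),
        "Application Risk": connection_risk([k for _, _, k in detected]),
    }


# Constructed sample: three application types seen in one connection.
# Names and levels are illustrative, not taken from a real event.
SAMPLE_DETECTIONS = [
    ("HTTP", "Very High", "Medium"),
    ("BitTorrent", "Very Low", "Very High"),
    ("Dropbox", "Medium", "High"),
]

if __name__ == "__main__":
    print(summarize_connection(SAMPLE_DETECTIONS))
```

A single low-relevance, high-risk application is enough to drag the whole connection to Very Low relevance and Very High risk, which is why filtering event views on these fields surfaces mixed connections rather than only single-application ones.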
Application Tag
Tags that characterize the application to help you understand the application's function.
Block Type
The type of block specified in the access control rule matching the traffic flow in the event: block or interactive block.
Client
The client application detected in the connection.
If the system cannot identify the specific client used in the connection, this field displays client appended to the application protocol name to provide a generic name, for example, FTP client.
Client Business Relevance
The business relevance associated with the client traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of client detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those.
Client Categories
Categories that characterize the client detected in the traffic to help you understand the client’s function.
Client Risk
The risk associated with the client traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of client detected in the connection has an associated risk; this field displays the highest of those.
Client Tag
Tags that characterize the client detected in the traffic to help you understand the client’s function.
Client Version
The version of the client detected in the connection.
Connection
The unique ID for the traffic flow, internally generated.
Connection Blocktype Indicator
The type of block specified in the access control rule matching the traffic flow in the event: block or interactive block.
Connection Bytes
The total bytes for the connection.
Connection Time
The time for the beginning of the connection.
Connection Timestamp
The time the connection was detected.
Context
The metadata identifying the security context through which the traffic passed. Note that the system only populates this field
for devices in multiple context mode.
Denied Connection
Whether the system denied the traffic flow for the event.
Destination Country and Continent
The country and continent of the receiving host.
Destination IP
The IP address used by the receiving host.
Destination Port, Destination Port Icode, Destination Port/ICMP Code
The destination port or ICMP code used by the session responder.
Direction
The direction of transmission for a file.
Disposition
One of the following file dispositions:
- Malware indicates that the cloud categorized the file as malware.
- Clean indicates that the cloud categorized the file as clean, or that a user added the file to the clean list.
- Unknown indicates that a malware cloud lookup occurred before the cloud assigned a disposition. The file is uncategorized.
- Custom Detection indicates that a user added the file to the custom detection list.
- Unavailable indicates that the ASA FirePOWER module could not perform a malware cloud lookup. You may see a small percentage of events with this disposition; this is expected behavior.
- N/A indicates a Detect Files or Block Files rule handled the file and the ASA FirePOWER module did not perform a malware cloud lookup.
Egress Interface
The egress interface associated with the connection. Note that, if your deployment includes an asynchronous routing configuration,
the ingress and egress interface may belong to the same interface set.
Egress Security Zone
The egress security zone associated with the connection.
Event Microseconds
The time, in microseconds, when the event was detected.
Event Seconds
The time, in seconds, when the event was detected.
Event Type
The type of event.
File Category
The general categories of file type, for example: Office Documents, Archive, Multimedia, Executables, PDF files, Encoded, Graphics, or System Files.
File Event Timestamp
The time and date the file or malware file was created.
File Name
The name of the file or malware file.
File SHA256
The SHA-256 hash value of the file.
File Size
The size of the file or malware file, in kilobytes.
File Type
The file type of the file or malware file, for example, HTML or MSEXE.
File/Malware Policy
The file policy associated with the generation of the event.
Filelog Blocktype Indicator
The type of block specified in the file rule matching the traffic flow in the event: block or interactive block.
Firewall Policy Rules/SI Category
The name of the object that represents or contains the blocked IP address in the connection. The Security Intelligence category can be the name of a network object or group, the global Block list, a custom Security Intelligence list or feed, or one of the categories in the Intelligence Feed. Note that this field is only populated if the Reason is IP Block or IP Monitor; entries in Security Intelligence event views always display a reason.
Firewall Rule
The access control rule or default action that handled the connection, as well as up to eight Monitor rules matched by that
connection.
First Packet
The date and time the first packet of the session was seen.
HTTP Referrer
The HTTP referrer, which represents the referrer of a requested URL for HTTP traffic detected in the connection (such as a
website that provided a link to, or imported a link from, another URL).
IDS Classification
The classification to which the rule that generated the event belongs. See Table 1 for a list of rule classification names and numbers.
Impact
The impact level in this field indicates the correlation between intrusion data, network discovery data, and vulnerability
information.
Ingress Interface
The ingress interface associated with the connection. Note that, if your deployment includes an asynchronous routing configuration,
the ingress and egress interface may belong to the same interface set.
Ingress Security Zone
The ingress security zone associated with the connection.
Initiator Bytes
The total number of bytes transmitted by the session initiator.
Initiator Country and Continent
When a routable IP is detected, the country and continent associated with the host IP address that initiated the session.
Initiator IP
The host IP address (and host name, if DNS resolution is enabled) that initiated the session.
Initiator Packets
The total number of packets transmitted by the session initiator.
Inline Result
One of the following:
- a black down arrow, indicating that the system dropped the packet that triggered the rule
- a gray down arrow, indicating that IPS would have dropped the packet if you enabled the Drop when Inline intrusion policy option (in an inline deployment), or if a Drop and Generate rule generated the event while the system was pruning
- blank, indicating that the triggered rule was not set to Drop and Generate Events
Note that the system does not drop packets in a passive deployment, including when an inline interface is in tap mode, regardless of the rule state or the inline drop behavior of the intrusion policy.
IPS Blocktype Indicator
The action of the intrusion rule matching the traffic flow in the event.
Last Packet
The date and time the last packet of the session was seen.
MPLS Label
The Multiprotocol Label Switching label associated with the packet that triggered this intrusion event.
Malware Blocktype Indicator
The type of block specified in the file rule matching the traffic flow in the event: block or interactive block.
Message
The explanatory text for the event.
For rule-based intrusion events, the event message is pulled from the rule. For decoder- and preprocessor-based events, the
event message is hard coded.
For malware events, any additional information associated with the malware event. For network-based malware events, this field
is populated only for files whose disposition has changed.
Monitor Rules
Up to eight Monitor rules matched by that connection.
Netbios Domain
The NetBIOS domain used in the session.
Num Ioc
Whether the traffic that triggered the intrusion event also triggered an indication of compromise (IOC) for a host involved
in the connection.
Original Client Country and Continent
The country where the original client IP address belongs. To obtain this value, the system extracts the original client IP
address from an X-Forwarded-For (XFF), True-Client-IP, or custom-defined HTTP header, then maps it to the country using the
geolocation database (GeoDB). To populate this field, you must enable an access control rule that handles proxied traffic
based on its original client.
Original Client IP
The original client IP address from an X-Forwarded-For (XFF), True-Client-IP, or custom-defined HTTP header. To populate this
field, you must enable an access control rule that handles proxied traffic based on its original client.
Policy
The access control, intrusion, or network analysis policy (NAP), if any, associated with the generation of the event.
Policy Revision
The revision of the access control, file, intrusion, or network analysis policy (NAP), if any, associated with the generation
of the event.
Priority
The event priority as determined by the Cisco VRT.
Protocol
The protocol detected in the connection.
Reason
The reason or reasons the connection was logged, in the following situations:
- User Bypass indicates that the system initially blocked a user's HTTP request, but the user chose to continue to the originally requested site by clicking through a warning page. A reason of User Bypass is always paired with an action of Allow.
- IP Block indicates that the system denied the connection without inspection, based on Security Intelligence data. A reason of IP Block is always paired with an action of Block.
- IP Monitor indicates that the system would have denied the connection based on Security Intelligence data, but you configured the system to monitor, rather than deny, the connection.
- File Monitor indicates that the system detected a particular type of file in the connection.
- File Block indicates the connection contained a file or malware file that the system prevented from being transmitted. A reason of File Block is always paired with an action of Block.
- File Custom Detection indicates the connection contained a file on the custom detection list that the system prevented from being transmitted.
- File Resume Allow indicates that file transmission was originally blocked by a Block Files or Block Malware file rule. After a new access control policy was applied that allowed the file, the HTTP session automatically resumed. Note that this reason only appears in inline deployments.
- File Resume Block indicates that file transmission was originally allowed by a Detect Files or Malware Cloud Lookup file rule. After a new access control policy was applied that blocked the file, the HTTP session automatically stopped. Note that this reason only appears in inline deployments.
- Intrusion Block indicates the system blocked or would have blocked an exploit (intrusion policy violation) detected in the connection. A reason of Intrusion Block is paired with an action of Block for blocked exploits and Allow for would-have-blocked exploits.
- Intrusion Monitor indicates the system detected, but did not block, an exploit detected in the connection. This occurs when the state of the triggered intrusion rule is set to Generate Events.
- Content Restriction indicates the system modified the packet to enforce content restrictions related to either the Safe Search or YouTube EDU feature.
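Several entries in this reference state fixed relationships between fields: the Reason entries above tie User Bypass to Allow and IP Block and File Block to Block, the Action entry states that a logged action is never Monitor, and the Firewall Policy Rules/SI Category entry states that the category is populated only when the Reason is IP Block or IP Monitor. Those relationships make useful sanity checks for an event-ingestion pipeline, since a violation usually means a parsing or field-mapping error rather than a real event. The checker below is an added example, not Cisco code; the dictionary layout of an event record, comma separation of multiple reasons, and all sample events are constructed for illustration.

```python
"""Consistency checks for connection-event Reason/Action/SI Category pairings
described in the field reference (added example; not Cisco code). Event
records are constructed; the dict layout and comma-separated reasons are
assumptions for this example."""

# Reasons whose Action pairing the reference states as fixed.
REQUIRED_ACTION = {
    "User Bypass": {"Allow"},
    "IP Block": {"Block"},
    "File Block": {"Block"},
    "Intrusion Block": {"Block", "Allow"},  # Block if dropped, Allow if would-have-blocked
}

# Only these reasons populate the Firewall Policy Rules/SI Category field.
SI_REASONS = {"IP Block", "IP Monitor"}

KNOWN_REASONS = {
    "User Bypass", "IP Block", "IP Monitor", "File Monitor", "File Block",
    "File Custom Detection", "File Resume Allow", "File Resume Block",
    "Intrusion Block", "Intrusion Monitor", "Content Restriction",
}


def split_reasons(reason_field):
    """The Reason field may carry several reasons; comma separation is assumed."""
    return [r.strip() for r in (reason_field or "").split(",") if r.strip()]


def check_event(ev):
    """Return a list of inconsistencies found in one connection event dict."""
    problems = []
    action = ev.get("Action")
    reasons = split_reasons(ev.get("Reason"))

    # Traffic matching a Monitor rule is always handled by a later rule or the
    # default action, so a logged action of Monitor cannot occur.
    if action == "Monitor":
        problems.append("Action is never Monitor")

    for r in reasons:
        if r not in KNOWN_REASONS:
            problems.append(f"unknown reason {r!r}")
            continue
        allowed = REQUIRED_ACTION.get(r)
        if allowed and action not in allowed:
            problems.append(f"reason {r!r} requires action in {sorted(allowed)}, got {action!r}")

    si_category = ev.get("SI Category")
    has_si_reason = bool(set(reasons) & SI_REASONS)
    if si_category and not has_si_reason:
        problems.append("SI Category populated but Reason is neither IP Block nor IP Monitor")
    if has_si_reason and not si_category:
        problems.append("Reason is IP Block/IP Monitor but SI Category is empty")
    return problems


def audit(events):
    """Map each event's Connection ID to its problems (only events with problems)."""
    report = {}
    for ev in events:
        problems = check_event(ev)
        if problems:
            report[ev["Connection"]] = problems
    return report


# Constructed sample events; "Connection" is the unique flow ID from the reference.
SAMPLE_EVENTS = [
    {"Connection": 1001, "Action": "Allow", "Reason": "User Bypass", "SI Category": ""},
    {"Connection": 1002, "Action": "Block", "Reason": "IP Block", "SI Category": "Global Block list"},
    {"Connection": 1003, "Action": "Allow", "Reason": "IP Block", "SI Category": "Global Block list"},  # wrong pairing
    {"Connection": 1004, "Action": "Monitor", "Reason": "", "SI Category": ""},  # impossible action
    {"Connection": 1005, "Action": "Block", "Reason": "File Block, Intrusion Block",
     "SI Category": "EXAMPLE-FEED-PLACEHOLDER"},  # SI Category without an SI reason
    {"Connection": 1006, "Action": "Allow", "Reason": "Intrusion Block", "SI Category": ""},  # would-have-blocked
]

if __name__ == "__main__":
    for conn_id, problems in audit(SAMPLE_EVENTS).items():
        print(conn_id, problems)
```

Event 1006 passes because Intrusion Block legitimately pairs with Allow when the system would have blocked the exploit but did not (for example in a passive deployment); distinguishing the two cases needs the Inline Result field, which the Reason entry alone does not determine.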
Receive Times
The time the destination host or responder responded to the event.
Referenced Host
If the protocol in the connection is DNS, HTTP, or HTTPS, this field displays the host name that the respective protocol was
using.
Responder Bytes
The total number of bytes transmitted by the session responder.
Responder Country and Continent
When a routable IP is detected, the country and continent associated with the host IP address for the session responder.
Responder Packets
The total number of packets transmitted by the session responder.
Responder IP
The host IP address (and host name, if DNS resolution is enabled) that responded to the session initiator.
Security Group Tag Name
The Security Group Tag (SGT) attribute of the packet involved in the connection. The SGT specifies the privileges of a traffic
source within a trusted network. Security Group Access (a feature of both Cisco TrustSec and Cisco ISE) applies the attribute
as packets enter the network.
Signature
The signature ID of the intrusion rule matching the traffic for the event.
Source Country and Continent
The country and continent of the sending host.
Source IP
The IP address used by the sending host in an intrusion event.
Source or Destination
The host originating or receiving the connection for the event.
Source Port, Source Port Type, Source Port/ICMP Type
The source port or ICMP type used by the session initiator.
TCP Flags
The TCP flags detected in the connection.
URL
The URL requested by the monitored host during the session.
URL Category
The category associated with the URL requested by the monitored host during the session, if available.
URL Reputation
The reputation associated with the URL requested by the monitored host during the session, if available.
URL Reputation Score
The reputation score associated with the URL requested by the monitored host during the session, if available.
User
The user of the host (Receiving IP) where the event occurred.
User Agent
User agent application information extracted from HTTP traffic detected in the connection.
VLAN
The innermost VLAN ID associated with the packet that triggered the event.
Web App Business Relevance
The business relevance associated with the web application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of web application detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those.
Web App Categories
Categories that characterize the web application detected in the traffic to help you understand the web application's function.
Web App Risk
The risk associated with the web application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of web application detected in the connection has an associated risk; this field displays the highest of those.
Web App Tag
Tags that characterize the web application detected in the traffic to help you understand the web application's function.
Web Application
The web application detected in the traffic.