The system examines the packets that traverse your network for
malicious activity that could affect the availability, integrity, and
confidentiality of a host and its data. When the system identifies a possible
intrusion, it generates an
intrusion event, which is a record of the date, time, the
type of exploit, and contextual information about the source of the attack and
its target. For packet-based events, a copy of the packet or packets that
triggered the event is also recorded.
When searching this data, keep in mind that your results depend on the data available in the events you are searching. In other words, depending on the available data, a search constraint may not apply. For example, only intrusion events triggered on decrypted traffic contain SSL information.
The list below describes the intrusion event information that
can be viewed and searched by the system.
Note: Some fields in the table view of intrusion events are disabled by default. To enable a field for the duration of your session, click the expand arrow to expand the search constraints, then click the column name under Disabled Columns.
Access Control Policy
The access control policy associated with the intrusion policy
where the intrusion, preprocessor, or decoder rule that generated the event is
enabled.
Access Control Rule
The access control rule that invoked the intrusion policy that
generated the event.
Default Action indicates that the intrusion policy
where the rule is enabled is not associated with a specific access control rule
but, instead, is configured as the default action of the access control policy.
This field is blank if intrusion inspection was associated with
neither an access control rule nor the default action, for example, if the
packet was examined by the default intrusion policy.
Application Protocol
The application protocol, if available, which represents
communications between hosts detected in the traffic that triggered the
intrusion event.
Application Protocol Category and Tag
Criteria that characterize the application to help you
understand the application's function.
Application Risk
The risk associated with detected applications in the traffic
that triggered the intrusion event: Very High, High, Medium, Low, and Very Low.
Each type of application detected in a connection has an associated risk; this
field displays the highest risk of those.
Business Relevance
The business relevance associated with detected applications in
the traffic that triggered the intrusion event: Very High, High, Medium, Low,
and Very Low. Each type of application detected in a connection has an
associated business relevance; this field displays the lowest (least relevant)
of those.
Classification
The classification to which the rule that generated the event belongs.
When searching this field, enter the classification number, or
all or part of the classification name or description for the rule that
generated the events you want to view. You can also enter a comma-separated
list of numbers, names, or descriptions. Finally, if you add a custom
classification, you can also search using all or part of its name or
description.
Client
The client application, if available, which represents software
running on the monitored host detected in the traffic that triggered the
intrusion event.
Client Category and Tag
Criteria that characterize the application to help you
understand the application's function.
Count
The number of events that match the information that appears in
each row. Note that the Count field appears only after you apply a constraint
that creates two or more identical rows. This field is not searchable.
Destination Continent
The continent of the receiving host involved in the intrusion event.
Destination Country
The country of the receiving host involved in the intrusion event.
Destination IP
The IP address used by the receiving host involved in the intrusion event.
Destination Port / ICMP Code
The port number for the host receiving the traffic. For ICMP traffic, where there is no port number, this field displays the ICMP code.
Destination User
The User ID for any known user logged in to the destination
host.
Device
The managed device where the access control policy was deployed.
Note that the primary and secondary devices in a stacked
configuration report intrusion events as if they were separate devices.
Domain
The domain of the device that detected the intrusion. This field is only present if you have ever configured the Firepower Management Center for multitenancy.
Egress Interface
The egress interface of the packet that triggered the event. This interface column is not populated for a passive interface.
Egress Security Zone
The egress security zone of the packet that triggered the event. This security zone field is not populated in a passive deployment.
Email Attachments
The MIME attachment file name that was extracted from the MIME
Content-Disposition header. To display attachment file names, you must enable
the SMTP preprocessor
Log MIME Attachment Names option. Multiple
attachment file names are supported.
Email Headers (search only)
The data that was extracted from the email header.
To associate email headers with intrusion events for SMTP
traffic, you must enable the SMTP preprocessor
Log Headers option.
Email Recipient
The address of the email recipient that was extracted from the
SMTP RCPT TO command. To display a value for this field, you must enable the
SMTP preprocessor
Log To Addresses option. Multiple recipient
addresses are supported.
Email Sender
The address of the email sender that was extracted from the SMTP
MAIL FROM command. To display a value for this field, you must enable the SMTP
preprocessor
Log From Address option. Multiple sender addresses
are supported.
Generator
The component that generated the event.
HTTP Hostname
The host name, if present, that was extracted from the HTTP
request Host header. Note that request packets do not always include the host
name.
To associate host names with intrusion events for HTTP client
traffic, you must enable the HTTP Inspect preprocessor
Log Hostname option.
In table views, this column displays the first fifty characters
of the extracted host name. You can hover your pointer over the displayed
portion of an abbreviated host name to display the complete name, up to 256
bytes. You can also display the complete host name, up to 256 bytes, in the
packet view.
HTTP Response Code
The HTTP status
code sent in response to a client's HTTP request over the connection that
triggered the event.
HTTP URI
The raw URI, if present, associated with the HTTP request packet
that triggered the intrusion event. Note that request packets do not always
include a URI.
To associate URIs with intrusion events for HTTP traffic, you
must enable the HTTP Inspect preprocessor
Log URI option.
To see the associated HTTP URI in intrusion events triggered by
HTTP responses, you should configure HTTP server ports in the
Perform Stream Reassembly on Both Ports option;
note, however, that this increases resource demands for traffic reassembly.
This column displays the first fifty characters of the extracted
URI. You can hover your pointer over the displayed portion of an abbreviated
URI to display the complete URI, up to 2048 bytes. You can also display the
complete URI, up to 2048 bytes, in the packet view.
Impact
The impact level in this field indicates the correlation between intrusion data, network discovery data, and vulnerability information. Valid case-insensitive values are:
- Impact 0, Impact Level 0
- Impact 1, Impact Level 1
- Impact 2, Impact Level 2
- Impact 3, Impact Level 3
- Impact 4, Impact Level 4
Because no operating system information is available for hosts added to the network map from NetFlow data, the system cannot assign Vulnerable (impact level 1: red) impact levels for intrusion events involving those hosts. In such cases, use the host input feature to manually set the operating system identity for the hosts.
When searching this field, do not specify impact icon colors or partial strings. For example, do not use blue, level 1, or 0.
Ingress Interface
The ingress interface of the packet that triggered the event. Only this interface column is populated for a passive interface.
Ingress Security Zone
The ingress security zone of the packet that triggered the event. Only this security zone field is populated in a passive deployment.
Inline Result
In workflow and table views, this field displays one of the following:
- a black down arrow, indicating that the system dropped the packet that triggered the rule
- a gray down arrow, indicating that IPS would have dropped the packet if you enabled the Drop when Inline intrusion policy option (in an inline deployment), or if a Drop and Generate rule generated the event while the system was pruning
- blank, indicating that the triggered rule was not set to Drop and Generate Events
The system does not drop packets in a passive deployment, including when an inline interface is in tap mode, regardless of the rule state or the inline drop behavior of the intrusion policy.
When searching this field, enter either of the following:
- dropped to specify whether the packet is dropped in an inline deployment
- would have dropped to specify whether the packet would have dropped if the intrusion policy had been set to drop packets in an inline deployment
Intrusion Policy
The intrusion policy where the intrusion, preprocessor, or
decoder rule that generated the event was enabled. You can choose an intrusion
policy as the default action for an access control policy, or you can associate
an intrusion policy with an access control rule.
IOC
Whether the traffic that triggered the intrusion event also
triggered an indication of compromise (IOC) for a host involved in the
connection. When searching this field, specify
triggered or
n/a.
Message
The explanatory text for the event. For rule-based intrusion
events, the event message is pulled from the rule. For decoder- and
preprocessor-based events, the event message is hard coded.
MPLS Label
The Multiprotocol Label Switching label associated with the
packet that triggered the intrusion event.
Network Analysis Policy
The network analysis policy, if any, associated with the
generation of the event.
Original Client IP
The original client IP address that was extracted from an
X-Forwarded-For (XFF), True-Client-IP, or custom-defined HTTP header.
To display a value
for this field, you must enable the HTTP preprocessor
Extract Original Client IP Address option in the
network analysis policy. Optionally, in the same area of the network analysis
policy, you can also specify up to six custom client IP headers, as well as set
the priority order in which the system selects the value for the Original
Client IP event field.
Priority
The event priority as determined by the Cisco Talos Security Intelligence and Research Group (Talos). For rule-based intrusion events, the priority corresponds to either the value of the priority keyword or the value of the classtype keyword. For other intrusion events, the priority is determined by the decoder or preprocessor. Valid values are high, medium, and low.
Reviewed By
The name of the user who reviewed the event. When searching this
field, you can enter
unreviewed to search for events that have not been
reviewed.
Security Context
The metadata identifying the virtual firewall group through
which the traffic passed. The system only populates this field for
ASA FirePOWER
in multiple context mode.
Snort ID (search only)
Specify the
Snort ID
(SID) of the rule that generated the event or, optionally, specify the
combination Generator ID (GID) and SID of the rule, where the GID and SID are
separated with a colon (:) in the format GID:SID. You can specify any of the
values in the following table:
Table 1 Snort ID Search Values
Value | Example
a single SID | 10000
a SID range | 10000-11000
greater than a SID | >10000
greater than or equal to a SID | >=10000
less than a SID | <10000
less than or equal to a SID | <=10000
a comma-separated list of SIDs | 10000,11000,12000
a single GID:SID combination | 1:10000
a comma-separated list of GID:SID combinations | 1:10000,1:11000,1:12000
a comma-separated list of SIDs and GID:SID combinations | 10000,1:11000,12000
The SID of the events you are viewing is listed in the Message
column.
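The search grammar in the table above (a bare SID, a SID range, a comparison against a SID, a GID:SID pair, and comma-separated unions of these) is small enough to implement as a filter for an exported event list, which is useful when triaging events outside the console. The following is an added example written for this page, not Cisco code or any FMC API: it assumes events are plain dicts with integer gid and sid keys and a message string (a constructed shape, not the FMC export format), and it rejects combinations the table does not list, such as a comparison operator applied to a range or to a GID:SID pair.

```python
"""Snort ID search-value parser (added example, not Cisco code).

Implements the SID / GID:SID search syntax documented in Table 1 as a
predicate over (gid, sid) and applies it to a constructed event list.
"""
import re
from typing import Callable, Iterable, List

Event = dict  # assumed shape: {"gid": int, "sid": int, "message": str}
Predicate = Callable[[int, int], bool]  # called as pred(gid, sid)

# One comma-separated term: optional comparison operator, then a SID,
# a SID-SID range, or a GID:SID pair.
_TERM_RE = re.compile(r"^(>=|<=|>|<)?(\d+)(?:(-)(\d+)|(:)(\d+))?$")

_COMPARE = {
    None: lambda s, n: s == n,
    ">": lambda s, n: s > n,
    ">=": lambda s, n: s >= n,
    "<": lambda s, n: s < n,
    "<=": lambda s, n: s <= n,
}


def parse_term(term: str) -> Predicate:
    """Turn one term ('>=10000', '1:11000', '10000-11000') into a predicate."""
    term = term.strip()
    m = _TERM_RE.match(term)
    if not m:
        raise ValueError(f"invalid Snort ID search term: {term!r}")
    op, first, dash, second, colon, third = m.groups()
    if op and (dash or colon):
        # Table 1 applies comparison operators to a bare SID only.
        raise ValueError(f"comparison operator not allowed on a range or GID:SID: {term!r}")
    if colon:
        # GID:SID must match both halves; a bare SID ignores the generator.
        gid, sid = int(first), int(third)
        return lambda g, s: g == gid and s == sid
    if dash:
        lo, hi = int(first), int(second)
        if lo > hi:
            raise ValueError(f"descending SID range: {term!r}")
        return lambda g, s: lo <= s <= hi
    bound, cmp = int(first), _COMPARE[op]
    return lambda g, s: cmp(s, bound)


def parse_search(expr: str) -> Predicate:
    """A comma-separated list matches if any of its terms matches (a union)."""
    preds = [parse_term(t) for t in expr.split(",") if t.strip()]
    if not preds:
        raise ValueError("empty Snort ID search")
    return lambda g, s: any(p(g, s) for p in preds)


def filter_events(events: Iterable[Event], expr: str) -> List[Event]:
    """Return the events whose (gid, sid) satisfy the search expression."""
    pred = parse_search(expr)
    return [e for e in events if pred(e["gid"], e["sid"])]


# Constructed sample events, not real FMC data. The "(GID:SID:REV)" tail on
# each message is an assumption about how the Message column renders the
# rule identity; gid and sid are carried as separate keys so the filter
# does not depend on parsing it.
SAMPLE_EVENTS = [
    {"gid": 1, "sid": 10000, "message": "CONSTRUCTED rule A (1:10000:3)"},
    {"gid": 1, "sid": 10500, "message": "CONSTRUCTED rule B (1:10500:1)"},
    {"gid": 3, "sid": 11000, "message": "CONSTRUCTED rule C (3:11000:2)"},
    {"gid": 1, "sid": 12000, "message": "CONSTRUCTED rule D (1:12000:5)"},
    {"gid": 129, "sid": 7, "message": "CONSTRUCTED preprocessor alert (129:7:1)"},
]


def matching_sids(expr: str) -> List[str]:
    """'gid:sid' strings of the sample events selected by a search expression."""
    return [f"{e['gid']}:{e['sid']}" for e in filter_events(SAMPLE_EVENTS, expr)]


if __name__ == "__main__":
    for expr in ("10000", "10000-11000", ">10000", "1:11000", "10000,1:11000,12000"):
        print(f"{expr:>22} -> {matching_sids(expr)}")
```

Note the difference between the bare SID 11000 and the pair 1:11000 against the sample data: the bare SID matches the event from generator 3, the GID:SID pair does not, which is exactly why the pair form is the safer constraint when preprocessor and rule generators reuse numbers.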
Source Continent
The continent of the sending host involved in the intrusion event.
Source Country
The country of the sending host involved in the intrusion event.
Source IP
The IP address used by the sending host involved in the intrusion event.
Source Port / ICMP Type
The port number on the sending host. For ICMP traffic, where there is no port number, this field displays the ICMP type.
Source User
The User ID for any known user logged in to the source host.
SSL Actual Action (search only)
The action the system applied to encrypted traffic:
- Block/Block with reset - Represents blocked encrypted connections.
- Decrypt (Resign) - Represents an outgoing connection decrypted using a re-signed server certificate.
- Decrypt (Replace Key) - Represents an outgoing connection decrypted using a self-signed server certificate with a substituted public key.
- Decrypt (Known Key) - Represents an incoming connection decrypted using a known private key.
- Default Action - Indicates the connection was handled by the default action.
- Do not Decrypt - Represents a connection the system did not decrypt.
Field values are displayed in the SSL Status field on the search workflow pages.
SSL Certificate Information (search only)
The information stored on the public key certificate used to encrypt traffic, including:
- Subject/Issuer Common Name
- Subject/Issuer Organization
- Subject/Issuer Organization Unit
- Not Valid Before/After
- Serial Number
- Certificate Fingerprint
- Public Key Fingerprint
SSL Failure Reason (search only)
The reason the system failed to decrypt encrypted traffic:
- Unknown
- No Match
- Success
- Uncached Session
- Unknown Cipher Suite
- Unsupported Cipher Suite
- Unsupported SSL Version
- SSL Compression Used
- Session Undecryptable in Passive Mode
- Handshake Error
- Decryption Error
- Pending Server Name Category Lookup
- Pending Common Name Category Lookup
- Internal Error
- Network Parameters Unavailable
- Invalid Server Certificate Handle
- Server Certificate Fingerprint Unavailable
- Cannot Cache Subject DN
- Cannot Cache Issuer DN
- Unknown SSL Version
- External Certificate List Unavailable
- External Certificate Fingerprint Unavailable
- Internal Certificate List Invalid
- Internal Certificate List Unavailable
- Internal Certificate Unavailable
- Internal Certificate Fingerprint Unavailable
- Server Certificate Validation Unavailable
- Server Certificate Validation Failure
- Invalid Action
Field values are displayed in the SSL Status field on the search workflow pages.
SSL Status
The action associated with the
SSL Actual Action (SSL rule, default action, or
undecryptable traffic action) that logged the encrypted connection.
If the system fails to decrypt an encrypted connection, it
displays the
SSL Actual Action (undecryptable traffic action)
taken, as well as the
SSL Failure Reason. For example, if the system
detects traffic encrypted with an unknown cipher suite and allows it without
further inspection, this field displays
Do Not Decrypt (Unknown Cipher Suite).
Click the lock icon to view certificate details.
When searching this field, enter one or more of the
SSL Actual Action and
SSL Failure Reason values to view encrypted traffic
the system handled or failed to decrypt.
SSL Subject/Issuer Country (search only)
A two-character ISO 3166-1 alpha-2 country code for the subject
or issuer country associated with the encryption certificate.
Time
The date and time of the event. This field is not searchable.
VLAN ID
The innermost VLAN ID associated with the packet that triggered
the intrusion event.
Web Application
The web application, which represents the content or requested
URL for HTTP traffic detected in the traffic that triggered the intrusion
event.
If the system detects an application protocol of HTTP but cannot
detect a specific web application, the system supplies a generic web browsing
designation here.
Web Application Category and Tag
Criteria that characterize the application to help you
understand the application's function.