The system can generate the following types of events. You must generate these events to see related statistics in the monitoring dashboards.
Data (Diagnostic) Events
Data logging provides syslog messages for events related to device and system health, and the network configuration, that are not related to connections. You configure connection logging within individual access control rules.
Data logging generates messages for features running on the data plane, that is, features that are defined in the CLI configuration that you can view with the show running-config command. This includes features such as routing, VPN, data interfaces, DHCP server, NAT, and so forth.
You can generate events for connections as users generate traffic that passes through the system. Enable connection logging on access rules to generate these events. You can also enable logging on Security Intelligence policies and SSL decryption rules to generate connection events.
Connection events contain data about the detected sessions. The information available for any individual connection event depends on several factors, but in general includes:
- Basic connection properties: timestamp, source and destination IP address, ingress and egress zones, the device that handled the connection, and so on.
- Additional connection properties discovered or inferred by the system: applications, requested URLs, or users associated with the connection, and so on.
- Metadata about why the connection was logged: which configuration handled the traffic, whether the connection was allowed or blocked, details about encrypted and decrypted connections, and so on
The system examines the packets that traverse your network for malicious activity that could affect the availability, integrity, and confidentiality of a host and its data. When the system identifies a possible intrusion, it generates an intrusion event, which is a record of the date, time, type of exploit, and contextual information about the source of the attack and its target. Intrusion events are generated for any intrusion rule set to block or alert, regardless of the logging configuration of the invoking access control rule.
File events represent files that the system detected, and optionally blocked, in network traffic based on your file policies. You must enable file logging on the access rule that applies the file policy to generate these events.
When the system generates a file event, the system also logs the end of the associated connection regardless of the logging configuration of the invoking access control rule.
The system can detect malware in network traffic as part of your overall access control configuration. AMP for Firepower can generate a malware event, containing the disposition of the resulting event, and contextual data about how, where, and when the malware was detected. You must enable file logging on the access rule that applies the file policy to generate these events.
The disposition of a file can change, for example, from clean to malware or from malware to clean. If AMP for Firepower queries the AMP cloud about a file, and the cloud determines the disposition has changed within a week of the query, the system generates retrospective malware events.
Security Intelligence Events
Security Intelligence events are a type of connection event generated by the Security Intelligence policy for each connection blacklisted (blocked) or monitored by the policy. All Security Intelligence events have a populated Security Intelligence Category field.
For each of these events, there is a corresponding “regular” connection event. Because the Security Intelligence policy is evaluated before many other security policies, including access control, when a connection is blocked by Security Intelligence, the resulting event does not contain the information that the system would have gathered from subsequent evaluation, for example, user identity.