About Detection of Host, Application, and User Data

Network discovery policies can only be configured for Secure Firewall Threat Defense devices that send events to a Network Analytics Manager. (The Network Analytics Manager is an on-premises Secure Firewall Management Center that is configured to provide event analytics only.)

The system uses network discovery and identity policies to collect host, application, and user data for traffic on your network. You can use certain types of discovery and identity data to build a comprehensive map of your network assets, perform forensic analysis, behavioral profiling, access control, and mitigate and respond to the vulnerabilities and exploits to which your organization is susceptible.

Host and Application Data

Host and application data is collected by host identity sources and application detectors according to the settings in your network discovery policy. Managed devices observe traffic on the network segments you specify.

For more information, see Host and Application Detection Fundamentals.

User Data

User data is collected by user identity sources according to the settings in your network discovery and identity policies. You can use the data for user awareness and user control.

For more information, see About User Identity.

Logging discovery and identity data allows you to take advantage of many features in the system, including:

  • Viewing the network map, which is a detailed representation of your network assets and topology that you can view by grouping hosts and network devices, host attributes, application protocols, or vulnerabilities.

  • Performing application and user control; that is, writing access control rules using application, realm, user, user group, and ISE attribute conditions.

  • Viewing host profiles, which are complete views of all the information available for your detected hosts.

  • Viewing dashboards, which (among other capabilities) can provide you with an at-a-glance view of your network assets and user activity.

  • Viewing detailed information on the discovery events and user activity logged by the system.

  • Associating hosts and any servers or clients they are running with the exploits to which they are susceptible.

    This enables you to identify and mitigate vulnerabilities, evaluate the impact that intrusion events have on your network, and tune intrusion rule states so that they provide maximum protection for your network assets

  • Alerting you by email, SNMP trap, or syslog when the system generates either an intrusion event with a specific impact flag, or a specific type of discovery event

  • Monitoring your organization’s compliance with an allow list of allowed operating systems, clients, application protocols, and protocols

  • Creating correlation policies with rules that trigger and generate correlation events when the system generates discovery events or detects user activity

  • Logging and using NetFlow connections, if applicable.