Select Event Types

In this step, you can specify the type of events that you want to send to Splunk. The recommended event types are selected by default. However, you can modify the default source for the event types.

Procedure


Step 1

To specify the event source for the event types, from the Source drop-down list, choose FTD or FMC, as applicable. The system default event sources are listed in this table.

| Event type | Source (Default) | Applicable sources (Firewall Threat Defense, Firewall Management Center, or both) |
|---|---|---|
| Connection—Security or All (Security sends only high-priority connection events; All sends all connection events) | Firewall Threat Defense | Both |
| Intrusion | Firewall Management Center | Both |
| AMP/Retrospective | Firewall Management Center | Firewall Management Center |
| File/Malware | Firewall Threat Defense | Both |
| User activity | Disabled | Firewall Management Center |
| Correlation | Disabled | Firewall Management Center |
| Discovery | Disabled | Firewall Management Center |
| Intrusion packet | Disabled | Both |

Important

Sending connection events from the Management Center may cause performance issues.

Note

Sending intrusion events from the Threat Defense devices will not include impact flags.

Step 2

After selection, to reset to default settings, click Revert to system defaults.

Step 3

(Optional) To cancel the creation of the Splunk profile, click Cancel.

Step 4

(Optional) To go back to the previous step, click Back.

Step 5

To move to the next step in the Splunk configuration, click Next.