View EVE Events

After enabling the Encrypted Visibility Engine and deploying your access control policy, you can start sending live traffic through your system. You can view the logged connection events on the Connection Events page. To access the connection events in the management center:

Procedure


Step 1

Click Analysis > Connections > Events.

Step 2

Click the Table View of Connection Events tab.

You can also view the connection event fields in the Unified Events viewer, which is under the Analysis menu.

Encrypted Visibility Engine can identify the client process that initiated a connection, the OS on the client, and whether the process contains malware.

Step 3

On the Connection Events page, view the following columns, which are added for Encrypted Visibility Engine. Note that you must explicitly enable these columns.

  • Encrypted Visibility Process Name

  • Encrypted Visibility Process Confidence Score

  • Encrypted Visibility Threat Confidence

  • Encrypted Visibility Threat Confidence Score

  • Detection Type

For information about these fields, see the section Connection and Security Intelligence Event Fields in the Connection and Security-Related Connection Events chapter of the Cisco Secure Firewall Management Center Administration Guide.

Note

On the Connection Events page, if processes are assigned applications, the Detection Type column displays Encrypted Visibility Engine, indicating that the client application was identified by EVE. Without application assignments to process names, the Detection Type column displays AppID, indicating that the engine that identified the client application was AppID.
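
Once the columns from Step 3 are enabled, the same fields can be triaged offline. The script below is an added example, not part of the Cisco documentation or product. It assumes the table has been saved as CSV with the column headings above as header names, that scores are integers, and that an Initiator IP column is present; the rows and the threshold of 90 are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Column headings as listed in Step 3 (assumed to be the export's header names).
PROCESS = "Encrypted Visibility Process Name"
THREAT_SCORE = "Encrypted Visibility Threat Confidence Score"
DETECTION = "Detection Type"

# Constructed sample rows, not real events. "Initiator IP" is an assumed extra column.
SAMPLE_CSV = """\
Initiator IP,Encrypted Visibility Process Name,Encrypted Visibility Process Confidence Score,Encrypted Visibility Threat Confidence,Encrypted Visibility Threat Confidence Score,Detection Type
10.0.0.5,firefox,98,Very Low,0,Encrypted Visibility Engine
10.0.0.7,example-process,91,Very High,99,Encrypted Visibility Engine
10.0.0.9,unmapped-process,64,Medium,55,AppID
10.0.0.11,,,,,AppID
"""


def parse_score(cell):
    """Return the score as an int, or None when the cell is empty or non-numeric."""
    try:
        return int((cell or "").strip())
    except ValueError:
        return None


def triage(csv_text, min_threat_score=90):
    """Count rows per Detection Type and list rows at or above the threat score."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_detection = Counter(row.get(DETECTION, "") for row in rows)
    flagged = []
    for row in rows:
        score = parse_score(row.get(THREAT_SCORE))
        if score is not None and score >= min_threat_score:
            flagged.append((score, row.get(PROCESS, ""), row.get("Initiator IP", "")))
    flagged.sort(reverse=True)  # highest threat score first
    return by_detection, flagged


if __name__ == "__main__":
    counts, hits = triage(SAMPLE_CSV)
    print(dict(counts))
    for score, process, src in hits:
        print(f"{score:3d}  {process}  {src}")
```

Rows with empty Encrypted Visibility cells are counted under their Detection Type but never flagged, so connections that have no score are not mistaken for low-risk ones with a score of 0.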