Connection and Security-Related Connection Event Fields

Note
You cannot use the Connection/Security-Related Connection Events search page to search for events associated with a connection.
Access Control Policy (Syslog: ACPolicy)

The access control policy that monitored the connection.

Access Control Rule (Syslog: AccessControlRuleName)

The access control rule or default action that handled the connection, as well as up to eight Monitor rules matched by that connection.

If the connection matched one Monitor rule, the Secure Firewall Management Center displays the name of the rule that handled the connection, followed by the Monitor rule name. If the connection matched more than one Monitor rule, the number of matching Monitor rules is displayed, for example, Default Action + 2 Monitor Rules.

To display a pop-up window with a list of the first eight Monitor rules matched by the connection, click N Monitor Rules.

Action (Syslog: AccessControlRuleAction)

The action associated with the configuration that logged the connection.

For Security Intelligence-monitored connections, the action is that of the first non-Monitor access control rule triggered by the connection, or the default action. Similarly, because traffic matching a Monitor rule is always handled by a subsequent rule or by the default action, the action associated with a connection logged due to a Monitor rule is never Monitor. However, you can still trigger correlation policy violations on connections that match Monitor rules.

Action

Description

Allow

Connections either allowed by access control explicitly, or allowed because a user bypassed an interactive block.

Block, Block with reset

Blocked connections, including:

  • tunnels and other connections blocked by the prefilter policy.

  • connections blocked by Security Intelligence.

  • encrypted connections blocked by an SSL policy.

  • connections where an exploit was blocked by an intrusion policy.

  • connections where a file (including malware) was blocked by a file policy.

For connections where the system blocks an intrusion or file, the system displays Block, even though you use access control Allow rules to invoke deep inspection.

Fastpath

Non-encrypted tunnels and other connections fastpathed by the prefilter policy.

Interactive Block, Interactive Block with reset

Connections logged when the system initially blocks a user’s HTTP request using an Interactive Block rule. If the user clicks through the warning page that the system displays, additional connections logged for the session have an action of Allow.

Trust

Connections trusted by access control. The system logs trusted TCP connections differently depending on the device model.

Default Action

Connections handled by the access control policy's default action.

(Blank/empty)

The connection closed before enough packets had passed to match a rule.

This can happen only if a facility other than access control, such as intrusion prevention, causes the connection to be logged.

Application Protocol (Syslog: ApplicationProtocol)

In the Secure Firewall Management Center web interface, this value constrains summaries and graphs.

The application protocol, which represents communications between hosts, detected in the connection.

Application Protocol Category and Tag

Criteria that characterize the application to help you understand the application's function.

Application Risk

The risk associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated risk; this field displays the highest of those.

Business Relevance

The business relevance associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those.

Client and Client Version (Syslog: Client, ClientVersion)

The client application and version of that client detected in the connection.

If the system cannot identify the specific client used in the connection, the field displays the word "client" appended to the application protocol name to provide a generic name, for example, FTP client.

Client Category and Tag

Criteria that characterize the application to help you understand the application's function.

Connection Counter (Syslog Only)

A counter that distinguishes one connection from another simultaneous connection. This field has no significance on its own.

The following fields collectively uniquely identify a connection event: DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.

Connection Instance ID (Syslog Only)

The Snort instance that processed the connection event. This field has no significance on its own.

The following fields collectively uniquely identify a connection event: DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.

ConnectionDuration (Syslog Only)

This field exists ONLY as a syslog field; it does not exist in the Secure Firewall Management Center web interface. (The web interface conveys this information using the First Packet and Last Packet columns.)

This field has a value only when logging occurs at the end of the connection. For a start-of-connection syslog message, this field is not output, as it is not known at that time.

For an end-of-connection syslog message, this field indicates the number of seconds between the first packet and the last packet, which may be zero for a short connection. For example, if the timestamp of the syslog is 12:34:56 and the ConnectionDuration is 5, then the first packet was seen at 12:34:51.

Connections

The number of connections in a connection summary. For long-running connections, that is, connections that span multiple connection summary intervals, only the first connection summary interval is incremented. To view meaningful results for searches using the Connections criterion, use a custom workflow that has a connection summary page.

Count

The number of connections that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows. If you create a custom workflow and do not add the Count column to a drill-down page, each connection is listed individually and packets and bytes are not summed.

Decrypt Peer

The IP address of the VPN peer (peer’s IKE address) which decrypts the packet for the associated connection.

To view the VPN peer IP address, you must configure the logging settings of the access control rule to log at both the beginning and the end of the connection. If you enable the bypass Access Control Policy for decrypted traffic (sysopt connection permit-vpn) option, you cannot view details for decrypted traffic.

Detection Type (Syslog: DetectionType)

This field shows the source of detection of a client application. It can be AppID or Encrypted Visibility.

Destination Port/ICMP Code (Syslog: Separate fields - DstPort, ICMPCode)

In the Secure Firewall Management Center web interface, these values constrain summaries and graphs.

The port or ICMP code used by the session responder.

DestinationSecurityGroup (Syslog Only)

This field holds the text value associated with the numeric value in DestinationSecurityGroupTag, if available. If the group name is not available as a text value, then this field contains the same integer value as the DestinationSecurityGroupTag field.

DestinationSecurityGroupType (Syslog Only)

This field displays the source from which a security group tag was obtained.

Value

Description

Inline

Destination SGT value is from the packet.

Session Directory

Destination SGT value is from ISE via the session directory topic.

SXP

Destination SGT value is from ISE via the SXP topic.

Destination SGT (Syslog: DestinationSecurityGroupTag)

The numeric Security Group Tag (SGT) attribute of the destination involved in the connection.

The Destination SGT value is obtained from the source specified in the DestinationSecurityGroupType field.

Detection Type

This field shows the source of detection of a client.

Device

In the Secure Firewall Management Center web interface, this value constrains summaries and graphs.

The managed device that detected the connection or, for connections generated from NetFlow data, the managed device that processed the data.

DeviceUUID (Syslog Only)

The unique identifier of the firewall device that generated an event.

The following fields collectively uniquely identify a connection event: DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.

DNS Query (Syslog: DNSQuery)

The DNS query submitted in a connection to the name server to look up a domain name.

This field can also hold the domain name for URL filtering matches when DNS filtering is enabled. In this case, the URL field will be blank and the URL Category and URL Reputation fields contain the values associated with the domain.

For more information about DNS filtering, see DNS Filtering: Identify URL Reputation and Category During DNS Lookup.

DNS Record Type (Syslog: DNSRecordType)

The type of the DNS resource record used to resolve a DNS query submitted in a connection.

DNS Response (Syslog: DNSResponseType)

The DNS response returned in a connection to the name server when queried.

DNS Sinkhole Name (Syslog: DNS_Sinkhole)

The name of the sinkhole server where the system redirected a connection.

DNS TTL (Syslog: DNS_TTL)

The number of seconds a DNS server caches the DNS resource record.

Domain

The domain of the managed device that detected the connection or, for connections generated from NetFlow data, the domain of the managed device that processed the data. This field is only present if you have ever configured the management center for multitenancy.

Encrypt Peer

The IP address of the VPN peer (peer’s IKE address) which encrypts the packet for the associated connection.

To view the VPN peer IP address, you must configure the logging settings of the access control rule to log at both the beginning and the end of the connection.

Encrypted Visibility Fingerprint (Syslog: EncryptedVisibilityFingerprint)

The TLS fingerprint detected by the Encrypted Visibility Engine (EVE) for the session.

Encrypted Visibility Process Name (Syslog: EncryptedVisibilityProcessName)

Process or client in the TLS client hello packet that was analyzed by the Encrypted Visibility Engine (EVE).

Encrypted Visibility Confidence Score (Syslog: EncryptedVisibilityConfidenceScore)

The confidence value in the range 0-100% that the encrypted visibility engine has detected the right process. For example, if the process name is Firefox and if the confidence score is 80%, it means that the engine is 80% confident that the process it has detected is Firefox.

Encrypted Visibility Threat Confidence (Syslog: EncryptedVisibilityThreatConfidence)

The probability level that the process detected by the encrypted visibility engine contains a threat. This field indicates the band (Very High, High, Medium, Low, or Very Low) derived from the threat confidence score.

Encrypted Visibility Threat Confidence Score (Syslog: EncryptedVisibilityThreatConfidenceScore)

The confidence value in the range 0-100% that the process detected by the encrypted visibility engine contains a threat. If the threat confidence score is very high, say 90%, then the Encrypted Visibility Process Name field displays "Malware."

Endpoint Location

The IP address of the network device that used ISE to authenticate the user, as identified by ISE.

Endpoint Profile (Syslog: Endpoint Profile)

The user's endpoint device type, as identified by ISE.

Event Priority (Syslog Only)

Whether or not the connection event is a high priority event. High priority events are connection events that are associated with an intrusion, Security Intelligence, file, or malware event. All other events are Low priority.

Files (Syslog: FileCount)

The number of files (including malware files) detected or blocked in a connection associated with one or more file events.

In the Secure Firewall Management Center web interface, the View Files icon links to a list of files. The number on the icon indicates the number of files (including malware files) detected or blocked in that connection.

First Packet or Last Packet (Syslog: See the ConnectionDuration field)

The date and time the first or last packet of the session was seen.

First Packet Time (Syslog Only)

The time the system encountered the first packet.

The following fields collectively uniquely identify a connection event: DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.

HTTP Referrer (Syslog: HTTPReferer)

The HTTP referrer, which represents the referrer of a requested URL for HTTP traffic detected in the connection (such as a website that provided a link to, or imported a link from, another URL).

HTTP Response Code (Syslog: HTTPResponse)

The HTTP status code sent in response to a client's HTTP request over a connection.

Ingress/Egress Interface (Syslog: IngressInterface, EgressInterface)

The ingress or egress interface associated with the connection. If your deployment includes an asymmetric routing configuration, the ingress and egress interface may not belong to the same inline pair.

Ingress/Egress Security Zone (Syslog: IngressZone, EgressZone)

The ingress or egress security zone associated with the connection.

For rezoned encapsulated connections, the ingress field displays the tunnel zone you assigned, instead of the original ingress security zone. The egress field is blank.

Ingress Virtual Router/Egress Virtual Router (Syslog: IngressVRF, EgressVRF)

In networks using virtual routing, the names of the virtual routers through which traffic entered and exited the network.

Initiator/Responder Bytes (Syslog: InitiatorBytes, ResponderBytes)

The total number of bytes transmitted by the session initiator or received by the session responder.

Initiator/Responder Continent

When a routable IP is detected, the continent associated with the IP address for the session initiator or responder.

Initiator/Responder Country

When a routable IP is detected, the country associated with the IP address of the session initiator or responder. The system displays an icon of the country’s flag, and the country’s ISO 3166-1 alpha-3 country code. Hover your pointer over the flag icon to view the country’s full name.

Initiator/Responder IP (Syslog: SrcIP, DstIP)

In the Secure Firewall Management Center web interface, these values constrain summaries and graphs.

The IP address (and host name, if DNS resolution is enabled) of the session initiator or responder.

In the Secure Firewall Management Center web interface, the host icon identifies the IP address that caused the connection to be blocked.

For plaintext, passthrough tunnels either blocked or fastpathed by the prefilter policy, initiator and responder IP addresses represent the tunnel endpoints—the routed interfaces of the network devices on either side of the tunnel.

Initiator/Responder Packets (Syslog: InitiatorPackets, ResponderPackets)

The total number of packets transmitted by the session initiator or received by the session responder.

Initiator User (Syslog: User)

In the Secure Firewall Management Center web interface, this value constrains summaries and graphs.

The user logged into the session initiator. If this field is populated with No Authentication, the user traffic:

  • matched an access control policy without an associated identity policy

  • did not match any rules in the identity policy

If applicable, the username is preceded by <realm>\.

Intrusion Events (Syslog: IPSCount)

The number of intrusion events, if any, associated with the connection.

In the Secure Firewall Management Center web interface, the View Intrusion Events icon links to a list of events.

IOC

Whether the event triggered an indication of compromise (IOC) against a host involved in the connection.

MITRE ATT&CK

Progression graph for viewing the progress of an attack in the ATT&CK framework at any given time during an event. Supports an expanded view in a new pane, detailing MITRE tactics, techniques, and progression graphs.

  • Click the progression graph to see the details of the MITRE ATT&CK for an event. The MITRE ATT&CK window shows the tactic, technique, subtechnique, and the link to the MITRE page.

  • In the window showing the details, click Details to view the general description of the technique.

NAT Source/Destination IP (Syslog: NAT_InitiatorIP, NAT_ResponderIP)

The NAT translated IP address of the session initiator or responder.

NAT Source/Destination Port (Syslog: NAT_InitiatorPort, NAT_ResponderPort)

The NAT translated port of the session initiator or responder.

NetBIOS Domain (Syslog: NetBIOSDomain)

The NetBIOS domain used in the session.

NetFlow SNMP Input/Output

For connections generated from NetFlow data, the interface index for the interface where connection traffic entered or exited the NetFlow exporter.

NetFlow Source/Destination Autonomous System

For connections generated from NetFlow data, the border gateway protocol autonomous system number for the source or destination of traffic in the connection.

NetFlow Source/Destination Prefix

For connections generated from NetFlow data, the source or destination IP address ANDed with the source or destination prefix mask.

NetFlow Source/Destination TOS

For connections generated from NetFlow data, the setting for the type-of-service (TOS) byte when connection traffic entered or exited the NetFlow exporter.

Network Analysis Policy (Syslog: NAPPolicy)

The network analysis policy (NAP), if any, associated with the generation of the event.

Original Client Country

The country where the original client IP address belongs. To obtain this value, the system extracts the original client IP address from an X-Forwarded-For (XFF), True-Client-IP, or custom-defined HTTP header, then maps it to the country using the geolocation database (GeoDB). To populate this field, you must enable an access control rule that handles proxied traffic based on its original client.

Original Client IP (Syslog: originalClientSrcIP)

The original client IP address from an X-Forwarded-For (XFF), True-Client-IP, or custom-defined HTTP header. To populate this field, you must enable an access control rule that handles proxied traffic based on its original client.

Other Enrichment

Non-MITRE information associated with an event that supports an expanded view.

Prefilter Policy (Syslog: Prefilter Policy)

The prefilter policy that handled the connection.

Protocol (Syslog: Protocol)

In the Secure Firewall Management Center web interface:

  • This value constrains summaries and graphs.

  • This field is available only as a search field.

The transport protocol used in the connection. To search for a specific protocol, use the protocol name or number as listed in http://www.iana.org/assignments/protocol-numbers.

QoS-Applied Interface

For rate-limited connections, the name of the interface where you applied rate limiting.

QoS-Dropped Initiator/Responder Bytes

The number of bytes dropped from the session initiator or session responder due to rate limiting.

QoS-Dropped Initiator/Responder Packets

The number of packets dropped from the session initiator or session responder due to rate limiting.

QoS Policy

The QoS policy that rate limited the connection.

QoS Rule

The QoS rule that rate limited the connection.

QUIC Session ID

A 64-bit internal session identifier that uniquely identifies a QUIC connection within the firewall.

QUIC Stream ID

A 62-bit stream identifier to uniquely identify a stream within a QUIC connection.

Reason (Syslog: AccessControlRuleReason)

The reason or reasons the connection was logged, in many situations.

Connections with a Reason of IP Block, DNS Block, and URL Block have a threshold of 15 seconds per unique initiator-responder pair. After the system blocks one of those connections, it does not generate connection events for additional blocked connections between those two hosts for the next 15 seconds, regardless of port or protocol.

Referenced Host (Syslog: ReferencedHost)

If the protocol in the connection is HTTP or HTTPS, this field displays the host name that the respective protocol was using.

SecIntMatchingIP (Syslog Only)

Which IP address matched.

Possible values: None, Destination, or Source.

Security Context (Syslog: Context)

For connections handled by ASA FirePOWER in multiple context mode, the metadata identifying the virtual firewall group through which the traffic passed.

Security Intelligence Category (Syslog: URLSICategory, DNSSICategory, IPReputationSICategory)

The name of the object that represents or contains the IP address that caused the connection to be blocked. The Security Intelligence category can be the name of a network object or group, a Block list, a custom Security Intelligence list or feed, or one of the categories in the Intelligence Feed.

In the Secure Firewall Management Center web interface, DNS, Network (IP address), and URL Security Intelligence connection events are combined into a single category field. In syslog messages, each type is reported in its own field.

Security-related connection events include security intelligence events and other connection events such as the ones that triggered intrusion or malware events. The Security Intelligence Summary workflow displays all the security intelligence events by their category and count. The events without a security intelligence category are grouped and displayed with the count only.

For more information about the categories in the Intelligence Feed, see Security Intelligence Categories.

Source Device

In the Secure Firewall Management Center web interface, this value constrains summaries and graphs.

The IP address of the NetFlow exporter that broadcast the data used to generate the connection event. If the connection was detected by a managed device, this field displays Firepower.

Source Port/ICMP Type (Syslog: SrcPort, ICMPType)

In the Secure Firewall Management Center web interface, these values constrain summaries and graphs.

The port or ICMP type used by the session initiator.

SourceSecurityGroup (Syslog Only)

This field holds the text value associated with the numeric value in SourceSecurityGroupTag, if available. If the group name is not available as a text value, then this field contains the same integer value as the SourceSecurityGroupTag field. Tags can be obtained from inline devices (no source SGT name specified) or from ISE (which specifies a source).

SourceSecurityGroupType (Syslog Only)

This field displays the source from which a security group tag was obtained.

Value

Description

Inline

Source SGT value is from the packet.

Session Directory

Source SGT value is from ISE via the session directory topic.

SXP

Source SGT value is from ISE via the SXP topic.

Source SGT (Syslog: SourceSecurityGroupTag)

The numeric representation of the Security Group Tag (SGT) attribute of the packet involved in the connection. The SGT specifies the privileges of a traffic source within a trusted network. Security Group Access (a feature of both Cisco TrustSec and Cisco ISE) applies the attribute as packets enter the network.

SSL Actual Action (Syslog: SSLActualAction)

In the Secure Firewall Management Center web interface, this field is a search field only.

The system displays field values in the SSL Status field on search workflow pages.

The action the system applied to encrypted traffic in the SSL policy.

Action

Description

Block/Block with reset

Represents blocked encrypted connections.

Decrypt (Resign)

Represents an outgoing connection decrypted using a re-signed server certificate.

Decrypt (Replace Key)

Represents an outgoing connection decrypted using a self-signed server certificate with a substituted public key.

Decrypt (Known Key)

Represents an incoming connection decrypted using a known private key.

Default Action

Indicates the connection was handled by the default action.

Do not Decrypt

Represents a connection the system did not decrypt.

SSL Certificate Information (Syslog: SSLCertificate)

In the Secure Firewall Management Center web interface, this field is a search field only.

The information stored on the public key certificate used to encrypt traffic, including:

  • Subject/Issuer Common Name

  • Subject/Issuer Organization

  • Subject/Issuer Organization Unit

  • Not Valid Before/After

  • Serial Number

  • Certificate Fingerprint

  • Public Key Fingerprint

SSL Certificate Status (Syslog: SSLServerCertStatus)

This applies only if you configured a Certificate Status SSL rule condition. If encrypted traffic matches an SSL rule, this field displays one or more of the following server certificate status values:

  • Self Signed

  • Valid

  • Invalid Signature

  • Invalid Issuer

  • Expired

  • Unknown

  • Not Valid Yet

  • Revoked

If undecryptable traffic matches an SSL rule, this field displays Not Checked.

SSL Cipher Suite (Syslog: SSLCipherSuite)

A macro value representing a cipher suite used to encrypt the connection. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml for cipher suite value designations.

SSL Encryption applied to the connection

This field is available only as a search field in the Secure Firewall Management Center web interface.

Enter yes or no in the SSL search field to view TLS/SSL-encrypted or non-encrypted connections.

SSL Expected Action (Syslog: SSLExpectedAction)

In the Secure Firewall Management Center web interface, this field is a search field only.

The action the system expected to apply to encrypted traffic, given the SSL rule in effect.

Enter any of the values listed for SSL Actual Action.

SSL Failure Reason (Syslog: SSLFlowStatus)

The reason the system failed to decrypt encrypted traffic:

  • Unknown

  • No Match

  • Success

  • Uncached Session

  • Unknown Cipher Suite

  • Unsupported Cipher Suite

  • Unsupported SSL Version

  • SSL Compression Used

  • Session Undecryptable in Passive Mode

  • Handshake Error

  • Decryption Error

  • Pending Server Name Category Lookup

  • Pending Common Name Category Lookup

  • Internal Error

  • Incomplete Handshake

  • Network Parameters Unavailable

  • Invalid Server Certificate Handle

  • Server Certificate Fingerprint Unavailable

  • Cannot Cache Subject DN

  • Cannot Cache Issuer DN

  • Unknown SSL Version

  • External Certificate List Unavailable

  • External Certificate Fingerprint Unavailable

  • Internal Certificate List Invalid

  • Internal Certificate List Unavailable

  • Internal Certificate Unavailable

  • Internal Certificate Fingerprint Unavailable

  • Server Certificate Validation Unavailable

  • Server Certificate Validation Failure

  • Invalid Action

Field values are displayed in the SSL Status field on the search workflow pages.

SSL Flow Error

The error name and hexadecimal code if an error occurred during the TLS/SSL session; Success if no error occurred.

SSL Flow Flags

The first ten debugging level flags for an encrypted connection. On a workflow page, to view all flags, click the ellipsis (...).

The message OVER_SUBSCRIBED is displayed if your managed device is overloaded.

SSL Flow Messages

The keywords below indicate encrypted traffic is associated with the specified message type exchanged between client and server during the TLS/SSL handshake. See http://tools.ietf.org/html/rfc5246 for more information.

  • HELLO_REQUEST

  • CLIENT_ALERT

  • SERVER_ALERT

  • CLIENT_HELLO

  • SERVER_HELLO

  • SERVER_CERTIFICATE

  • SERVER_KEY_EXCHANGE

  • CERTIFICATE_REQUEST

  • SERVER_HELLO_DONE

  • CLIENT_CERTIFICATE

  • CLIENT_KEY_EXCHANGE

  • CERTIFICATE_VERIFY

  • CLIENT_CHANGE_CIPHER_SPEC

  • CLIENT_FINISHED

  • SERVER_CHANGE_CIPHER_SPEC

  • SERVER_FINISHED

  • NEW_SESSION_TICKET

  • HANDSHAKE_OTHER

  • APP_DATA_FROM_CLIENT

  • APP_DATA_FROM_SERVER

  • SERVER_NAME_MISMATCH

    The server certificate seen in the session has a Common Name or SAN values not corresponding to the destined domain name.

  • CERTIFICATE_CACHE_HIT

    A certificate matching the destined domain name was found in the cache.

  • CERTIFICATE_CACHE_MISS

    A certificate matching the destined domain name was not found in the cache.

The message HEARTBEAT is displayed if applications are using the TLS/SSL heartbeat extension. For more information, see About TLS Heartbeat.

SSL Policy (Syslog: SSLPolicy)

The SSL policy that handled the connection.

If TLS server identity discovery is enabled in the access control policy advanced settings, and there is no SSL policy associated with the access control policy, this field holds none for all SSL events.

SSL Rule (Syslog: SSLRuleName)

The SSL rule or default action that handled the connection, as well as the first Monitor rule matched by that connection. If the connection matched a Monitor rule, the field displays the name of the rule that handled the connection, followed by the Monitor rule name.

SSLServerName (Syslog Only)

This field exists ONLY as a syslog field; it does not exist in the Secure Firewall Management Center web interface.

Hostname of the server with which the client established an encrypted connection.

SSL Session ID (Syslog: SSLSessionID)

The hexadecimal Session ID negotiated between the client and server during the TLS/SSL handshake.

SSL Status

The action associated with the SSL Actual Action (SSL rule, default action, or undecryptable traffic action) that logged the encrypted connection. The Lock icon links to SSL certificate details. If the certificate is unavailable (for example, for connections blocked due to TLS/SSL handshake error), the lock icon is dimmed.

If the system fails to decrypt an encrypted connection, it displays the SSL Actual Action (undecryptable traffic action) taken, as well as the SSL Failure Reason. For example, if the system detects traffic encrypted with an unknown cipher suite and allows it without further inspection, this field displays Do Not Decrypt (Unknown Cipher Suite).

If the SSL handshake of an encrypted connection is incomplete and the system fails to decrypt the traffic, the SSL Status field displays Unknown (Incomplete Handshake).

When searching this field, enter one or more of the SSL Actual Action and SSL Failure Reason values to view encrypted traffic the system handled or failed to decrypt.
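Several of the syslog fields in this reference only become useful in a SIEM once they are combined: ConnectionDuration (to recover the first-packet time from an end-of-connection message), the three per-type Security Intelligence category fields, the IPSCount and FileCount values that decide Event Priority, and SSLActualAction plus SSLFlowStatus, which together make up the SSL Status column. The Python below is an added example, not Cisco code; its sample messages are constructed, and the comma-separated "Key: Value" layout, the syslog header and the message IDs in them are assumptions about what a collector receives.

```python
"""Normalize Secure Firewall connection-event syslog messages using the
field semantics in this reference (added example; not Cisco code)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample messages, not captured device output. Assumed layout: a
# syslog header (timestamp, host, message ID) followed by comma-separated
# "Key: Value" pairs using the syslog field names from this reference. Adjust
# LINE_RE and the splitter in parse_event() if your collector differs.
SAMPLE_END = (
    "2024-05-01T12:34:56Z ftd-edge-1 %FTD-6-430003: "
    "DeviceUUID: 11111111-2222-3333-4444-555555555555, "
    "AccessControlRuleAction: Block, AccessControlRuleReason: IP Block, "
    "SrcIP: 10.1.2.3, DstIP: 203.0.113.10, SrcPort: 51514, DstPort: 443, "
    "Protocol: tcp, ConnectionDuration: 5, IPSCount: 0, FileCount: 0, "
    "IPReputationSICategory: Attackers, "
    "SSLActualAction: Do Not Decrypt, SSLFlowStatus: Unknown Cipher Suite"
)
SAMPLE_START = (
    "2024-05-01T12:35:10Z ftd-edge-1 %FTD-6-430002: "
    "DeviceUUID: 11111111-2222-3333-4444-555555555555, "
    "AccessControlRuleAction: Allow, SrcIP: 10.1.2.4, DstIP: 198.51.100.7, "
    "SrcPort: 40210, DstPort: 443, Protocol: tcp, IPSCount: 0, FileCount: 0, "
    "SSLActualAction: Decrypt (Resign), SSLFlowStatus: Success"
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msgid>\S+):\s+(?P<body>.*)$"
)


def parse_event(line: str) -> dict:
    """Split one syslog line into a dict of field name -> string value."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognized syslog line")
    fields = {"_timestamp": m["ts"], "_host": m["host"]}
    for pair in m["body"].split(", "):
        key, sep, value = pair.partition(": ")
        if sep:  # skip anything that is not a Key: Value pair
            fields[key.strip()] = value.strip()
    return fields


def first_packet_time(fields: dict) -> datetime:
    """ConnectionDuration is present only on end-of-connection messages and
    counts the seconds from first to last packet, so the first packet was seen
    at (syslog timestamp - ConnectionDuration): 12:34:56 minus 5 s is 12:34:51.
    A start-of-connection message carries no duration; its own timestamp is
    the best available first-packet time."""
    ts = datetime.fromisoformat(fields["_timestamp"].replace("Z", "+00:00"))
    duration = fields.get("ConnectionDuration")
    return ts - timedelta(seconds=int(duration)) if duration is not None else ts


def ssl_status(fields: dict) -> str:
    """Rebuild the web interface's SSL Status column from the syslog fields:
    SSLActualAction, qualified by SSLFlowStatus when decryption did not
    succeed, e.g. 'Do Not Decrypt (Unknown Cipher Suite)'. A flow with no
    actual action (incomplete handshake) shows as 'Unknown (...)'."""
    action = fields.get("SSLActualAction") or "Unknown"
    reason = fields.get("SSLFlowStatus")
    if not reason or reason == "Success":
        return action
    return f"{action} ({reason})"


SI_CATEGORY_FIELDS = ("URLSICategory", "DNSSICategory", "IPReputationSICategory")


def security_intelligence_category(fields: dict) -> Optional[str]:
    """The web interface folds the three per-type syslog fields into a single
    Security Intelligence Category column; do the same before indexing."""
    for key in SI_CATEGORY_FIELDS:
        if fields.get(key):
            return fields[key]
    return None


def event_priority(fields: dict) -> str:
    """High when the connection is tied to an intrusion, Security Intelligence,
    file or malware event (malware files are counted in FileCount); else Low."""
    if int(fields.get("IPSCount", 0)) or int(fields.get("FileCount", 0)):
        return "High"
    return "High" if security_intelligence_category(fields) else "Low"


if __name__ == "__main__":
    for line in (SAMPLE_END, SAMPLE_START):
        f = parse_event(line)
        print(f["SrcIP"], "->", f["DstIP"], first_packet_time(f).time(),
              ssl_status(f), security_intelligence_category(f), event_priority(f))
```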

SSL Subject/Issuer Country

This field is available only in the Secure Firewall Management Center web interface, and only as a search field.

A two-character ISO 3166-1 alpha-2 country code for the subject or issuer country associated with the encryption certificate.

SSL Ticket ID (Syslog: SSLTicketID)

A hexadecimal hash value of the session ticket information sent during the TLS/SSL handshake.

SSLURLCategory (Syslog Only)

URL categories for the URL visited in the encrypted connection.

This field exists ONLY as a syslog field; in the Secure Firewall Management Center web interface, values in this field are included in the URL Category column.

See also URL.

SSL Version (Syslog: SSLVersion)

The TLS/SSL protocol version used to encrypt the connection:

  • Unknown

  • SSLv2.0

  • SSLv3.0

  • TLSv1.0

  • TLSv1.1

  • TLSv1.2

  • TLSv1.3

TCP Flags (Syslog: TCPFlags)

For connections generated from NetFlow data, the TCP flags detected in the connection.

When searching this field, enter a list of comma-separated TCP flags to view all connections that have at least one of those flags.

Time

The ending time of the five-minute interval that the system used to aggregate connections in a connection summary. This field is not searchable.

Total Packets

This field is available only as a search field.

The total number of packets transmitted in the connection.

Traffic (KB)

This field is available only as a search field.

The total amount of data transmitted in the connection, in kilobytes.

Tunnel/Prefilter Rule (Syslog: Tunnel or Prefilter Rule)

The tunnel rule, prefilter rule, or prefilter policy default action that handled the connection.

URL, URL Category, and URL Reputation (Syslog: URL, URLCategory and SSLURLCategory, URLReputation)

The URL requested by the monitored host during the session and its associated category and reputation, if available.

For an event to display URL category and reputation, you must include the applicable URL rules in an access control policy and configure the rule with URL category and URL reputation under the URLs tab.

URL category and reputation do not appear in an event if the connection is processed before it matches a URL rule.

If the URL column is empty and DNS filtering is enabled, the DNS Query field shows the domain, and the URL Category and URL Reputation values apply to the domain.

If the system identifies or blocks a TLS/SSL application, the requested URL is in encrypted traffic, so the system identifies the traffic based on an SSL certificate. For TLS/SSL applications, therefore, this field indicates the common name contained in the certificate.

See also SSLURLCategory, above.

User Agent (Syslog: UserAgent)

The user-agent string application information extracted from HTTP traffic detected in the connection.

VLAN ID (Syslog: VLAN_ID)

The innermost VLAN ID associated with the packet that triggered the connection.

VPN Action

VPN action associated with the connection.

Possible values are:

  • Encrypt: VPN encrypts the traffic for the logged connection. See the Encrypt Peer column for the IP address of the VPN peer that encrypts the connection.

  • Decrypt: VPN decrypts the traffic for the logged connection. See the Encrypt Peer column for the IP address of the VPN peer that decrypts the connection.

  • VPN Routing: The traffic transitions through the VPN tunnel. VPN performs decryption at the beginning of the connection and encryption at the end of the connection. See the Encrypt Peer and Decrypt Peer columns for the IP addresses of the VPN peers that encrypt and decrypt the connection.

Web Application (Syslog: WebApplication)

The web application, which represents the content or requested URL for HTTP traffic detected in the connection.

If the web application does not match the URL for the event, the traffic is probably referred traffic, such as advertisement traffic. If the system detects referred traffic, it stores the referring application (if available) and lists that application as the web application.

If the system cannot identify the specific web application in HTTP traffic, this field displays Web Browsing.

Web Application Category and Tag

Criteria that characterize the application to help you understand the application's function.