Configure EVE

Procedure


Step 1

Choose Policies > Access Control.

Step 2

Click Edit (edit icon) next to the access control policy you want to edit.

Step 3

Choose Advanced Settings from the More drop-down arrow at the end of the packet flow line.

Step 4

Click Edit (edit icon) next to Encrypted Visibility Engine.

Step 5

In the Encrypted Visibility Engine page, enable the Encrypted Visibility Engine (EVE) toggle button.

Step 6

Use EVE for Application Detection—This toggle button is enabled by default, which means that EVE is allowed to assign client applications to processes.

EVE's fingerprint information appears in the Encrypted Visibility Fingerprint column of the connection events or unified events. For further analysis of the EVE data collected, you can right-click the fingerprint information to open a dropdown menu. In the menu, click View Encrypted Visibility Engine Process Analysis to go to appid.cisco.com and view details, such as the fingerprint, VDB version, and so on.

The page displays the rows that share the same fingerprint string, along with the potential process names associated with them and their prevalence. Prevalence indicates the frequency of a process associated with a particular fingerprint in the data collection system. You can choose the process names and click Submit Request to give feedback about any discrepancy in EVE's process detection. For example, you can submit a request if the detected process name does not match the traffic that is being sent, or if no process name is detected at all for a particular fingerprint.

If you disable the Use EVE for Application Detection toggle button:

  • AppID-identified clients are assigned to processes and you can see the EVE process and score, but there is no mapping of EVE-detected processes to applications and no action is taken. You can see the details of the events under Connection Events or Unified Events. To see the difference in connection events (with and without application assignment), see the Client Application column header.

  • The Encrypted Visibility Fingerprint field in the connection events or unified events is empty.

Step 7

Enable the Block Traffic Based on EVE Score toggle button to block traffic based on EVE's threat confidence score. Any incoming traffic that is a potential threat is blocked by default.

The default block threshold is 99 percent, which means:

  • If EVE detects the traffic to be malware with 99 percent confidence or more, the traffic is blocked.

  • If EVE detects the traffic to be malware with less than 99 percent confidence, EVE takes no action.

Note

If EVE has blocked the traffic, the Reason column in the Connection Events page displays Encrypted Visibility Block.

Step 8

Use the slider to adjust the threshold for blocking based on EVE's threat confidence, which ranges from Very Low to Very High.

Step 9

For further granular control, enable the Advanced Mode toggle button. Now, you can assign a specific EVE Threat Confidence Score for blocking traffic. The default block threshold is 99 percent.

Caution

To ensure optimal performance, we recommend that you do not set a threshold below 50 percent.
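The threshold behaviour in Steps 7 to 9, as an added example (not Cisco's code): a what-if tally over exported connection events that shows how many flows each candidate threshold would block and which processes would be newly blocked compared with the 99 percent default. The CSV column names and the sample rows are constructed assumptions, not a documented export schema.

```python
import csv
import io

# Constructed sample export. Column names are assumptions for this example,
# not a documented export schema; process names are made up.
SAMPLE_CSV = """\
process_name,threat_confidence_score
browser-a,2
browser-b,0
sample-mal-1,99
sample-mal-2,100
script-client,55
unknown-client,87
cli-tool,48
sample-mal-1,99
bad-row,
"""

DEFAULT_THRESHOLD = 99   # default block threshold stated on the page
MIN_RECOMMENDED = 50     # the page's caution: do not go below 50 percent

def load_events(text):
    """Return (process, score) pairs, skipping rows without a 0-100 integer score."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = (row.get("threat_confidence_score") or "").strip()
        if raw.isdigit() and int(raw) <= 100:
            events.append((row["process_name"].strip(), int(raw)))
    return events

def what_if(events, thresholds):
    """For each candidate threshold, tally flows with score >= threshold."""
    report = {}
    for t in thresholds:
        hits = [(p, s) for p, s in events if s >= t]
        report[t] = {
            "blocked": len(hits),
            # Flows the default would have let through: review for false positives.
            "newly_blocked": sorted({p for p, s in hits if s < DEFAULT_THRESHOLD}),
            "below_recommended": t < MIN_RECOMMENDED,
        }
    return report

if __name__ == "__main__":
    for t, r in what_if(load_events(SAMPLE_CSV), [99, 75, 50, 40]).items():
        flag = "  (below recommended minimum)" if r["below_recommended"] else ""
        print(f"threshold {t}: {r['blocked']} blocked, new: {r['newly_blocked']}{flag}")
```

Running this kind of tally against events collected with blocking disabled shows what a lower threshold would have blocked before the change is deployed.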

Step 10

Click OK.

Step 11

Click Save.


What to do next

Deploy configuration changes.