Correlation and Compliance Events

The following topics describe how to view correlation and compliance events.

Viewing Correlation Events

When a correlation rule within an active correlation policy triggers, the system generates a correlation event and logs it to the database.


Note


When a compliance white list within an active correlation policy triggers, the system generates a white list event.


You can view a table of correlation events, then manipulate the event view depending on the information you are looking for.

In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

The page you see when you access correlation events differs depending on the workflow you use. You can use the predefined workflow, which includes the table view of correlation events. You can also create a custom workflow that displays only the information that matches your specific needs.

Before you begin

You must be an Admin or Security Analyst user to perform this task.

Procedure


Step 1

Choose Analysis > Correlation > Correlation Events .

Optionally, to use a different workflow, including a custom workflow, click (switch workflow) by the workflow title.

Tip

 

If you are using a custom workflow that does not include the table view of correlation events, click (switch workflow), then choose Correlation Events.

Step 2

Optionally, adjust the time range as described in Changing the Time Window.

Step 3

Perform any of the following actions:

  • To learn more about the columns that appear, see Correlation Event Fields.

  • To view the host profile for an IP address, click host profile that appears next to the IP address.

  • To view user identity information, click the user icon that appears next to the User Identity, or for users associated with IOCs,Red User.

  • To sort and constrain events or to navigate within the current workflow page, see Using Workflows.

  • To navigate between pages in the current workflow, keeping the current constraints, click the appropriate page link at the top left of the workflow page.

  • To drill down to the next page in the Workflows, constraining on a specific value, see Using Drill-Down Pages.

  • To delete some or all correlation events, check the check boxes next to the events you want to delete and click Delete, or click Delete All and confirm you want to delete all the events in the current constrained view.

  • To navigate to other event views to view associated events, see Inter-Workflow Navigation.

  • To view data in available sources external to your Firepower system, right-click an event value. The options you see depend on the data type and include public sources; other sources depend on the resources you have configured. For information, see Event Investigation Using Web-Based Resources

  • To gather intelligence about an event, right-click an event value in the table and choose from a Cisco or third-party intelligence source. For example, you can get details about a suspicious IP address from Cisco Talos. The options you see depend on the data type and the integrations that are configured on your system. For more information, see Event Investigation Using Web-Based Resources.


Correlation Event Fields

When a correlation rule triggers, the system generates a correlation event. The fields in the correlation events table that can be viewed and searched are described in the following table.

Table 1. Correlation Event Fields

Field

Description

Description

The description of the correlation event. The information in the description depends on how the rule was triggered.

For example, if the rule was triggered by an operating system information update event, the new operating system name and confidence level appears.

Device

The name of the device that generated the event that triggered the policy violation.

Domain

The domain of the device whose monitored traffic triggered the policy violation. This field is only present if you have ever configured the Firepower Management Center for multitenancy.

Impact

The impact level assigned to the correlation event based on the correlation between intrusion data, discovery data, and vulnerability information.

When searching this field, valid case-insensitive values are Impact 0, Impact Level 0, Impact 1, Impact Level 1, Impact 2, Impact Level 2, Impact 3, Impact Level 3, Impact 4, and Impact Level 4. Do not use impact icon colors or partial strings (for example, do not use blue, level 1, or 0).

Ingress Interface or
Egress Interface

The ingress or egress interface in the intrusion or connection event that triggered the policy violation.

Ingress Security Zone or
Egress Security Zone

The ingress or egress security zone in the intrusion or connection event that triggered the policy violation.

Inline Result

One of:

  • a black down arrow, indicating that the system dropped the packet that triggered the intrusion rule

  • a gray down arrow, indicating that the system would have dropped the packet in an inline, switched, or routed deployment if you enabled the Drop when Inline intrusion policy option

  • blank, indicating that the triggered intrusion rule was not set to Drop and Generate Events

When using this field to search for policy violations triggered by intrusion events, type either:

  • dropped, to specify whether the packet was dropped in an inline, switched, or routed deployment

  • would have dropped, to specify whether the packet would have dropped if the intrusion policy had been set to drop packets in an inline, switched, or routed deployment

Note that the system does not drop packets in a passive deployment, including when an inline set is in tap mode, regardless of the rule state or the drop behavior of the intrusion policy.

Policy

The name of the policy that was violated.

Priority

The priority of the correlation event, which is determined by the priority of either the triggered rule or the violated correlation policy. When searching this field, enter none for no priority.

Rule

The name of the rule that triggered the policy violation.

Security Intelligence Category

The name of the object that represents or contains the blocked IP address in the event that triggered the policy violation.

When searching this field, specify the Security Intelligence category associated with the correlation event that triggered the policy violation. The Security Intelligence category can be the name of a Security Intelligence object, the global Block list, a custom Security Intelligence list or feed, or one of the categories in the Intelligence Feed.

Source Continent or Destination Continent

The continent associated with the source or destination host IP addresses in the event that triggered the policy violation.

Source Country or Destination Country

The country associated with the source or destination IP address in the event that triggered the policy violation.

Source Host Criticality or Destination Host Criticality

The user-assigned host criticality of the source or destination host involved in the correlation event: None, Low, Medium, or High.

Note that only correlation events generated by rules based on discovery events, host input events, or connection events contain a source host criticality.

Source IP or
Destination IP

The IP address of the source or destination host in the event that triggered the policy violation.

Source Port/ICMP Type or Destination Port/ICMP Code

The source port or ICMP type for the source traffic or the destination port or ICMP code for destination traffic associated with the event that triggered the policy violation.

Source User or
Destination User

The name of the user logged in to the source or destination host in the event that triggered the policy violation.

Time

The date and time that the correlation event was generated. This field is not searchable.

Count

The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows. This field is not searchable

Using Compliance White List Workflows

The Firepower Management Center provides a set of workflows that you can use to analyze the white list events and violations that are generated for your network. The workflows are, along with the network map and dashboard, a key source of information about the compliance of your network assets.

The system provides predefined workflows for white list events and violations. You can also create custom workflows. When you are using a compliance white list workflow, you can perform many common actions.

Before you begin

You must be an Admin, Security Analyst, or Discovery Admin user to perform this task.

Procedure


Step 1

Access a white list workflow using the Analysis > Correlation menu.

Step 2

You have the following options:

  • Switch Workflow — To use a different workflow, including a custom workflow, click (switch workflow).

  • Time Range — To adjust the time range, which is useful if no events appear, see Changing the Time Window.

  • Host Profile — To view the host profile for an IP address, click Host Profile() or, for hosts with active indications of compromise (IOC) tags, the Compromised Host that appears next to the IP address.

  • User Profile (events only) — To view user identity information, click the user icon that appears next to the User Identity, or for users associated with IOCs,Red User.

  • Constrain — To constrain the columns that appear, click Close (close icon) in the column heading that you want to hide. In the pop-up window that appears, click Apply.

    Tip

     

    To hide or show other columns, select or clear the appropriate check boxes before you click Apply. To add a disabled column back to the view, expand the search constraints, then click the column name under Disabled Columns.

  • Drill Down — See Using Drill-Down Pages.

  • Sort — To sort data in a workflow, click the column title. Click the column title again to reverse the sort order.

  • Navigate This Page — See Workflow Page Traversal Tools.

  • Navigate Between Pages — To navigate between pages in the current workflow, keeping the current constraints, click the appropriate page link at the top left of the workflow page.

  • Navigate Between Event Views — To navigate to other event views to view associated events, click Jump to and select the event view from the drop-down list.

  • Delete Events (events only) — To delete some or all items in the current constrained view, select the check boxes next to items you want to delete and click Delete or click Delete All.


Viewing White List Events

After its initial evaluation, the system generates a white list event whenever a monitored host goes out of compliance with an active white list. White list events are a special kind of correlation event, and are logged to the FMC correlation event database.

You can use the Firepower Management Center to view a table of compliance white list events. Then, you can manipulate the event view depending on the information you are looking for.

In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

The page you see when you access white list events differs depending on the workflow you use. You can use a predefined workflow, which terminates in a table view of events. You can also create a custom workflow that displays only the information that matches your specific needs.

Before you begin

You must be an Admin, Security Analyst, or Discovery Admin user to perform this task.

Procedure


Step 1

Choose Analysis > Correlation> White List Events.

Step 2

You have the following options:


White List Event Fields

White list events, which you can view and search using workflows, contain the following fields.

Device

The name of the managed device that detected the white list violation.

Description

A description of how the white list was violated. For example:

Client “AOL Instant Messenger” is not allowed.

Violations that involve an application protocol indicate the application protocol name and version, as well as the port and protocol (TCP or UDP) it is using. If you restrict prohibitions to a particular operating system, the description includes the operating system name. For example:

Server "ssh / 22 TCP (OpenSSH 3.6.1p2)" is not allowed on Operating System “Linux Linux 2.4 or 2.6”.

Domain

The domain of the host that has become non-compliant with the white list. This field is only present if you have ever configured the Firepower Management Center for multitenancy.

Host Criticality

The user-assigned host criticality of the source host that is out of compliance with the white list: None, Low, Medium, or High.

IP Address

The IP address of the host that has become non-compliant with the white list.

Policy

The name of the correlation policy that was violated, that is, the correlation policy that includes the white list.

Port

The port, if any, associated with the discovery event that triggered an application protocol white list violation (a violation that occurred as a result of a non-compliant application protocol). For other types of white list violations, this field is blank.

Priority

The priority specified by the policy or white list that triggered the policy violation. This is determined either by the priority of the white list in a correlation policy or by the priority of the correlation policy itself. Note that the white list priority overrides the priority of its policy. When searching this field, enter none for no priority.

Time

The date and time that the white list event was generated. This field is not searchable.

User

The identity of any known user logged in to the host that has become non-compliant with the white list.

White List

The name of the white list.

Count

The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows. This field is not searchable.

Viewing White List Violations

The system keeps a record of the current white list violations on your network. Each violation represents something disallowed running on one of your hosts. If a host becomes compliant, the system removes the now-corrected violation from the database.

You can use the Firepower Management Center to view a table of white list violations for all active white lists. Then, you can manipulate the event view depending on the information you are looking for.

The page you see when you access white list violations differs depending on the workflow you use. The predefined workflows terminate in a host view, which contains a host profile for every host that meets your constraints. You can also create a custom workflow that displays only the information that matches your specific needs.

In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

Procedure


Step 1

Choose Analysis > Correlation > White List Violations.

Step 2

You have the following options:


White List Violation Fields

White list violations, which you can view and search using workflows, contain the following fields.

Domain

The domain where the non-compliant host resides. This field is only present if you have ever configured the Firepower Management Center for multitenancy.

Information

Any available vendor, product, or version information associated with the white list violation. For protocols that violate a white list, this field also indicates whether the violation is due to a network or transport protocol.

IP Address

The IP address of the non-compliant host.

Port

The port, if any, associated with the event that triggered an application protocol white list violation (a violation that occurred as a result of a non-compliant application protocol). For other types of white list violations, this field is blank.

Protocol

The protocol, if any, associated with the event that triggered an application protocol white list violation (a violation that occurred as a result of a non-compliant application protocol). For other types of white list violations, this field is blank.

Time

The date and time that the white list violation was detected.

Type

The type of white list violation, that is, whether the violation occurred as a result of a non-compliant:

  • operating system (os) (When searching this field, enter os or operating system.)

  • application protocol (server)

  • client

  • protocol

  • web application (web) (When searching this field, enter web application.)

White List

The name of the white list that was violated.

Count

The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows. This field is not searchable.

Remediation Status Events

When a remediation triggers, the system logs a remediation status event to the database. These events can be viewed on the Remediation Status page. You can search, view, and delete remediation status events.

Viewing Remediation Status Events

The page you see when you access remediation status events differs depending on the workflow you use. You can use the predefined workflow, which includes a table view of remediations. The table view contains a row for each remediation status event. You can also create a custom workflow that displays only the information that matches your specific needs.

In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

Before you begin

You must be an Admin user to perform this task.

Procedure


Step 1

Choose Analysis > Correlation > Status.

Step 2

Optionally, adjust the time range as described in Changing the Time Window.

Step 3

Optionally, to use a different workflow, including a custom workflow, click (switch workflow) by the workflow title.

Tip

 

If you are using a custom workflow that does not include the table view of remediations, click (switch workflow) menu by the workflow title, then choose Remediation Status.

Step 4

You have the following options:

  • To learn more about the columns that appear, see Remediation Status Table Fields.

  • To sort and constrain the events, see Using Workflows.

  • To navigate to the correlation events view to see associated events, click Correlation Events.

  • To bookmark the current page so that you can quickly return to it, click Bookmark This Page. To navigate to the bookmark management page, click View Bookmarks.

  • To generate a report based on the data in the table view, click Report Designer as described in Creating a Report Template from an Event View.

  • To drill down to the next page in the workflow, see Using Drill-Down Pages.

  • To delete remediation status events from the system, check the check boxes next to events you want to delete and click Delete or click Delete All and confirm you want to delete all the events in the current constrained view.

  • To search for remediation status events, click Search.


Remediation Status Table Fields

The following table describes the fields in the remediation status table that can be viewed and searched.

Table 2. Remediation Status Fields

Field

Description

Domain

The domain of the device whose monitored traffic triggered the policy violation, that in turn triggered the remediation. This field is only present if you have ever configured the Firepower Management Center for multitenancy.

Policy

The name of the correlation policy that was violated and triggered the remediation.

Remediation Name

The name of the remediation that was launched.

Result Message

A message that describes what happened when the remediation was launched. Status messages include:

  • Successful completion of remediation

  • Error in the input provided to the remediation module

  • Error in the remediation module configuration

  • Error logging into the remote device or server

  • Unable to gain required privileges on remote device or server

  • Timeout logging into remote device or server

  • Timeout executing remote commands or servers

  • The remote device or server was unreachable

  • The remediation was attempted but failed

  • Failed to execute remediation program

  • Unknown/unexpected error

If custom remediation modules are installed, you may see additional status messages that are implemented by the custom module.

Rule

The name of the correlation rule that triggered the remediation.

Time

The date and time that the Firepower Management Center launched the remediation

Count

The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows. This field is not searchable.

Using the Remediation Status Events Table

You can change the layout of the event view or constrain the events in the view by a field value.

When you disable a column, it is disabled for the duration of your session unless you add it back later. If you disable the first column, the Count column is added.

Clicking a value within a row in a table view constrains the table view and does not drill down to the next page.


Tip


Table views always include “Table View” in the page name.


In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

Before you begin

You must be an Admin user to perform this task.

Procedure


Step 1

Choose Analysis > Correlation > Status.

Tip

 

If you are using a custom workflow that does not include the table view of remediations, click (switch workflow) menu by the workflow title, then choose Remediation Status.

Step 2

You have the following options: