topic Firepower IPS Syslog Classification in Network Security https://community.cisco.com/t5/network-security/firepower-ips-syslog-classification/m-p/4413853#M1081335 <P>I would like to ask for assistance in determining what time of syslog events are being received by our syslog server:</P><P>These are, I think Intrusion Events</P><P>Device SFIMS: [1:43687:2] "INDICATOR-COMPROMISE Suspicious .top dns query" [Impact: Potentially Vulnerable] From "Device" at Tue Jun 1 23:44:54 2021 UTC [Classification: Misc Activity] [Priority: 3] {udp} x.x.x.x:60786 (unknown)-&gt;y.y.y.y:53 (unknown)</P><P>&nbsp;</P><P>Device SFIMS: [1:38355:3] "MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive" [Impact: Vulnerable] From "Device" at Tue Jun 1 22:12:50 2021 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} x.x.x.x:14411 (unknown)-&gt;y.y.y.y:3306 (japan)</P><P>&nbsp;</P><P>This is a Connection Event:</P><P>Device SFIMS: Protocol: UDP, SrcIP: x.x.x.x, DstIP: y.y.y.y, SrcPort: 55745, DstPort: 53, TCPFlags: 0x0, IngressInterface: s1p2, EgressInterface: s1p1, IngressZone: Inside Zone, EgressZone: Outside Zone, DE: Primary Detection Engine (removed), Policy: Access Control Policy, ConnectType: Start, AccessControlRuleName: (removed), AccessControlRuleAction: Allow, Client: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 83, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: (removed), DNSRecordType: a host address, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown</P><P>&nbsp;</P><P>But how about this one, I'm unsure if it is also an Intrusion Event, as the format is different:</P><P>2021-05-30 14:00:16.000 +08:00 Device SFIMS: &lt;*- Host IOC Set From Device at Sun May 30 14:00:16 2021 UTC -*&gt; IP Address: x.x.x.x Category: CnC Connected; Event Type: Intrusion Event - malware-cnc</P> Mon, 07 Jun 2021 08:23:01 GMT Jarby23 2021-06-07T08:23:01Z Firepower IPS Syslog Classification https://community.cisco.com/t5/network-security/firepower-ips-syslog-classification/m-p/4413853#M1081335 <P>I would like to ask for assistance in determining what time of syslog events are being received by our syslog server:</P><P>These are, I think Intrusion Events</P><P>Device SFIMS: [1:43687:2] "INDICATOR-COMPROMISE Suspicious .top dns query" [Impact: Potentially Vulnerable] From "Device" at Tue Jun 1 23:44:54 2021 UTC [Classification: Misc Activity] [Priority: 3] {udp} x.x.x.x:60786 (unknown)-&gt;y.y.y.y:53 (unknown)</P><P>&nbsp;</P><P>Device SFIMS: [1:38355:3] "MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive" [Impact: Vulnerable] From "Device" at Tue Jun 1 22:12:50 2021 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} x.x.x.x:14411 (unknown)-&gt;y.y.y.y:3306 (japan)</P><P>&nbsp;</P><P>This is a Connection Event:</P><P>Device SFIMS: Protocol: UDP, SrcIP: x.x.x.x, DstIP: y.y.y.y, SrcPort: 55745, DstPort: 53, TCPFlags: 0x0, IngressInterface: s1p2, EgressInterface: s1p1, IngressZone: Inside Zone, EgressZone: Outside Zone, DE: Primary Detection Engine (removed), Policy: Access Control Policy, ConnectType: Start, AccessControlRuleName: (removed), AccessControlRuleAction: Allow, Client: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 83, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: (removed), DNSRecordType: a host address, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown</P><P>&nbsp;</P><P>But how about this one, I'm unsure if it is also an Intrusion Event, as the format is different:</P><P>2021-05-30 14:00:16.000 +08:00 Device SFIMS: &lt;*- Host IOC Set From Device at Sun May 30 14:00:16 2021 UTC -*&gt; IP Address: x.x.x.x Category: CnC Connected; Event Type: Intrusion Event - malware-cnc</P> Mon, 07 Jun 2021 08:23:01 GMT https://community.cisco.com/t5/network-security/firepower-ips-syslog-classification/m-p/4413853#M1081335 Jarby23 2021-06-07T08:23:01Z