https://community.cisco.com/t5/network-security/analyzing-threat-detection-who-did-what-when/m-p/2662608#M194931 <P>Hi,</P><P>I'm trying to identify who is the source of several 733100 messages in my syslogs on an ASA 5520. &nbsp;I have the following threat-detection configurations enabled:</P><P>&nbsp;</P><P>threat-detection basic-threat<BR />threat-detection statistics<BR />threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200<BR />&nbsp; subscribe-to-alert-group threat</P><P>However, when the 733100 syslogs come in, they do not say the source or destination ip address. &nbsp;I am able to look at the statistics for each of these detected threats, but I am not sure how to correlate the syslog message to a host in the list. &nbsp;For example,</P><P>Apr 16 2015 10:44:05 ASA-1&nbsp;: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 18 per second, max configured rate is 10; Current average rate is 38 per second, max configured rate is 5; Cumulative total count is 23268</P><P>I then issue the following:</P><P>show threat-detection statistics top rate-1</P><P>And I see several hosts, but there doesn't seem to be an easy way to say "syslog @ 10:44:05 was host 8.8.8.8" (or whatever the source would be). &nbsp;Is there a document that helped you figure this out? Any advice?</P><P>We don't want to shun any hosts, but we do want to know who is doing what and when, so we can talk to the internal user and tell them to stop.</P><P>&nbsp;</P> Tue, 12 Mar 2019 05:47:26 GMT pdub206 2019-03-12T05:47:26Z https://community.cisco.com/t5/network-security/analyzing-threat-detection-who-did-what-when/m-p/2662608#M194931 <P>Hi,</P><P>I'm trying to identify who is the source of several 733100 messages in my syslogs on an ASA 5520. &nbsp;I have the following threat-detection configurations enabled:</P><P>&nbsp;</P><P>threat-detection basic-threat<BR />threat-detection statistics<BR />threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200<BR />&nbsp; subscribe-to-alert-group threat</P><P>However, when the 733100 syslogs come in, they do not say the source or destination ip address. &nbsp;I am able to look at the statistics for each of these detected threats, but I am not sure how to correlate the syslog message to a host in the list. &nbsp;For example,</P><P>Apr 16 2015 10:44:05 ASA-1&nbsp;: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 18 per second, max configured rate is 10; Current average rate is 38 per second, max configured rate is 5; Cumulative total count is 23268</P><P>I then issue the following:</P><P>show threat-detection statistics top rate-1</P><P>And I see several hosts, but there doesn't seem to be an easy way to say "syslog @ 10:44:05 was host 8.8.8.8" (or whatever the source would be). &nbsp;Is there a document that helped you figure this out? Any advice?</P><P>We don't want to shun any hosts, but we do want to know who is doing what and when, so we can talk to the internal user and tell them to stop.</P><P>&nbsp;</P> Tue, 12 Mar 2019 05:47:26 GMT https://community.cisco.com/t5/network-security/analyzing-threat-detection-who-did-what-when/m-p/2662608#M194931 pdub206 2019-03-12T05:47:26Z https://community.cisco.com/t5/network-security/analyzing-threat-detection-who-did-what-when/m-p/2662609#M194932 <P>Hi,</P><P>I don't think you would be able to get more information from these syslog.</P><P>As you have Statistics Threat Detection enabled , I would recommend enabling other commands and then you would be able to find out more information on them.</P><P>Refer:-</P><P>http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html</P><P>These command you would be able to use:-</P><P>show threat-detection statistics host<BR />show threat-detection statistics port<BR />show threat-detection statistics protocol<BR />show threat-detection statistics top</P><P><BR />Also , ASDM graphs would be helpful.</P><P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/intro.html#wp1044840</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Fri, 17 Apr 2015 12:00:03 GMT https://community.cisco.com/t5/network-security/analyzing-threat-detection-who-did-what-when/m-p/2662609#M194932 Vibhor Amrodia 2015-04-17T12:00:03Z