Analyzing threat-detection - who did what when?!

pdub206
Level 1

Hi,

I'm trying to identify who is the source of several 733100 messages in my syslogs on an ASA 5520. I have the following threat-detection configuration enabled:

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  subscribe-to-alert-group threat

However, when the 733100 syslogs come in, they do not say the source or destination IP address. I am able to look at the statistics for each of these detected threats, but I am not sure how to correlate the syslog message to a host in the list. For example,

Apr 16 2015 10:44:05 ASA-1 : %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 18 per second, max configured rate is 10; Current average rate is 38 per second, max configured rate is 5; Cumulative total count is 23268

I then issue the following:

show threat-detection statistics top rate-1

And I see several hosts, but there doesn't seem to be an easy way to say "syslog @ 10:44:05 was host 8.8.8.8" (or whatever the source would be).  Is there a document that helped you figure this out? Any advice?

We don't want to shun any hosts, but we do want to know who is doing what and when, so we can talk to the internal user and tell them to stop.

Throwing packets since 2012
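The quoted 733100 line shows everything the ASA puts in that message: the drop category, which rate tripped, the current versus configured burst and average rates, and a cumulative drop counter. As an added example (not part of the original post and not a Cisco tool), the script below parses those fields and differences the cumulative counter between consecutive messages of the same device, category and rate, so the stream becomes drops-per-interval and you know which window was hottest and which `show threat-detection statistics top <rate>` to pull for it. The sample syslog lines are constructed for the example; the field layout is the one in the message above.

```python
"""Triage %ASA-4-733100 threat-detection syslogs (added example, not from the post)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Field layout taken from the 733100 message quoted in the post. re.search is
# used so any priority/facility prefix a collector prepends is ignored.
SYSLOG_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<device>\S+) : "
    r"%ASA-4-733100: \[\s*(?P<category>[^\]]+?)\s*\] drop (?P<rate>rate-\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)

# Constructed sample input: two drop categories, one non-733100 line mixed in.
SAMPLE_LINES = [
    "Apr 16 2015 10:44:05 ASA-1 : %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 18 per second, max configured rate is 10; Current average rate is 38 per second, max configured rate is 5; Cumulative total count is 23268",
    "Apr 16 2015 10:44:20 ASA-1 : %ASA-4-733100: [ ACL drop] drop rate-1 exceeded. Current burst rate is 900 per second, max configured rate is 800; Current average rate is 450 per second, max configured rate is 400; Cumulative total count is 5000",
    "Apr 16 2015 10:44:21 ASA-1 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.10/40000 (192.0.2.10/40000) to inside:10.0.0.5/80 (10.0.0.5/80)",
    "Apr 16 2015 10:44:35 ASA-1 : %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 22 per second, max configured rate is 10; Current average rate is 40 per second, max configured rate is 5; Cumulative total count is 24468",
    "Apr 16 2015 10:44:50 ASA-1 : %ASA-4-733100: [ ACL drop] drop rate-1 exceeded. Current burst rate is 850 per second, max configured rate is 800; Current average rate is 420 per second, max configured rate is 400; Cumulative total count is 5600",
    "Apr 16 2015 10:45:05 ASA-1 : %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 25068",
    "Apr 16 2015 10:45:05 ASA-1 : %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 12 per second, max configured rate is 8; Current average rate is 6 per second, max configured rate is 4; Cumulative total count is 25068",
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    device: str
    category: str
    rate: str
    burst: int
    burst_max: int
    avg: int
    avg_max: int
    total: int  # cumulative drop counter as reported by the ASA


@dataclass(frozen=True)
class Interval:
    start: datetime
    end: datetime
    category: str
    rate: str
    drops: int           # counter delta between two consecutive messages
    seconds: float
    drops_per_sec: float
    check_cmd: str       # command from the post to run for this window


def parse_733100(line: str) -> Optional[Event]:
    """Return an Event for a 733100 line, None for any other syslog line."""
    m = SYSLOG_RE.search(line)
    if m is None:
        return None
    return Event(
        ts=datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        device=m["device"], category=m["category"], rate=m["rate"],
        burst=int(m["burst"]), burst_max=int(m["burst_max"]),
        avg=int(m["avg"]), avg_max=int(m["avg_max"]), total=int(m["total"]),
    )


def drop_intervals(events: List[Event]) -> List[Interval]:
    """Difference the cumulative counter per (device, category, rate)."""
    last: Dict[Tuple[str, str, str], Event] = {}
    out: List[Interval] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.device, ev.category, ev.rate)
        prev = last.get(key)
        # A counter that went backwards means the ASA reloaded or the
        # statistics were cleared; restart the baseline instead of a bogus delta.
        if prev is not None and ev.total >= prev.total:
            secs = (ev.ts - prev.ts).total_seconds()
            drops = ev.total - prev.total
            out.append(Interval(
                start=prev.ts, end=ev.ts, category=ev.category, rate=ev.rate,
                drops=drops, seconds=secs,
                drops_per_sec=drops / secs if secs > 0 else float(drops),
                check_cmd=f"show threat-detection statistics top {ev.rate}",
            ))
        last[key] = ev
    return out


def hottest(intervals: List[Interval], n: int = 3) -> List[Interval]:
    """Windows with the highest drop rate first: where to look on the ASA."""
    return sorted(intervals, key=lambda i: i.drops_per_sec, reverse=True)[:n]


def triage(lines: List[str], n: int = 3) -> List[Interval]:
    events = [e for e in map(parse_733100, lines) if e is not None]
    return hottest(drop_intervals(events), n)


if __name__ == "__main__":
    for iv in triage(SAMPLE_LINES):
        print(f"{iv.start:%H:%M:%S}-{iv.end:%H:%M:%S} {iv.category:<9} {iv.rate}: "
              f"{iv.drops} drops in {iv.seconds:.0f}s ({iv.drops_per_sec:.1f}/s) -> {iv.check_cmd}")
```

Feed it the collector's file instead of `SAMPLE_LINES` and the busiest windows come out first; the counter delta is the only per-host-free quantity in 733100, so the script deliberately stops at "when and how much" and leaves "who" to the `show threat-detection statistics` output for that window.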
Accepted Solution

Vibhor Amrodia
Cisco Employee

Hi,

I don't think you would be able to get more information from these syslogs.

As you have statistics threat detection enabled, I would recommend enabling other commands and then you would be able to find out more information on them.

Refer:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html

These commands you would be able to use:

show threat-detection statistics host
show threat-detection statistics port
show threat-detection statistics protocol
show threat-detection statistics top

Also, ASDM graphs would be helpful.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/intro.html#wp1044840

Thanks and Regards,

Vibhor Amrodia
