Impact flags

The impact flag is used to indicate where the alert was detected (in relation to the network) and what the impact of it was (in relation to the network/server/device). The impact flag is an 8-bit field in the impact event alert message. The meaning of each bit value is given in the following table:

| Bit pattern | Hex  | Description |
|-------------|------|-------------|
| XXXXXXX1    | 0x01 | Source or destination host is in a network monitored by the system. |
| XXXXXX1X    | 0x02 | Source or destination host exists in the network map. |
| XXXXX1XX    | 0x04 | Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol. |
| XXXX1XXX    | 0x08 | There is a vulnerability mapped to the operating system of the source or destination host in the event. |
| XXX1XXXX    | 0x10 | There is a vulnerability mapped to the server detected in the event. |
| XX1XXXXX    | 0x20 | The event causes the managed device to drop the session (used only when the device is running in an inline, switched, or routed deployment). It corresponds to the blocked status in the Firepower System web interface. |
| X1XXXXXX    | 0x40 | The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, Trojan, or other piece of malicious software. |
| 1XXXXXXX    | 0x80 | There is a vulnerability mapped to the client detected in the event (version 5.0+ only). |

Table of Firepower impact flag bit values

Each bit in the flag is set independently, because a single event may match several of the criteria at once. The X in the other bit positions indicates that those bits can take either value (0 or 1). A flag may therefore have one or more bits set, so its end value can be anything from 0 to 255, although certain combinations are unlikely in practice.
