Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Viewing Intrusion Event Graphs
License: Protection
The FireSIGHT System provides graphs that show you intrusion event trends over time. You can
generate intrusion event graphs over time ranging from the last hour to the last month, for the following:
• one or all managed devices
• top 10 destination ports
• top 10 source IP addresses
• top 10 event messages
To generate an event graph:
Access: Admin/Intrusion Admin
Step 1 Select Overview > Summary > Intrusion Event Graphs.
The Intrusion Event Graphs page appears. Three selection boxes at the top of the page control which
graph is generated.
Step 2 Under Select Device, select all to include all devices, or select the specific device you want to
include in the graph.
Step 3 Under Select Graph(s), select the type of graph you want to generate.
Step 4 Under Select Time Range, select the time range for the graph.
Step 5 Click Graph.
The graph is generated.
Viewing Intrusion Events
License: Protection
When the system recognizes a packet that is potentially malicious, it generates an intrusion event and
adds the event to the database.
The initial intrusion events view differs depending on the workflow you use to access the page. You can
use one of the predefined workflows, which includes one or more drill-down pages, a table view of
intrusion events, and a terminating packet view, or you can create your own workflow. You can also view
workflows based on custom tables, which may include intrusion events. Note that an event view may be
slow to display if it contains a large number of IP addresses and you have enabled the
Resolve IP Addresses event view setting. See
for more information.
You view an intrusion event to determine whether there is a threat to your network security. If you are
confident that an intrusion event is not malicious, you can mark the event reviewed. Your name appears
as the reviewer, and the reviewed event is no longer listed in the default intrusion events view. You can
return a reviewed event to the default intrusion events view by marking the event unreviewed.
You can view intrusion events that you have marked reviewed. Reviewed events are stored in the event
database and are included in the event summary statistics, but no longer appear in the default event
pages. See
for more information.