Cisco FirePOWER Appliance 7115

Version 5.3
Sourcefire 3D System User Guide
Using the Sourcefire 3D System as a Compliance Tool
Working with White List Violations
Chapter 37
License: FireSIGHT
The system keeps track of the ways in which hosts on your network violate the 
compliance white lists in active correlation policies. You can search and view 
these records. 
For more information, see the following sections:
Viewing White List Violations
License: FireSIGHT
You can use the Defense Center to view a table of white list violations. Then, you 
can manipulate the event view depending on the information you are looking for. 
The page you see when you access white list violations differs depending on the 
workflow you use. There are two predefined workflows:
- The Host Violation Count workflow provides a series of pages that list all the
  hosts that violate at least one white list. The first page sorts the hosts
  based on the number of violations per host, with the hosts with the
  greatest number of violations at the top of the list. If a host violates more
  than one white list, there is a separate row for each violated white list. The
  workflow also contains a table view of white list violations that lists all
  violations with the most recently detected violation at the top of the list.
  Each row in the table contains a single detected violation.
- The White List Violations workflow includes a table view of white list
  violations that lists all violations with the most recently detected violation at
  the top of the list. Each row in the table contains a single detected violation.
Both predefined workflows terminate in a host view, which contains a host profile 
for every host that meets your constraints. You can also create a custom 
workflow that displays only the information that matches your specific needs. For 
more information, see