Sourcefire 3D System User Guide, Version 5.3 (Cisco FirePOWER Appliance 7115), page 667
Chapter 17: Working with Intrusion Events
Using Drill-Down and Table View Pages
To make it easier to analyze intrusion events, you can constrain the event pages.
The constraining processes are slightly different for drill-down views and the table
view of intrusion events.
TIP! The time range pauses when you click one of the links at the bottom of the intrusion event workflow page to navigate to another page, and resumes when you click to take any other action on the subsequent page, including exiting the workflow. This reduces the likelihood of displaying the same events as you navigate to other pages in the workflow to see more events. For more information, see
The Constraining Events on Drill-Down Pages table describes how to use the drill-down pages.
Constraining Events on Drill-Down Pages

To drill down to the next workflow page constraining on a specific value, click the value.

    For example, on the Destination Port workflow, to constrain the events to those with a destination of port 80, click 80/tcp in the DST Port/ICMP Code column. The next page of the workflow, Events, appears and contains only port 80/tcp events.

To drill down to the next workflow page constraining on selected events, select the check boxes next to the events you want to view on the next workflow page, then click View.

    For example, on the Destination Port workflow, to constrain the events to those with destination ports 20/tcp and 21/tcp, select the check boxes next to the rows for those ports and click View. The next page of the workflow, Events, appears and contains only port 20/tcp and 21/tcp events.

    IMPORTANT! If you constrain on multiple rows and the table has more than one column (not including a Count column), you build what is called a compound constraint. Compound constraints ensure that you do not include more events in your constraint than you mean to. For example, if you use the Event and Destination workflow, each row that you select on the first drill-down page creates a compound constraint. If you pick event 1:100 with a destination IP address of 10.10.10.100 and you also pick event 1:200 with a destination IP address of 192.168.10.100, the compound constraint ensures that you do not also select events with 1:100 as the event type and 192.168.10.100 as the destination IP address, or events with 1:200 as the event type and 10.10.10.100 as the destination IP address.

To drill down to the next workflow page keeping the current constraints, click View All.
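The difference between a compound constraint and a plain per-column filter is easiest to see in code. The following is an added example written for this page; it is not code from the Sourcefire 3D System or from the guide. The event records, the column names (event, dst_ip, dst_port) and the function names are constructed for illustration. It builds the constraint from the checked rows the way the IMPORTANT note describes (a set of values for a one-column table, a set of row tuples for a multi-column table) and contrasts it with a column-wise OR filter that would silently pull in the cross-product combinations nobody checked.

```python
"""Added example, not from the Sourcefire 3D System guide: how the
compound constraint built from checked drill-down rows differs from a
column-wise OR filter. Column names and events are constructed."""

# Constructed sample intrusion events (not real Sourcefire output).
EVENTS = [
    {"event": "1:100", "dst_ip": "10.10.10.100",   "dst_port": "80/tcp"},
    {"event": "1:200", "dst_ip": "192.168.10.100", "dst_port": "80/tcp"},
    {"event": "1:100", "dst_ip": "192.168.10.100", "dst_port": "21/tcp"},
    {"event": "1:200", "dst_ip": "10.10.10.100",   "dst_port": "20/tcp"},
    {"event": "1:300", "dst_ip": "10.10.10.100",   "dst_port": "443/tcp"},
]


def build_constraint(columns, selected_rows):
    """Build the constraint from the rows checked on a drill-down page.

    columns: the page's columns, excluding any Count column.
    selected_rows: one dict per checked row, keyed by column name.

    With one column the result is a set of 1-tuples, i.e. a plain OR over
    the selected values.  With several columns each checked row becomes
    one tuple, so only the exact (value, value, ...) combinations that
    were checked survive: a compound constraint.
    """
    return {tuple(row[c] for c in columns) for row in selected_rows}


def apply_constraint(events, columns, constraint):
    """Keep the events whose values in `columns` match a checked row."""
    return [e for e in events if tuple(e[c] for c in columns) in constraint]


def apply_columnwise(events, columns, selected_rows):
    """Naive alternative, NOT what the drill-down does: each column is
    matched independently against all selected values, which also admits
    the cross-product combinations nobody checked."""
    allowed = {c: {row[c] for row in selected_rows} for c in columns}
    return [e for e in events if all(e[c] in allowed[c] for c in columns)]


def drill_down_by_value(events, column, value):
    """Clicking a single value (e.g. 80/tcp in the DST Port column)."""
    return apply_constraint(events, [column], {(value,)})


def compare_event_and_destination():
    """The guide's scenario: check the 1:100/10.10.10.100 row and the
    1:200/192.168.10.100 row on the Event and Destination workflow."""
    cols = ["event", "dst_ip"]
    rows = [{"event": "1:100", "dst_ip": "10.10.10.100"},
            {"event": "1:200", "dst_ip": "192.168.10.100"}]
    compound = apply_constraint(EVENTS, cols, build_constraint(cols, rows))
    naive = apply_columnwise(EVENTS, cols, rows)
    return compound, naive


if __name__ == "__main__":
    compound, naive = compare_event_and_destination()
    print("compound constraint keeps", len(compound), "events")
    print("column-wise filter keeps ", len(naive), "events (over-inclusive)")
    for e in naive:
        if e not in compound:
            print("  over-included:", e["event"], e["dst_ip"])
```

Run as a script to see the two rows the column-wise filter wrongly admits (1:100 to 192.168.10.100 and 1:200 to 10.10.10.100). For a single-column page such as the Destination Port workflow the two approaches agree, which is why the guide only flags the multi-column case.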