Cisco FirePOWER Appliance 7115

Version 5.3
Sourcefire 3D System User Guide
668
Working with Intrusion Events
Using Drill-Down and Table View Pages
Chapter 17
The Constraining Events on the Table View of Events table describes how to use the table view.
TIP!
At any point in the process, you can save the constraints as a set of search 
criteria. For example, if you find that over the course of a few days your network is 
being probed by an attacker from a single IP address, you can save your 
constraints during your investigation and then use them again later. You cannot, 
however, save compound constraints as a set of search criteria. For more 
information, se
TIP!
If no intrusion events appear on the event views, adjusting the selected 
time range might return results. If you selected an older time range, events in that 
time range might have been deleted. Adjusting the rule thresholding configuration 
might generate events. 
Constraining Events on the Table View of Events

To: constrain the view to events with a single attribute
You can: click the attribute. For example, to constrain the view to events with a destination of port 80, click 80/tcp in the DST Port/ICMP Code column.

To: remove a column from the table
You can: click the close icon in the column heading that you want to hide. In the pop-up window that appears, click Apply.
TIP! To hide or show other columns, select or clear the appropriate check boxes before you click Apply. To add a disabled column back to the view, click the expand arrow to expand the search constraints, then click the column name under Disabled Columns.

To: view the packets associated with one or more events
You can: either:
• click the down arrow icon next to the event whose packets you want to view.
• select one or more events whose packets you want to view, and, at the bottom of the page, click View.
• at the bottom of the page, click View All to view the packets for all events that match the current constraints.