Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 18 Working with Intrusion Events
  Understanding Workflow Pages for Intrusion Events
To view events previously marked reviewed:
Access: Admin/Intrusion Admin
Step 1  Select Analysis > Intrusions > Reviewed Events.
The first page of the default reviewed intrusion events workflow appears. For information on specifying a different default workflow, see . If no events appear, you may need to adjust the time range; see .
Tip  If you are using a custom workflow that does not include the table view of intrusion events, select any of the predefined workflows that ship with the appliance by clicking (switch workflow) next to the workflow title.
See  to learn more about the events that appear in reviewed intrusion event views. See  to learn more about how to narrow your view to the intrusion events that are important to your analysis.
To mark reviewed events unreviewed:
Access: Admin/Intrusion Admin
Step 1  On a page that displays reviewed events, you have two options:
  • To remove individual intrusion events from the list of reviewed events, select the check boxes next to the events and click Unreview.
  • To remove all intrusion events from the list of reviewed events, click Unreview All.
A success message appears and the list of reviewed events is updated.
Understanding Workflow Pages for Intrusion Events
License: Protection
The preprocessor, decoder, and intrusion rules that are enabled in the current intrusion policy generate intrusion events whenever the traffic that you monitor violates the policy.
The FireSIGHT System provides a set of predefined workflows, populated with event data, that you can use to view and analyze intrusion events. Each of these workflows steps you through a series of pages to help you pinpoint the intrusion events that you want to evaluate.
The predefined intrusion event workflows contain three different types of pages, or event views:
  • one or more drill-down pages
  • the table view of intrusion events
  • a packet view
Drill-down pages generally include two or more columns in a table (and, for some drill-down views, more than one table) that allow you to view one specific type of information.