FireSIGHT System User Guide
Chapter 27 Using the FireSIGHT System as a Compliance Tool
Working with White List Violations
The first page of the default white list violations workflow appears. To use a different workflow, including a custom workflow, click (switch workflow) by the workflow title. For information on specifying a different default workflow, see .
Understanding the White List Violations Table
License: FireSIGHT
You can use the correlation policy feature to build correlation policies that let the system respond in real time to threats on your network. Correlation policies describe the type of activity that constitutes a policy violation, which includes compliance white list violations. For more information on correlation policies, see .
When a compliance white list is violated, the system records the violation. Note that you cannot set event time constraints in the table view, because the table view displays only the current host violations on your network. The fields in the white list violations table are described in the following table.
Table 27-7    Compliance White List Violation Fields

Time
    The date and time that the white list violation was detected.

IP Address
    The relevant IP address of the non-compliant host.

Type
    The type of white list violation, that is, whether the violation occurred as a result of a non-compliant:
      • operating system (os)
      • application protocol (server)
      • client (client)
      • protocol (protocol)
      • web application (web)

Information
    Any available vendor, product, or version information associated with the white list violation.
    For example, if you have a white list that allows only Microsoft Windows hosts, the Information field describes the operating systems of the hosts that are not running Microsoft Windows.
    For protocols that violate a white list, the Information field also indicates whether the violation is due to a network or transport protocol.

Port
    The port, if any, associated with the event that triggered an application protocol white list violation (a violation that occurred as a result of a non-compliant application protocol). For other types of white list violations, this field is blank.

Protocol
    The protocol, if any, associated with the event that triggered an application protocol white list violation (a violation that occurred as a result of a non-compliant application protocol). For other types of white list violations, this field is blank.

White List
    The name of the white list that was violated.

Count
    The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows.
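The following is an added example, not code from the FireSIGHT System User Guide or from Cisco: a small Python evaluator that applies a compliance white list to host profiles and emits rows with the field semantics of Table 27-7. The white list structure, the host profile structure, the white list name "Windows Web Servers", the host addresses and the timestamp are all constructed for illustration and do not reflect the product's internal data formats. It shows the five violation types, that Port and Protocol are populated only for application protocol (server) violations, that the Information field for protocol violations names the network or transport layer, and how applying a column constraint collapses identical rows into a Count.

```python
"""Added example: evaluate constructed host profiles against a constructed
compliance white list and produce rows shaped like Table 27-7.
Not the FireSIGHT implementation; all data structures here are assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Violation:
    """One row of the white list violations table (fields as in Table 27-7)."""
    time: str
    ip_address: str
    type: str                 # os | server | client | protocol | web
    information: str
    port: Optional[int]       # set only for application protocol (server) violations
    protocol: Optional[str]   # set only for application protocol (server) violations
    white_list: str


# Hypothetical white list: Windows hosts only, HTTP/HTTPS on their standard
# ports only, Firefox as the only client, tcp/udp/ip as the only protocols,
# and Jira as the only web application.
WHITE_LIST = {
    "name": "Windows Web Servers",
    "os": {"Microsoft Windows"},
    "servers": {("http", "tcp", 80), ("https", "tcp", 443)},
    "clients": {"Firefox"},
    "protocols": {("transport", "tcp"), ("transport", "udp"), ("network", "ip")},
    "web": {"Jira"},
}

# Constructed host profiles (addresses and software versions are made up).
HOSTS = [
    {"ip": "10.0.1.10", "os": ("Microsoft", "Windows", "Server 2012"),
     "servers": [("http", "tcp", 80, "Microsoft", "IIS", "8.0")],
     "clients": [("Mozilla", "Firefox", "45")],
     "protocols": [("transport", "tcp"), ("network", "ip")],
     "web": ["Jira"]},
    {"ip": "10.0.1.11", "os": ("Canonical", "Ubuntu", "16.04"),
     "servers": [("ssh", "tcp", 22, "OpenBSD", "OpenSSH", "7.2")],
     "clients": [("Google", "Chrome", "58")],
     "protocols": [("transport", "sctp"), ("network", "ipv6")],
     "web": ["Facebook"]},
]

# Constructed detection time so the example is deterministic.
NOW = datetime(2016, 5, 4, 12, 0, 0, tzinfo=timezone.utc)


def evaluate_host(host, wl, now):
    """Return the violation rows one host profile produces against one white list."""
    ts = now.strftime("%Y-%m-%d %H:%M:%S")
    rows = []

    def add(vtype, info, port=None, proto=None):
        rows.append(Violation(ts, host["ip"], vtype, info, port, proto, wl["name"]))

    vendor, product, version = host["os"]
    if f"{vendor} {product}" not in wl["os"]:
        add("os", f"{vendor} {product} {version}")
    for app, proto, port, vendor, product, version in host["servers"]:
        if (app, proto, port) not in wl["servers"]:
            # Only application protocol violations carry Port and Protocol.
            add("server", f"{vendor} {product} {version}", port, proto)
    for vendor, product, version in host["clients"]:
        if product not in wl["clients"]:
            add("client", f"{vendor} {product} {version}")
    for layer, name in host["protocols"]:
        if (layer, name) not in wl["protocols"]:
            # Information records whether a network or transport protocol is at fault.
            add("protocol", f"{layer} protocol {name}")
    for name in host["web"]:
        if name not in wl["web"]:
            add("web", name)
    return rows


def evaluate_all(hosts, wl, now):
    """Current violations for every host, in host order."""
    return [r for h in hosts for r in evaluate_host(h, wl, now)]


def constrain(rows, *columns):
    """Mimic applying a column constraint in the table view: rows that become
    identical collapse into one and gain a Count. Returns {column values: count}."""
    return Counter(tuple(getattr(r, c) for c in columns) for r in rows)


if __name__ == "__main__":
    violations = evaluate_all(HOSTS, WHITE_LIST, NOW)
    for v in violations:
        print(v)
    print(constrain(violations, "type"))
```

Running the block reports no rows for the Windows host and six for the Ubuntu host; constraining on Type alone collapses the two protocol rows (sctp at the transport layer, ipv6 at the network layer) into a single row with a Count of 2, which is the behaviour the Count field description above refers to.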