Cisco FirePOWER Appliance 7020
18-15
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Using Drill-Down and Table View Pages
When you “drill down” to find more information for one or more destination ports, you automatically
select those events and the next page in the workflow appears. In this way, drill-down tables help you
reduce the number of events you are analyzing at one time.
The initial table view of intrusion events lists each intrusion event in its own row. The columns in the
table list information such as the time, the source IP address and port, the destination IP address and port,
the event priority, the event message, and more.
When you select events on a table view, instead of selecting events and displaying the next page in the
workflow, you add to what are called constraints. Constraints are limits that you impose on the types of
events that you want to analyze.
For example, if you click the close column icon in any column and clear Time from the drop-down list, you can remove Time as one of the columns. To narrow the list of events in your analysis, you can click the link for a value in one of the rows in the table view. For example, to limit your analysis to the events generated from one of the source IP addresses (presumably, a potential attacker), click the IP address in the Source IP Address column.
If you select one or more rows in a table view and then click View, the packet view appears. A packet view provides information about the packet that triggered the rule or the preprocessor that generated the event. Each section of the packet view contains information about a specific layer in the packet. You can expand collapsed sections to see more information.
Note: Because each portscan event is triggered by multiple packets, portscan events use a special version of the packet view. See for more information.
If the predefined workflows do not meet your specific needs, you can create custom workflows that
display only the information you are interested in. Custom intrusion event workflows can include
drill-down pages, a table view of events, or both; the system automatically includes a packet view as the
last page. You can easily switch between the predefined workflows and your own custom workflows
depending on how you want to investigate events.
Tip: explains how to use workflows and the features common to all workflow pages. This chapter also explains how to create and use custom intrusion event workflows.
For more information, see:
• , which explains how to use drill-down pages and the table view of events, which share many common features.
• , which explains how to use the features in the packet view.
• explains how to search the event database for specific intrusion events.
Using Drill-Down and Table View Pages
License: Protection
The workflows that you can use to investigate intrusion events take advantage of three different types of pages:
• drill-down pages