Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 38: Working with Discovery Events
Working with Users
The data used to generate the host history is stored in the user history database, which by default stores 10 million user login events. If you do not see any data in the host history for a particular user, either that user is inactive, or you may need to increase the database limit. For more information, see

To view user details and host history:
Access: Admin/Any Security Analyst
Step 1  You have two options:
  • In any event view that lists users, click the user icon that appears next to a user identity.
  • In any users workflow, click the Users terminating page.
User details appear.
Searching for Users
License: FireSIGHT
You can search for specific users. You may want to create searches customized for your network environment, then save them to reuse later.
General Search Syntax
The system displays examples of valid syntax next to each search field. When entering search criteria, keep the following points in mind:
  • All fields accept negation (!).
  • All fields accept comma-separated lists. If you enter multiple criteria, the search returns only the records that match all the criteria.
  • Many fields accept one or more asterisks (*) as wild cards.
  • For some fields, you can specify n/a or blank in the field to identify events where information is not available for that field; use !n/a or !blank to identify the events where that field is populated.
  • Most fields are case-insensitive.
  • IP addresses may be specified using CIDR notation. For information on entering IPv4 and IPv6 addresses in the FireSIGHT System, see .
  • Click the add object icon that appears next to a search field to use an object as a search criterion.
For detailed information on search syntax, including using objects in searches, see
.
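The syntax rules above, modeled as a small Python matcher for checking search criteria against exported user records offline. This is an added example, not Cisco code or part of the FireSIGHT System; the field names and sample records are constructed, and it assumes that a comma-separated list in one field matches when any item matches and that every field is case-insensitive.

```python
import ipaddress
import re

def _value_matches(term, text):
    """Compare one lowercased term with one lowercased field value."""
    try:
        # CIDR blocks and single addresses are compared as networks.
        return ipaddress.ip_address(text) in ipaddress.ip_network(term, strict=False)
    except ValueError:
        pass  # term or value is not an IP address: fall back to text matching
    # Only the asterisk is a wildcard; everything else is literal.
    pattern = ".*".join(re.escape(part) for part in term.split("*"))
    return re.fullmatch(pattern, text) is not None

def _item_matches(item, value):
    """Evaluate one list item, honoring a leading ! and n/a or blank."""
    negate = item.startswith("!")
    term = item.lstrip("!").strip().lower()
    missing = value is None or str(value).strip() == ""
    if term in ("n/a", "blank"):
        hit = missing
    else:
        hit = (not missing) and _value_matches(term, str(value).strip().lower())
    return hit != negate

def matches(record, search):
    """True when the record satisfies every field criterion in the search."""
    for field, criterion in search.items():
        items = [i.strip() for i in criterion.split(",") if i.strip()]
        # Assumption: items in one field's list are alternatives (any may match).
        if not any(_item_matches(i, record.get(field)) for i in items):
            return False
    return True

# Constructed sample records; field names are hypothetical.
USERS = [
    {"username": "JSmith", "type": "LDAP", "ip": "10.1.2.15", "department": "Finance"},
    {"username": "adoe", "type": "pop3", "ip": "192.168.7.9", "department": None},
    {"username": "jlee", "type": "aim", "ip": "2001:db8::5", "department": ""},
]

def search_users(search):
    """Return the usernames of the sample records that match the search."""
    return [u["username"] for u in USERS if matches(u, search)]

if __name__ == "__main__":
    print(search_users({"type": "!aim", "ip": "10.0.0.0/8"}))
```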
Specific User Search Criteria
For user type, valid search criteria are ldap, pop3, imap, and aim; because users are not added to the database based on SMTP logins, entering smtp will not return any results.
To search for users:
Access: Admin/Any Security Analyst
Step 1  Select Analysis > Search.