Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 18      Working with Intrusion Events
  Viewing Intrusion Events
The first page of the default intrusion events workflow appears.
Viewing associated data is most useful when navigating between table views of events. See 
 to learn more about how to narrow your 
view to the intrusion events that are important to your analysis.
Step 2
Select the intrusion events using the check boxes in the event viewer, then select Connections from the Jump to drop-down list.
You can view the intrusion events associated with particular connections in a similar way. For more 
information, see 
When you view associated events, the Defense Center uses your default connection data workflow. For 
more information on connection data, see 
.
Tip
If you are using a custom workflow that does not include the table view of intrusion events, select any of the predefined workflows that ship with the appliance by clicking (switch workflow) next to the workflow title.
Reviewing Intrusion Events
License: Protection
If you have examined an intrusion event and are confident that the event does not represent a threat to 
your network security (perhaps because you know that none of the hosts on your network are vulnerable 
to the detected exploit), you can mark the event reviewed. Your name appears as the reviewer, and the 
reviewed event is no longer listed in the default intrusion events view. Events that you mark reviewed 
remain in the event database, but no longer appear in intrusion event views. 
To mark an intrusion event reviewed:
Access: Admin/Intrusion Admin
Step 1
On a page that displays intrusion events, you have two options:
  • To mark one or more intrusion events from the list of events, select the check boxes next to the events and click Review.
  • To mark all intrusion events from the list of events, click Review All.
A success message appears and the list of reviewed events is updated.
See 
 to learn more about the events that appear in intrusion 
event views. See 
 to learn more about 
how to narrow your view to the intrusion events that are important to your analysis.
Note
Although they do not appear on intrusion event-related workflow pages, reviewed events are 
included in the event summary statistics.