Cisco Cisco Firepower Management Center 4000

The IP address associated with the host involved in the event.

The last user to log into the host involved in the event before the event was generated. If only 
non-authoritative users log in after an authoritative user, the authoritative user remains the current 
user for the host unless another authoritative user logs in.

The MAC address of the NIC used by the network traffic that triggered the discovery event. This 
MAC address can be either the actual MAC address of the host involved in the event, or the MAC 
address of a network device that the traffic passed through.

The MAC hardware vendor of the NIC used by the network traffic that triggered the discovery event.

The port used by the traffic that triggered the event, if applicable.

The text description of the event.

The name of the device that generated the event. For new host and new server events based on 
NetFlow data, this is the device that processed the NetFlow data.

FireSIGHT

You can search for specific discovery events. You may want to create searches customized for your 
network environment, then save them to reuse later. 

The system displays examples of valid syntax next to each search field. When entering search criteria, 
keep the following points in mind:

All fields accept negation (

!

).

All fields accept comma-separated lists. If you enter multiple criteria, the search returns only the 
records that match all the criteria.

Many fields accept one or more asterisks (

*

) as wild cards.

For some fields, you can specify 

n/a

 or 

blank

 in the field to identify events where information is not 

available for that field; use 

!n/a

 or 

!blank

 to identify the events where that field is populated.

Most fields are case-insensitive.

IP addresses may be specified using CIDR notation.

Click the add object icon (

) that appears next to a search field to use an object as a search 

criterion.