Cisco Cisco Firepower Management Center 4000

For detailed information on search syntax, including using objects in searches, see 

.

The following table notes search information specific to particular discovery event fields. For more 
information on discovery event fields, see 

Admin/Any Security Analyst

Select 

.

The Search page appears.

From the 

 drop-down list, select 

.

The page reloads with the appropriate constraints.

Optionally, if you want to save the search, enter a name for the search in the 

 field.

If you do not enter a name, one is created automatically when you save the search.

Enter your search criteria in the appropriate fields, as described in 

and 

If you enter multiple criteria, the search returns only the records that match all the criteria. Click the add 
icon (

) that appears next to a search field to use an object as a search criterion. 

If you want to save the search so that other users can access it, clear the 

 check box. 

Otherwise, leave the check box selected to save the search as private.

If you want to use the search as a data restriction for a custom user role, you must save it as a private 
search.

You have the following options:

Click 

 to start the search.

Your search results appear in the default discovery events workflow, constrained by the current time 
range. To use a different workflow, including a custom workflow, click 

. For 

information on specifying a different default workflow, see 

. 

Event

The range of event names is listed in 

 and 

MAC Vendor

To search for virtual MAC vendors, that is, for events that involve virtual machines, type 

virtual_mac_vendor

.

To search for a vendor whose name includes a comma, enclose the entire search term in quotes. 
Otherwise, the Defense Center treats the term as two searches and returns events that match each 
search term. 

Port

Note that you cannot:

enter a port/protocol combination as you can when searching for other kinds of events

use spaces when specifying port numbers or ranges.