Cisco Firepower Management Center 4000
38-37
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Working with Servers
Current User
The user identity (username) of the currently logged in user on the host.
Note that when a non-authoritative user logs into a host, that login is recorded in the user and host
history. If no authoritative user is associated with the host, a non-authoritative user can be the current
user for the host. However, after an authoritative user logs into the host, only a login by another
authoritative user changes the current user. In addition, when a non-authoritative user is the current
user on a host, that user still cannot be used for user control.
Count
The number of events that match the information that appears in each row. Note that the Count field
appears only after you apply a constraint that creates two or more identical rows.
Searching for Servers
License: FireSIGHT
You can search for specific servers that are running on monitored hosts by using one of the predefined
searches or by using your own search criteria. The predefined searches serve as examples and can
provide quick access to important information about your network.
You may want to modify specific fields within the default searches to customize them for your network
environment, then save them to reuse later. The fields you can use to retrieve data are described in .
When searching for servers, you should keep in mind that although you can configure the network
discovery policy to add applications, including servers, to the network map based on data exported by
NetFlow-enabled devices, the available information about these servers is limited. For more information,
see
General Search Syntax
The system displays examples of valid syntax next to each search field. When entering search criteria,
keep the following points in mind:
• All fields accept negation (!).
• All fields accept comma-separated lists. If you enter multiple criteria, the search returns only the
records that match all the criteria.
• Many fields accept one or more asterisks (*) as wild cards.
• For some fields, you can specify n/a or blank in the field to identify events where information is not
available for that field; use !n/a or !blank to identify the events where that field is populated.
• Most fields are case-insensitive.
• IP addresses may be specified using CIDR notation. For information on entering IPv4 and IPv6
addresses in the FireSIGHT System, see .
• Click the add object icon that appears next to a search field to use an object as a search criterion.
For detailed information on search syntax, including using objects in searches, see .
To search for servers:
Access: Admin/Any Security Analyst