Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 38      Working with Discovery Events 
  Working with User Activity
You can view a table of user activity, and then manipulate the event view depending on the information 
you are looking for.
The page you see when you access user activity differs depending on the workflow you use. You can use 
the predefined workflow, which includes the table view of user activity and terminates in a user details 
page, which contains user details for every user that meets your constraints. You can also create a custom 
workflow that displays only the information that matches your specific needs. For information on 
creating a custom workflow, see 
.
For more information about the contents of the columns in the table, see .
The following table describes some of the specific actions you can perform on a
user activity workflow page. You can also perform the actions in the table.
To view user activity:
Access: Admin/Any Security Analyst
Step 1  Select Analysis > Users > User Activity.
The first page of the default user activity workflow appears. To use a different workflow, including a
custom workflow, click (switch workflow). For information on specifying a different default workflow,
see . If no events appear, you may need to adjust the time range; see .
Tip  If you are using a custom workflow that does not include the table view of user activity, click
(switch workflow), then select User Activity.
Understanding the User Activity Table
License: FireSIGHT
When the system detects user activity, it is logged to the database. Descriptions of the fields in the users 
table follow.
Time
The time that the system detected the user activity.
Event
The user activity type. For more information, see .
User
The user associated with the activity. At a minimum, this field contains a username and the protocol 
used to detect the user. If there is LDAP metadata on the user, this field may also contain the first 
name and last name of the user.
User Type
The protocol used to detect the user. For example, for users added to the database when the system 
detects a POP3 login, the user type is pop3.