The FireSIGHT System is delivered with a set of predefined workflows (described in the sections that
follow) that you can use to analyze the events and other data it collects.

Custom workflows are workflows that you create to meet the unique needs of your organization. When
you create a custom workflow, you choose the kind of event (or database table) on which the workflow
is based. On the Defense Center, you can base a custom workflow on a custom table. You can also choose
the pages a custom workflow contains; custom workflows can contain drill-down, table view, and host
or packet view pages.

The Defense Center is delivered with several saved custom workflows, which are based on the saved
custom tables that are also delivered with the Defense Center. The differences between workflows based
on predefined and custom tables is described in the next section,

Comparing Workflows for Predefined

and Custom Tables

Comparing Workflows for Predefined and Custom Tables

License:

FireSIGHT

You can use the custom tables feature to create tables that use the data from two or more types of events.
This is useful because you can, for example, create tables and workflows that correlate intrusion event
data with discovery data to allow simple searches for events that affect critical systems. See

Using

Custom Tables, page 46-1

for information about creating custom tables.

Each custom table has, by default, a workflow that you can use to view the events associated with the
table. The features in the workflow differ depending on which type of table you use. For example, custom
table workflows based on the intrusion event table always end with the packet view. However, custom
table workflows based on discovery events end with the host view.

Unlike workflows based on the predefined event tables, workflows based on custom tables do not have
links to other types of workflows.