Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 47: Understanding and Using Workflows
Using Workflows

Using Geolocation
License: FireSIGHT
Supported Devices: feature dependent
Supported Defense Centers: Any except DC500

While monitoring your network, the geolocation feature provides you with additional data about the 
geographical sources of routable IP addresses (country, continent, and so on). You can use this data to 
determine if, for example, connections are originating from or terminating in countries unconnected with 
your organization. 
Geolocation information is available for intrusion events, connection events, file events, malware events, 
host profiles, and user profiles. Geolocation information is also available in the Context Explorer and 
the dashboard. 
Country flags and codes
In some workflow pages, such as those for connection events, intrusion events, file events, and 
malware events, routable IP addresses include information about the associated country. When 
this geolocation information is available, the country’s flag and ISO code appear in the 
appropriate column (such as Source Country). Hover your pointer over the flag to view the 
country name. When viewing individual (rather than aggregated) data points, you can click the 
flag icon to view further geolocation details. See for more information.
Note that the DC500 Defense Center does not support geolocation data.

Table 47-22 Table View and Drill-Down Page Features (continued)

Feature: Search Constraints
Description:
Lists the values, if present, constraining the data view. Click the expand arrow to display
the active constraints and disabled columns list or the collapse arrow to hide the list from
view. By default, this list is collapsed, which is useful when the list of constraints is long and
takes up too much of the screen.
To remove a single constraint, click it. To remove a compound constraint, click Compound Constraints.
Click Edit Search or Save Search to open a search page pre-populated with the current single
constraints. See for more information.
Note: Compound constraints are constraints created based on rows with multiple non-count
values. You cannot perform a search or save a search on a compound constraint.

Feature: Time Range
Description:
The date range located in the upper right corner of the page sets a time range for events to
include in the workflow. See for more information.
Note that events that were generated outside the appliance's configured time window (whether
global or event-specific) may appear in an event view if you constrain the event view by time.
This may occur even if you configured a sliding time window for the appliance.

Feature: Workflow Page Links
Description:
Workflow page links appear in the upper left corner of predefined workflow table view and
drill-down pages, above events and below the workflow name. Click a workflow page link to
display that page using any active constraints.

Feature: Workflow Name
Description:
The name of the workflow appears at the top of the page. Beside it, when applicable, is the
(switch workflows) link, which you can use to select other workflows of the same type.