Cisco Cisco Firepower Management Center 4000
47-24
FireSIGHT System User Guide
Chapter 47 Understanding and Using Workflows
Using Workflows
Changing the Time Window
License: Any
Regardless of the default time window, you can manually change the time window during your event
analysis.
Note
Manual time window settings are valid for only the current session. When you log out and then log back
in, time windows are reset to the default.
Depending on the number of time windows you configured, changing the time window for one workflow
may affect other workflows on the appliance. For example, if you have a single, global time window,
changing the time window for one workflow changes it for all other workflows on the appliance. On the
other hand, if you are using multiple time windows, changing the audit log or health event workflow time
windows has no effect on any other time window, while changing the time window for other kinds of
events affects all events that can be constrained by time (with the exception of audit events and health
events).
Note that because not all workflows can be constrained by time, time window settings have no effect on
workflows based on hosts, host attributes, applications, application details, vulnerabilities, users, or
white list violations.
Use the Time Window tab on the Date/Time window to manually configure a time window. Depending
on the number of time windows you configured in your default time window settings, the tab’s title is
one of the following:
• Events Time Window, if you configured multiple time windows and are setting the time window for a workflow other than the audit log or health events workflow
• Health Monitoring Time Window, if you configured multiple time windows and are setting the time window for the health events workflow
• Audit Log Time Window, if you configured multiple time windows and are setting the time window for the audit log
• Global Time Window, if you configured a single time window
The first decision you must make when configuring a time window is the type of time window you want
to use:
• A static time window displays all the events generated from a specific start time to a specific end time.
• An expanding time window displays all the events generated from a specific start time to the present; as time moves forward, the time window expands and new events are added to the event view.
• A sliding time window displays all the events generated from a specific start time (for example, one week ago) to the present; as time moves forward, the time window “slides” so that you see only the events for the range you configured (in this example, for the last week).
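The three window types and the scoping rules described above, modelled as an added Python example. This is not Cisco code and not how the appliance implements time windows; the function names, the sample workflow names and the events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Workflows the guide lists as not constrained by time.
UNTIMED = {"hosts", "host attributes", "applications", "application details",
           "vulnerabilities", "users", "white list violations"}
SEPARATE = ("audit log", "health events")  # own windows when multiple are configured

def window_bounds(kind, now, start=None, end=None, span=None):
    """Return the (start, end) range a window covers when viewed at `now`."""
    if kind == "static":      # fixed start and fixed end
        return start, end
    if kind == "expanding":   # fixed start, end is always "Now"
        return start, now
    if kind == "sliding":     # fixed length, both edges move with `now`
        return now - span, now
    raise ValueError(f"unknown window type: {kind}")

def visible_events(events, kind, now, **cfg):
    """Names of the events that fall inside the window at time `now`."""
    lo, hi = window_bounds(kind, now, **cfg)
    return [name for ts, name in events if lo <= ts <= hi]

def affected_workflows(changed, workflows, multiple_windows):
    """Workflows whose window moves when the window of `changed` is edited."""
    timed = [w for w in workflows if w not in UNTIMED]
    if changed in UNTIMED:
        return []                     # time windows have no effect here
    if not multiple_windows:
        return timed                  # single global window
    if changed in SEPARATE:
        return [changed]              # audit/health windows are independent
    return [w for w in timed if w not in SEPARATE]

# Constructed sample data: four events around a reference time T0.
T0 = datetime(2024, 1, 8, 12, 0)
WEEK = timedelta(days=7)
EVENTS = [(T0 - timedelta(days=10), "e1"), (T0 - timedelta(days=6), "e2"),
          (T0 - timedelta(days=1), "e3"), (T0 + timedelta(days=2), "e4")]
WORKFLOWS = ["intrusion events", "connection events", "audit log",
             "health events", "hosts"]  # sample names

if __name__ == "__main__":
    later = T0 + timedelta(days=3)    # same view, three days on
    for kind, cfg in [("static", {"start": T0 - WEEK, "end": T0}),
                      ("expanding", {"start": T0 - WEEK}),
                      ("sliding", {"span": WEEK})]:
        print(kind, visible_events(EVENTS, kind, T0, **cfg),
              visible_events(EVENTS, kind, later, **cfg))
    print(affected_workflows("intrusion events", WORKFLOWS, True))
```

Viewed three days later, the sliding window no longer shows event e2, so an analyst returning to an investigation should use a static window to keep the same evidence in view.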
Depending on what type you select, the Date/Time window changes to give you different configuration
options. The following graphic shows the Date/Time window, specifying that you want to use an
expanding time window. With expanding time windows, the End Time calendar is grayed out and
specifies that the end time is “Now.”