Cisco Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 47 Understanding and Using Workflows
Using Workflows
...then the constrained page includes only the events with that IP address:
Tip
The procedure for constraining connection events based on Monitor rule criteria is slightly different and
you may need to take some extra steps. Additionally, you cannot constrain connection events by
associated file or intrusion information. For more information, see
You can also use searches to constrain the information in a workflow. The search criteria you enter on
the search page are listed as the constraints at the top of the page, with the resulting events constrained
accordingly. On the Defense Center, the current constraints are also applied when navigating to other
workflows, unless they are compound constraints (see
When searching, you must pay careful attention to whether your search constraints apply to the table you
are searching. For example, client data is not available in connection summaries. If you search for
connection events based on the detected client in the connection and then view the results in a connection
summary event view, the Defense Center displays connection data as if you had not constrained it at all.
Invalid constraints are labeled as not applicable (N/A) and are marked with a strikethrough.
The following table describes each of the actions you can perform when applying a constraint.
Table 47-27 Search Constraint Functions

| To... | Click... |
| --- | --- |
| constrain the view to events that match a single value | the value in the table. For example, if you are viewing a list of logged connections and want to constrain the list to only those you allowed using access control, click Allow in the Action column. As another example, if you are viewing intrusion events and want to constrain the list to only events where the destination port is 80, click 80 (http)/tcp in the DST Port/ICMP Code column. |
| constrain the view to events that match multiple values | the check box for events with those values and click View. Note that a compound constraint is added if the row contains multiple non-count values. For more information on compound constraints, see |