Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 47      Understanding and Using Workflows
  Using Workflows
Using Compound Constraints
License: Any
Compound constraints are based on all non-count values for a specific event. When you select a row with multiple non-count values, you set a compound constraint that only retrieves events matching all the non-count values in that row on that page. For example, if you select a row that has a source IP address of 10.10.31.17 and a destination IP address of 10.10.31.15 and a row that has a source IP address of 172.10.10.17 and a destination IP address of 172.10.10.15, you retrieve all of the following:
  • Events that have a source IP address of 10.10.31.17 AND a destination IP address of 10.10.31.15
OR
  • Events that have a source IP address of 172.10.31.17 AND a destination IP address of 172.10.31.15
When you combine compound constraints with simple constraints, the simple constraints are distributed across each set of compound constraints. If, for example, you added a simple constraint for a protocol value of tcp to the compound constraints listed above, you retrieve all of the following:
  • Events that have a source IP address of 10.10.31.17 AND a destination IP address of 10.10.31.15 AND a protocol of tcp
OR
  • Events that have a source IP address of 172.10.31.17 AND a destination IP address of 172.10.31.15 AND a protocol of tcp
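
The matching logic described above, as an added example (not code from the FireSIGHT System or from Cisco): each selected row is an AND group, the groups are ORed, and simple constraints are copied into every group. The field names, the sample events, and the per-column comparison filter are assumptions made for illustration; the second row uses the 172.10.10.x addresses from the row-selection sentence.

```python
# Added example; field names and events are constructed for illustration.

def distribute(compound_rows, simple=None):
    """Copy every simple constraint into each selected row (each AND group).
    Assumes simple constraints are on columns the rows do not already fix."""
    simple = simple or {}
    return [{**row, **simple} for row in compound_rows] or [dict(simple)]

def constrain(events, compound_rows, simple=None):
    """Keep events matching ALL values of ANY one distributed group."""
    groups = distribute(compound_rows, simple)
    return [e for e in events
            if any(all(e.get(k) == v for k, v in g.items()) for g in groups)]

def per_column(events, allowed):
    """Contrast: each column filtered independently against a set of values."""
    return [e for e in events
            if all(e.get(k) in vals for k, vals in allowed.items())]

def ids(events):
    return [e["id"] for e in events]

# The two rows selected in the text above.
ROWS = [
    {"src_ip": "10.10.31.17", "dst_ip": "10.10.31.15"},
    {"src_ip": "172.10.10.17", "dst_ip": "172.10.10.15"},
]

# Constructed sample events; event 4 mixes a source from one row with a
# destination from the other.
EVENTS = [
    {"id": 1, "src_ip": "10.10.31.17", "dst_ip": "10.10.31.15", "protocol": "tcp"},
    {"id": 2, "src_ip": "10.10.31.17", "dst_ip": "10.10.31.15", "protocol": "udp"},
    {"id": 3, "src_ip": "172.10.10.17", "dst_ip": "172.10.10.15", "protocol": "tcp"},
    {"id": 4, "src_ip": "10.10.31.17", "dst_ip": "172.10.10.15", "protocol": "tcp"},
    {"id": 5, "src_ip": "192.0.2.8", "dst_ip": "10.10.31.15", "protocol": "tcp"},
]

if __name__ == "__main__":
    print(ids(constrain(EVENTS, ROWS)))                       # compound only
    print(ids(constrain(EVENTS, ROWS, {"protocol": "tcp"})))  # plus simple
    print(ids(per_column(EVENTS, {
        "src_ip": {"10.10.31.17", "172.10.10.17"},
        "dst_ip": {"10.10.31.15", "172.10.10.15"},
    })))                                                      # includes event 4
```

Event 4 is excluded by the compound constraint but passes the per-column filter, which is why a row-based selection is narrower than listing both addresses in each column.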
You cannot perform a search or save a search on a compound constraint. You also cannot retain compound constraints when you use the event view links or click (switch workflow) to switch to another workflow. If you bookmark an event view with compound constraints applied, the constraints are not saved with the bookmark.

Table 47-27 Search Constraint Functions (continued)

| To... | Click... |
|---|---|
| remove a constraint | the name of the constraint in the Search Constraints box. |
| edit constraints using the search page | Edit Search in the Search Constraints box. Use this feature when you want to constrain against multiple values in a single column. For example, if you want to view the events related to two IP addresses, click Edit Search, then modify the appropriate IP address field on the Search page to include both addresses, and then click Search. |
| save constraints as a saved search | Save Search in the Search Constraints box and give the query a name. Note that you cannot save queries containing compound constraints. For more information on compound constraints, see |
| use the same constraints with another event view | Jump to and select the event view. See for more information. Note that you do not retain compound constraints when you switch to another workflow. For more information on compound constraints, see |
| toggle the display of constraints | the expand arrow ( ). This is useful when the list of constraints is large and takes up most of the screen. |