Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 4 Using the Context Explorer
Working with Filters in the Context Explorer
In the Filter field, you can input special search parameters such as * and !, essentially as you can in event searches. You can create exclusionary filters by prefixing filter parameters with the ! symbol. For more information on the search constraints typically supported by the FireSIGHT System, see
When multiple filters are active, values for the same data type are treated as OR search criteria: all data that matches at least one of the values appears. Values for different data types are treated as AND search criteria: to appear, data must match at least one value for each filtered data type. For example, data that appears for the filter set of Application: 2channel, Application: Reddit, and User: edickinson must be associated with the user edickinson AND either the application 2channel OR the application Reddit.
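The combination rules above (OR within a data type, AND across data types, ! for exclusion, * as a wildcard) are easy to get wrong when reading a filter bar, so here is a small evaluator that reproduces them over a handful of constructed events. This is an added example, not code from the FireSIGHT guide or from Cisco; the event field names (including the assumption that an IP Address filter is compared against both a Source IP and a Destination IP field, following the table note that an address matches as either endpoint), the glob-style treatment of *, and case-insensitive matching are all my assumptions.

```python
"""Evaluator for Context Explorer style filter sets (added example).

Assumptions (mine, not the product's):
- a filter is a (data_type, value) pair; a leading '!' makes it exclusionary;
- '*' is a glob wildcard with fnmatch semantics; matching is case-insensitive;
- an event is a dict keyed by data type; 'IP Address' is checked against the
  constructed 'Source IP' and 'Destination IP' keys.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Data types compared against several event fields (field names are assumed).
COMPOSITE_FIELDS = {"IP Address": ("Source IP", "Destination IP")}


def _candidates(event, data_type):
    """Values in the event that a filter on data_type is compared against."""
    keys = COMPOSITE_FIELDS.get(data_type, (data_type,))
    return [str(event[k]) for k in keys if k in event]


def _matches(pattern, value):
    return fnmatchcase(value.lower(), pattern.lower())


def event_matches(event, filters):
    """True if the event satisfies every filtered data type.

    Same data type: positive values are ORed (any one may match) and every
    exclusionary value must fail to match. Different data types are ANDed.
    """
    groups = defaultdict(lambda: {"include": [], "exclude": []})
    for data_type, value in filters:
        if value.startswith("!"):
            groups[data_type]["exclude"].append(value[1:])
        else:
            groups[data_type]["include"].append(value)

    for data_type, group in groups.items():
        values = _candidates(event, data_type)
        # At least one positive value must match (if any positive values exist).
        if group["include"] and not any(
            _matches(p, v) for p in group["include"] for v in values
        ):
            return False
        # No exclusionary value may match.
        if any(_matches(p, v) for p in group["exclude"] for v in values):
            return False
    return True


def apply_filters(events, filters):
    """Return the subset of events that the filter set keeps."""
    return [e for e in events if event_matches(e, filters)]


# Constructed sample events; every value is illustrative only.
SAMPLE_EVENTS = [
    {"id": 1, "Application": "2channel", "User": "edickinson",
     "Source IP": "192.168.1.3", "Destination IP": "10.0.0.8"},
    {"id": 2, "Application": "Reddit", "User": "edickinson",
     "Source IP": "192.168.1.4", "Destination IP": "10.0.0.9"},
    {"id": 3, "Application": "Reddit", "User": "wsmith",
     "Source IP": "10.0.0.8", "Destination IP": "192.168.1.5"},
    {"id": 4, "Application": "2channel", "User": "mtwain",
     "Source IP": "192.168.1.6", "Destination IP": "10.0.0.10"},
]


def matching_ids(filters, events=SAMPLE_EVENTS):
    """Ids of the sample events kept by the filter set."""
    return [e["id"] for e in apply_filters(events, filters)]


if __name__ == "__main__":
    # The guide's own example: user edickinson AND (2channel OR Reddit).
    print(matching_ids([("Application", "2channel"), ("Application", "Reddit"),
                        ("User", "edickinson")]))      # [1, 2]
    print(matching_ids([("User", "!edickinson")]))      # [3, 4]
    print(matching_ids([("Application", "2ch*")]))      # [1, 4]
    print(matching_ids([("IP Address", "10.0.0.8")]))   # [1, 3]
```

The first call is the guide's own example and keeps only the two edickinson events; the last shows why the table's IP Address note matters, since event 3 is kept on its source address and event 1 on its destination address.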
After you confirm a data type and value for your filter, a filter widget appears at the top left of the page, displaying the new filter’s data type and value.
Table 4-2 Filter Data Types (continued)

| Type | Example Values | Definition |
|---|---|---|
| File Disposition | Malware, Clean | Cloud-determined disposition of a file for which the Defense Center performed a malware cloud lookup |
| File Name | Packages.bz2 | Name of a file detected in network traffic |
| File SHA256 | any 32-bit string | SHA-256 hash value of a file for which the Defense Center performed a malware cloud lookup |
| File Type | GZ, SWF, MOV | File type detected in network traffic |
| File Type Category | Archive, Multimedia, Executables | General category of file type detected in network traffic |
| IP Address | 192.168.1.3, 2001:0db8:85a3::0000/24 | IPv4 or IPv6 addresses, address ranges, or address blocks. Note that searching for an IP address returns events where that address was either the source or the destination for the event |
| Impact Level | Impact Level 1, Impact Level 2 | Estimated impact of an event on your monitored network |
| Inline Result | dropped, would have dropped | Whether traffic was dropped, would have been dropped, or was not acted upon by the system |
| IOC Category | High Impact Attack, Malware Detected | Category for a triggered Indication of Compromise (IOC) event |
| IOC Event Type | exploit-kit, malware-backdoor | Identifier associated with a specific Indication of Compromise (IOC), referring to the event that triggers it |
| Malware Threat Name | W32.Trojan.a6b1 | The name of a malware threat |
| OS Name | Windows, Linux | Name of an operating system |
| OS Version | XP, 2.6 | Specific version of an operating system |
| Priority | high, low | Estimated urgency of an event |
| Security Intelligence Category | Malware, Spam | Category of risky traffic, as determined by Security Intelligence |
| Security Zone | My Security Zone, Security Zone X | A set of interfaces through which traffic is analyzed and, in an inline deployment, passes |
| User | wsmith, mtwain | Identity of a user logged in to a host on your monitored network |