Cisco Firepower Management Center 4000
FireSIGHT System User Guide

Chapter 18      Working with Intrusion Events
Viewing Intrusion Events
If you perform a backup and then delete reviewed intrusion events, restoring your backup restores the 
deleted intrusion events but does not restore their reviewed status. You view those restored intrusion 
events under Intrusion Events, not under Reviewed Events.
To quickly view the connection events associated with one or more intrusion events, select the intrusion events using the check boxes in the event viewer, then select Connections from the Jump to drop-down list. This is most useful when navigating between table views of events. You can also view the intrusion events associated with particular connections in the same way.
For more information, see the sections that follow in this chapter.
To view intrusion events:
Access: Admin/Intrusion Admin
Step 1      Select Analysis > Intrusions > Events.
The first page of the default intrusion events workflow appears. You can specify a different default workflow if needed. If no events appear, you may need to adjust the time range of the event view.
Tip      If you are using a custom workflow that does not include the table view of intrusion events, select any of the predefined workflows that ship with the appliance by clicking (switch workflow) next to the workflow title.
The sections that follow describe the events that appear in intrusion event views and how to narrow your view to the intrusion events that are important to your analysis.
Understanding Intrusion Events
License: Protection
The system examines the packets that traverse your network for malicious activity that could affect the 
availability, integrity, and confidentiality of a host and its data. When the system identifies a possible 
intrusion, it generates an intrusion event, which is a record of the date, time, the type of exploit, and 
contextual information about the source of the attack and its target. For packet-based events, a copy of 
the packet or packets that triggered the event is also recorded.
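The following is an added example, not code from the FireSIGHT System or this guide. It models an intrusion event record with the fields the paragraph above lists (date and time, exploit type, source and target context, an optional packet copy, and the analyst's reviewed flag) and implements the "Jump to > Connections" pivot described earlier in this section over constructed sample data. The join rule it uses (same 5-tuple in either direction, with the intrusion timestamp inside the connection's packet window plus a few seconds of slack) is this example's own assumption; the page does not state how the system associates the two event types. All record shapes, field names and sample values are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IntrusionEvent:
    """Hypothetical record shape modelled on the fields this page lists."""
    event_id: int
    timestamp: datetime              # date and time the event was generated
    message: str                     # "type of exploit": the triggering rule's message
    src_ip: str                      # source of the attack ...
    src_port: int
    dst_ip: str                      # ... and its target
    dst_port: int
    proto: str
    packet: Optional[bytes] = None   # copy of the triggering packet (packet-based events only)
    reviewed: bool = False           # analyst-set flag; the page notes a backup does not preserve it


@dataclass(frozen=True)
class ConnectionEvent:
    """Hypothetical connection record: one flow with its first/last packet times."""
    conn_id: int
    first_packet: datetime
    last_packet: datetime
    initiator_ip: str
    initiator_port: int
    responder_ip: str
    responder_port: int
    proto: str


def _same_flow(ie: IntrusionEvent, ce: ConnectionEvent) -> bool:
    """True if the intrusion's 5-tuple matches the connection in either direction.

    A rule can fire on the responder's traffic (for example a client-side exploit
    delivered by a server), so the intrusion's src/dst may be the connection's
    responder/initiator rather than initiator/responder.
    """
    if ie.proto != ce.proto:
        return False
    ie_tuple = (ie.src_ip, ie.src_port, ie.dst_ip, ie.dst_port)
    forward = (ce.initiator_ip, ce.initiator_port, ce.responder_ip, ce.responder_port)
    reverse = (ce.responder_ip, ce.responder_port, ce.initiator_ip, ce.initiator_port)
    return ie_tuple in (forward, reverse)


def associated_connections(ie: IntrusionEvent, connections: Iterable[ConnectionEvent],
                           slack: timedelta = timedelta(seconds=5)) -> List[ConnectionEvent]:
    """Connections that plausibly carried `ie`.

    Assumed join (not stated on the page): same flow, and the intrusion timestamp
    falls inside the connection's packet window widened by `slack` on each side.
    The slack absorbs clock skew between the intrusion and connection timestamps.
    """
    hits = [
        ce for ce in connections
        if _same_flow(ie, ce)
        and ce.first_packet - slack <= ie.timestamp <= ce.last_packet + slack
    ]
    return sorted(hits, key=lambda ce: (ce.first_packet, ce.conn_id))


def jump_to_connections(selected: Iterable[IntrusionEvent], connections: Iterable[ConnectionEvent],
                        slack: timedelta = timedelta(seconds=5)) -> List[ConnectionEvent]:
    """The multi-select pivot: union of the connections for every selected event,
    de-duplicated when several intrusion events map to the same connection."""
    connections = list(connections)
    by_id = {}
    for ie in selected:
        for ce in associated_connections(ie, connections, slack):
            by_id.setdefault(ce.conn_id, ce)
    return sorted(by_id.values(), key=lambda ce: (ce.first_packet, ce.conn_id))


# Constructed sample data; not real FMC output.
T0 = datetime(2014, 6, 1, 10, 0, 0)
CONNECTIONS = [
    ConnectionEvent(100, T0, T0 + timedelta(seconds=5), "10.1.1.5", 51234, "192.0.2.10", 80, "tcp"),
    # Same hosts, different client port: a separate flow.
    ConnectionEvent(101, T0 + timedelta(minutes=5), T0 + timedelta(minutes=5, seconds=2),
                    "10.1.1.5", 51300, "192.0.2.10", 80, "tcp"),
    # Same 5-tuple reused earlier (port reuse); outside the time window, so not a match.
    ConnectionEvent(102, T0 - timedelta(seconds=60), T0 - timedelta(seconds=30),
                    "10.1.1.5", 51234, "192.0.2.10", 80, "tcp"),
]
INTRUSIONS = [
    IntrusionEvent(1, T0 + timedelta(seconds=3), "constructed: web server exploit attempt",
                   "10.1.1.5", 51234, "192.0.2.10", 80, "tcp", packet=b"GET /../../ HTTP/1.1\r\n"),
    # Fired on the server's reply, so src/dst are reversed relative to the connection.
    IntrusionEvent(2, T0 + timedelta(seconds=4), "constructed: malicious server response",
                   "192.0.2.10", 80, "10.1.1.5", 51234, "tcp"),
    # No connection record for this flow at all.
    IntrusionEvent(3, T0 + timedelta(seconds=10), "constructed: unrelated mDNS event",
                   "10.1.1.7", 5353, "224.0.0.251", 5353, "udp"),
]

if __name__ == "__main__":
    for ie in INTRUSIONS:
        ids = [ce.conn_id for ce in associated_connections(ie, CONNECTIONS)]
        print(f"intrusion {ie.event_id} ({ie.message}): connections {ids}")
    print("jump to connections for all selected:",
          [ce.conn_id for ce in jump_to_connections(INTRUSIONS, CONNECTIONS)])
```

Running the block shows event 1 and event 2 both resolving to connection 100 (the second via the reversed tuple), event 3 resolving to nothing, and the multi-select pivot returning connection 100 once rather than twice. The port-reuse case (connection 102) is why the time window matters: a 5-tuple alone is not a unique flow identifier over any realistic retention period.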