Cisco Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Using Drill-Down and Table View Pages
The number of intrusion events that appear on the event views may be quite large, depending on:
• the time range you select
• the amount of traffic on your network
• the intrusion policy you apply
To make it easier to analyze intrusion events, you can constrain the event pages. The constraining
processes are slightly different for drill-down views and the table view of intrusion events.
Tip
The time range pauses when you click one of the links at the bottom of the intrusion event workflow
page to navigate to another page, and resumes when you click to take any other action on the subsequent
page, including exiting the workflow; this reduces the likelihood of displaying the same events as you
navigate to other pages in the workflow to see more events. For more information, see
and
The following table describes how to use the drill-down pages.
Table 18-2 Intrusion Event Common Features (continued)

To: mark events reviewed to remove them from intrusion event pages, but not the event database
You can: use one of the following methods:
• To review selected intrusion events, select the check boxes next to events you want to review, then click Review.
• To review all the intrusion events in the current constrained view, click Review All.
For more information, see

To: download a local copy of the packet (a packet capture file in libpcap format) that triggered each selected event
You can: use one of the following methods:
• To download the packets that triggered the selected intrusion events, select the check boxes next to events triggered by the packets you want to download, then click Download Packets.
• To download all packets that triggered the intrusion events in the current constrained view, click Download All Packets.
Captured packets are saved in libpcap format. This format is used by several popular protocol analyzers.

To: navigate to other event views to view associated events
You can: find more information in

To: temporarily use a different workflow
You can: click (switch workflow). For more information, see .

To: bookmark the current page so that you can quickly return to it
You can: click Bookmark This Page. For more information, see

To: view the Intrusion Events section of the Summary Dashboard
You can: click Dashboards. For more information, see .

To: navigate to the bookmark management page
You can: click View Bookmarks. For more information, see .

To: generate a report based on the data in the current view
You can: click Report Designer. For more information, see .
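
The packet download entry in Table 18-2 states that captures are saved in libpcap format. The following is an added example, not part of the Cisco guide: a check that a downloaded file is a well-formed classic libpcap capture, listing its packet records and flagging a truncated download. The function names and the sample bytes are constructed for illustration.

```python
import struct

# First four bytes of a classic libpcap file -> (struct byte order, timestamp ticks per second)
MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian writer, microseconds
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian writer, microseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian writer, nanoseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian writer, nanoseconds
}

def parse_pcap(data):
    """Walk a libpcap file held in memory and return its header fields and records."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a libpcap capture file")
    order, ticks = MAGICS[data[:4]]
    # Global header after the magic: version, timezone, sigfigs, snaplen, link type
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    packets, offset, truncated = [], 24, False
    while offset < len(data):
        if offset + 16 > len(data):          # partial record header
            truncated = True
            break
        sec, frac, caplen, origlen = struct.unpack(order + "IIII", data[offset:offset + 16])
        body = data[offset + 16:offset + 16 + caplen]
        if len(body) < caplen:               # packet bytes cut short
            truncated = True
            break
        packets.append({"ts": sec + frac / ticks, "caplen": caplen,
                        "origlen": origlen, "data": body})
        offset += 16 + caplen
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated}

def build_sample():
    """Constructed sample: one zero-filled 60-byte frame, little-endian, link type 1 (Ethernet)."""
    frame = bytes(60)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 1700000000, 250000, len(frame), len(frame))
    return header + record + frame

if __name__ == "__main__":
    info = parse_pcap(build_sample())
    print(info["version"], info["linktype"], len(info["packets"]), info["truncated"])
```

To check a real download, pass the file's bytes (read in binary mode) to `parse_pcap`; a `truncated` result of `True` means the file ended in the middle of a record.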