Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Using Drill-Down and Table View Pages
The following table describes how to use the table view.
Table 18-3 Constraining Events on Drill-Down Pages

To: drill down to the next workflow page constraining on a specific value
You can: click the value.
For example, on the Destination Port workflow, to constrain the events to those with a destination of port 80, click 80/tcp in the DST Port/ICMP Code column. The next page of the workflow, Events, appears and contains only port 80/tcp events.

To: drill down to the next workflow page constraining on selected events
You can: select the check boxes next to the events you want to view on the next workflow page, then click View.
For example, on the Destination Port workflow, to constrain the events to those with destination ports 20/tcp and 21/tcp, select the check boxes next to the rows for those ports and click View. The next page of the workflow, Events, appears and contains only port 20/tcp and 21/tcp events.
Note: If you constrain on multiple rows and the table has more than one column (not including a Count column), you build what is called a compound constraint. Compound constraints ensure that you do not include more events in your constraint than you mean to. For example, if you use the Event and Destination workflow, each row that you select on the first drill-down page creates a compound constraint. If you pick event 1:100 with a destination IP address of 10.10.10.100 and you also pick event 1:200 with a destination IP address of 192.168.10.100, the compound constraint ensures that you do not also select events with 1:100 as the event type and 192.168.10.100 as the destination IP address or events with 1:200 as the event type and 10.10.10.100 as the destination IP address.

To: drill down to the next workflow page keeping the current constraints
You can: click View All.
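
The compound constraint described in the note for Table 18-3, shown as an added example that is not part of the Cisco guide and is not FireSIGHT code: it filters a constructed event list by the selected row pairs and contrasts that with a filter that constrains each column independently. The field names `event` and `dst_ip`, the function names, and the sample events are assumptions made for illustration.

```python
# Added illustration of the compound-constraint note; not FireSIGHT code.
# Field names (event, dst_ip) and every event below are constructed samples.

EVENTS = [
    {"id": 1, "event": "1:100", "dst_ip": "10.10.10.100"},
    {"id": 2, "event": "1:200", "dst_ip": "192.168.10.100"},
    {"id": 3, "event": "1:100", "dst_ip": "192.168.10.100"},  # cross pair
    {"id": 4, "event": "1:200", "dst_ip": "10.10.10.100"},    # cross pair
    {"id": 5, "event": "1:300", "dst_ip": "10.10.10.100"},    # unselected event type
]

# Rows selected on the first drill-down page of the Event and Destination workflow.
SELECTED_ROWS = [
    {"event": "1:100", "dst_ip": "10.10.10.100"},
    {"event": "1:200", "dst_ip": "192.168.10.100"},
]


def compound_constraint(events, rows):
    """Keep an event only if it matches every column of at least one selected
    row: (event=A AND dst=X) OR (event=B AND dst=Y)."""
    columns = sorted({c for row in rows for c in row})
    wanted = {tuple(row.get(c) for c in columns) for row in rows}
    return [e for e in events if tuple(e.get(c) for c in columns) in wanted]


def per_column_constraint(events, rows):
    """Looser filter that treats each column on its own:
    event IN (A, B) AND dst IN (X, Y). It also admits the cross pairs."""
    allowed = {}
    for row in rows:
        for column, value in row.items():
            allowed.setdefault(column, set()).add(value)
    return [e for e in events
            if all(e.get(c) in vals for c, vals in allowed.items())]


def ids(events):
    """Return just the sample event ids, for compact comparison."""
    return [e["id"] for e in events]


if __name__ == "__main__":
    print("compound  :", ids(compound_constraint(EVENTS, SELECTED_ROWS)))
    print("per-column:", ids(per_column_constraint(EVENTS, SELECTED_ROWS)))
```

The same distinction applies when reproducing a drill-down selection as a query in another tool: matching on whole rows keeps the result set to what was selected, while separate per-column lists pull in the cross pairs.
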

Table 18-4 Constraining Events on the Table View of Events

To: constrain the view to events with a single attribute
You can: click the attribute.
For example, to constrain the view to events with a destination of port 80, click 80/tcp in the DST Port/ICMP Code column.

To: remove a column from the table
You can: click the close icon in the column heading that you want to hide. In the pop-up window that appears, click Apply.
Tip: To hide or show other columns, select or clear the appropriate check boxes before you click Apply. To add a disabled column back to the view, click the expand arrow to expand the search constraints, then click the column name under Disabled Columns.

To: view the packets associated with one or more events
You can: either:
• click the down arrow icon next to the event whose packets you want to view.
• select one or more events whose packets you want to view, and, at the bottom of the page, click View.
• at the bottom of the page, click View All to view the packets for all events that match the current constraints.