Cisco Firepower Management Center 4000
18-40
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Searching for Intrusion Events
Email Recipient
Specify the address of the email recipient that was extracted from the SMTP RCPT TO command. This is the envelope recipient, which can differ from the address shown in the message's To: header. You can also enter a comma-separated list to search for events associated with all specified addresses. See for more information.
Email Attachments
Specify the MIME attachment file name that was extracted from the MIME Content-Disposition header. Enter a comma-separated list to search for events associated with all attachment file names in the list. See for more information.
Email Headers
Specify data that was extracted from the email header. Note that email headers do not appear in the table view of intrusion events, but you can use email header data as a search criterion.
To associate email headers with intrusion events for SMTP traffic, you must enable the SMTP preprocessor Log Headers option. See for more information.
Reviewed By
Specify the name of the user who reviewed the event. See .
Tip: You can enter unreviewed to search for events that have not been reviewed.
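To make concrete what the Email Recipient, Email Attachments and Email Headers criteria are matched against, the following Python is an added example; it is not part of the FireSIGHT guide and does not reproduce the Cisco SMTP preprocessor. It parses one constructed SMTP transaction the way the field descriptions above describe: envelope recipients come from the RCPT TO commands (not from the To: header), attachment names come from the MIME Content-Disposition header, and message headers are read from the DATA section. The matches function then applies search values to the parsed event. Its treatment of a comma-separated list as matching any one of the listed values, and its handling of the literal unreviewed, are this example's assumptions about search behavior, not a statement of how the appliance implements it.

```python
import re
from email import message_from_string, policy

# Constructed sample of one SMTP transaction (C: = client, S: = server).
# Not a real capture; the domain and file name are made up.
SMTP_SESSION = """\
S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250 mail.example.test
C: MAIL FROM:<sender@example.test>
S: 250 OK
C: RCPT TO:<alice@example.test>
S: 250 OK
C: RCPT TO:<bob@example.test>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Sender" <sender@example.test>
C: To: team@example.test
C: Subject: invoice
C: MIME-Version: 1.0
C: Content-Type: multipart/mixed; boundary="b1"
C:
C: --b1
C: Content-Type: text/plain
C:
C: see attached
C: --b1
C: Content-Type: application/octet-stream
C: Content-Disposition: attachment; filename="invoice.pdf.exe"
C:
C: TVqQAAMAAAAEAAAA
C: --b1--
C: .
S: 250 OK queued
"""


def parse_smtp_session(session):
    """Return the envelope recipients, attachment file names and top-level
    message headers of one SMTP transaction: the three values the search
    page's email criteria are compared against."""
    recipients, data_lines, in_data = [], [], False
    for line in session.splitlines():
        if not line.startswith("C:"):
            continue  # server replies carry none of the searched data
        payload = line[3:] if line.startswith("C: ") else line[2:]
        if in_data:
            if payload == ".":  # end-of-data marker
                in_data = False
                continue
            if payload.startswith(".."):  # undo dot-stuffing (RFC 5321 4.5.2)
                payload = payload[1:]
            data_lines.append(payload)
            continue
        m = re.match(r"RCPT TO:\s*<?([^>\s]+)>?", payload, re.IGNORECASE)
        if m:
            recipients.append(m.group(1).lower())  # envelope recipient
        elif payload.upper() == "DATA":
            in_data = True
    msg = message_from_string("\n".join(data_lines), policy=policy.default)
    # get_filename() reads the Content-Disposition filename parameter.
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    headers = {k: str(v) for k, v in msg.items()}
    return {"recipients": recipients, "attachments": attachments,
            "headers": headers, "reviewed_by": None}


def matches(event, email_recipient=None, email_attachments=None, reviewed_by=None):
    """Apply search field values to one parsed event.
    Assumption of this example (not from the guide): a comma-separated value
    matches when the event carries any one of the listed values, and the
    literal 'unreviewed' matches events with no reviewer."""
    def listed(value):
        return {v.strip().lower() for v in value.split(",") if v.strip()}

    if email_recipient and not listed(email_recipient) & set(event["recipients"]):
        return False
    if email_attachments and not listed(email_attachments) & {
            a.lower() for a in event["attachments"]}:
        return False
    if reviewed_by is not None:
        if reviewed_by.strip().lower() == "unreviewed":
            if event.get("reviewed_by"):
                return False
        elif event.get("reviewed_by") != reviewed_by:
            return False
    return True


if __name__ == "__main__":
    ev = parse_smtp_session(SMTP_SESSION)
    print(ev["recipients"], ev["attachments"], ev["headers"]["To"])
    print(matches(ev, email_recipient="carol@example.test, bob@example.test"))
```

Running the block prints the two RCPT TO addresses, the single attachment name and the To: header value, which illustrates why a search on Email Recipient for team@example.test would not find this event even though that address appears in the message headers.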
To search for intrusion events:
Access: Admin/Intrusion Admin
Step 1 Select Analysis > Search.
The Intrusion Events search page appears.
You can also click Search while viewing lists of intrusion events (Analysis > Intrusions > Events).
Step 2 Optionally, if you want to save the search, enter a name for the search in the Name field.
If you do not enter a name, one is automatically created when you save the search.
Step 3 Enter your search criteria in the appropriate fields, as described in the list above the procedure.
For more information on search syntax, including using objects in searches, see .
Step 4 If you want to save the search so that other users can access it, clear the Save As Private check box.
Otherwise, leave the check box selected to save the search as private. Note that users with the Administrator role can still view searches that you save as private.
If you want to use the search as a data restriction for a custom user role, you must save it as a private search.
Step 5 You have the following options:
• Click Search to start the search.
Your search results appear in the default intrusion events workflow, constrained by the current time range. For information on specifying a different default workflow, see .
• Click Save if you are modifying an existing search and want to save your changes.