21-11
FireSIGHT System User Guide
 
Chapter 21      Managing Rules in an Intrusion Policy
  Filtering Rules in an Intrusion Policy
Items in the filter panel sometimes represent filter type groups, sometimes represent keywords, and sometimes represent the argument to a keyword. Use the following rules of thumb to help you build your filters:
  • When you select a filter type group heading that is not a keyword (Rule Configuration, Rule Content, Platform Specific, and Priority), it expands to list the available keywords. When you select a keyword by clicking on a node in the criteria list, a pop-up window appears where you supply the argument you want to filter by. If that keyword is already used in the filter, the argument you supply replaces the existing argument for that keyword. For example, if you click Drop and Generate Events under Rule Configuration > Recommendation in the filter panel, Recommendation:"Drop and Generate Events" is added to the filter text box. If you then click Generate Events under Rule Configuration > Recommendation, the filter changes to Recommendation:"Generate Events".
  • When you select a filter type group heading that is a keyword (Category, Classifications, Microsoft Vulnerabilities, Microsoft Worms, Priority, and Rule Update), it lists the available arguments. When you select an item from this type of group, the argument and the keyword it applies to are immediately added to the filter. If the keyword is already in the filter, it replaces the existing argument for the keyword that corresponds to that group. For example, if you click os-linux under Category in the filter panel, Category:"os-linux" is added to the filter text box. If you then click os-windows under Category, the filter changes to Category:"os-windows".
  • Reference under Rule Content is a keyword, and so are the specific reference ID types listed below it. When you select any of the reference keywords, a pop-up window appears where you supply an argument and the keyword is added to the existing filter. If the keyword is already in use in the filter, the new argument you supply replaces the existing argument. For example, if you click Rule Content > Reference > CVE ID in the filter panel, a pop-up window prompts you to supply the CVE ID. If you enter 2007, then CVE:"2007" is added to the filter text box. In another example, if you click Rule Content > Reference in the filter panel, a pop-up window prompts you to supply the reference. If you enter 2007, then Reference:"2007" is added to the filter text box.
  • When you select rule filter keywords from different groups, each filter keyword is added to the filter and any existing keywords are maintained (unless overridden by a new value for the same keyword). For example, if you click os-linux under Category in the filter panel, Category:"os-linux" is added to the filter text box. If you then click MS00-006 under Microsoft Vulnerabilities, the filter changes to Category:"os-linux" MicrosoftVulnerabilities:"MS00-006".
  • When you select multiple keywords, the system combines them using AND logic to create a compound search filter. For example, if you select preprocessor under Category and then select Rule Content > GID and enter 116, you get a filter of Category: "preprocessor" GID:"116", which retrieves all rules that are preprocessor rules and have a GID of 116.
  • The Category, Microsoft Vulnerabilities, Microsoft Worms, Platform Specific, and Priority filter groups allow you to submit more than one argument for a keyword, separated by commas. For example, you can press Shift and then select os-linux and os-windows from Category to produce the filter Category:"os-windows,app-detect", which retrieves any rules in the os-linux category or in the os-windows category.
The same rule may be retrieved by more than one filter keyword/argument pair. For example, the DOS Cisco attempt rule (SID 1545) appears if rules are filtered by the dos category, and also if you filter by the High priority.
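The following is an added illustration, not code from the FireSIGHT guide or product: a small Python model of the filter behaviour described in the rules of thumb above. It builds the filter string the way the text describes clicks (replacing an existing keyword's argument, appending new keywords) and evaluates a filter over constructed rule metadata with AND between keywords and OR within a comma-separated argument. The rule data, the keyword-to-field mapping and the substring matching of reference IDs are assumptions made for the example.

```python
import re

# Constructed sample rule metadata for this example (not real Snort rule data).
# SID 1545 mirrors the guide's note that one rule can match both Category:"dos" and Priority:"High".
RULES = [
    {"sid": 1545, "gid": 1, "category": "dos", "priority": "High", "refs": ["CVE:2007-0000"]},
    {"sid": 2000, "gid": 1, "category": "os-linux", "priority": "Low", "refs": []},
    {"sid": 3, "gid": 116, "category": "preprocessor", "priority": "Medium", "refs": []},
    {"sid": 4000, "gid": 1, "category": "os-windows", "priority": "High", "refs": ["MS00-006"]},
]

# Assumed canonical token form: Keyword:"argument" with straight quotes and no space after the colon.
TOKEN = re.compile(r'(\w+):"([^"]*)"')

def build_filter(current, keyword, arg):
    """Model a click in the filter panel: if the keyword is already present its argument
    is replaced in place; otherwise the pair is appended and other keywords are kept."""
    pairs = dict(TOKEN.findall(current))
    pairs[keyword] = arg
    return " ".join(f'{k}:"{v}"' for k, v in pairs.items())

def parse_filter(text):
    """Parse 'Key:"a,b" Other:"c"' into {keyword: [arguments]}; commas separate OR alternatives."""
    return {k: [v.strip() for v in arg.split(",")] for k, arg in TOKEN.findall(text)}

def match(rule, filt):
    """AND across keywords; OR across the comma-separated arguments of a single keyword.
    The keyword-to-field mapping below is an assumption made for this example."""
    for keyword, values in filt.items():
        if keyword == "Category":
            ok = rule["category"] in values
        elif keyword == "Priority":
            ok = rule["priority"] in values
        elif keyword == "GID":
            ok = str(rule["gid"]) in values
        elif keyword in ("Reference", "CVE", "MicrosoftVulnerabilities"):
            # reference-style arguments are matched as substrings of the rule's reference IDs
            ok = any(v in ref for v in values for ref in rule["refs"])
        else:
            ok = False  # unknown keyword: nothing matches
        if not ok:
            return False
    return True

def filter_rules(text):
    """Return the sorted SIDs of the constructed rules retrieved by a filter string."""
    filt = parse_filter(text)
    return sorted(r["sid"] for r in RULES if match(r, filt))
```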