Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 27      Using the FireSIGHT System as a Compliance Tool
  Working with White List Events
When the system generates a discovery event that indicates that a host is out of compliance with a white 
list that is included in an activated correlation policy, a white list event is generated. White list events 
are a special kind of correlation event, and are logged to the correlation event database. You can search, 
view, and delete white list events. 
Tip
For information on configuring the number of events saved in the database, see 
. Note that white list events are stored in the correlation event database.
Viewing White List Events
License: FireSIGHT
You can use the Defense Center to view a table of compliance white list events. Then, you can 
manipulate the event view depending on the information you are looking for.
The page you see when you access white list events differs depending on the workflow you use. You can 
use the predefined workflow, which includes the table view of white list events. You can also create a 
custom workflow that displays only the information that matches your specific needs. For information 
on creating a custom workflow, see 
.
The following table describes some of the specific actions you can perform on a white list events 
workflow page. 
Table 27-3 Compliance White List Event Actions

| To... | You can... |
|---|---|
| view the host profile for a host | click the host profile icon that appears next to the IP address. |
| view user profile information | click the user icon that appears next to the user identity. For more information, see . |
| sort and constrain events on the current workflow page | find more information in |
| navigate within the current workflow page | find more information in |
| navigate between pages in the current workflow, keeping the current constraints | click the appropriate page link at the top left of the workflow page. For more information, see |
| learn more about the columns that appear | find more information in . |
| modify the time and date range for displayed events | find more information in . |