Cisco Firepower Management Center 4000
27-32
FireSIGHT System User Guide
Chapter 27 Using the FireSIGHT System as a Compliance Tool
Working with White List Events
You can search for specific compliance white list events. You may want to create searches customized
for your network environment, then save them to re-use later. The following table describes the search
criteria you can use.
To search for compliance white list events:

Access: Admin/Any Security Analyst

Step 1  Select Analysis > Search.
        The Search page appears.

Step 2  From the Table drop-down list, select White List Events.
        The page reloads with the appropriate constraints.

Step 3  Optionally, if you want to save the search, enter a name for the search in the Name field.
        If you do not enter a name, one is created automatically when you save the search.

Step 4  Enter your search criteria in the appropriate fields, as described in Table 27-5, keeping in mind the following additional points:
        • All fields accept negation (!).
        • All fields accept comma-separated lists. If you enter criteria in multiple fields, the search returns only the records that match all the criteria.
Table 27-5  Compliance White List Event Search Criteria

Field             Search Criteria Rules
Policy            Enter the name of a correlation policy to return all events caused by violations of white lists included in that policy.
White List        Enter the name of a white list to return all events caused by violations of that white list.
Description       Enter the white list event description.
Priority          Specify the priority of the white list event, which is determined either by the priority of the white list in a correlation policy or by the priority of the correlation policy itself. Note that the white list priority overrides the priority of its policy. Enter none for no priority. For information on setting correlation rule and policy priorities, see and .
IP Address        Specify an IP address of a host that has become non-compliant with a white list.
User              Specify the identity of the user logged in to a host that has become non-compliant with a white list.
Port              Specify the port, if any, associated with the discovery event that triggered an application protocol white list violation (a violation that occurred as a result of a non-compliant application protocol).
Host Criticality  Specify the host criticality of the source host involved in the white list event: None, Low, Medium, or High. For more information on host criticality, see .
Device            Type the name of the device or device group that detected the white list violation.
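The following is an added example, not code from Cisco or from the FireSIGHT System, that models the search semantics described in the procedure and in Table 27-5: a leading "!" negates a field, commas separate alternatives, criteria in different fields are ANDed, and a white list's priority overrides its policy's priority ("none" when neither is set). It runs over a handful of constructed white list event records; the WhiteListEvent class, the sample data and the search() helper are illustrative names. Two details are the author's assumptions rather than statements on the page: values within one comma-separated list are ORed, and comparison is case-insensitive.

```python
"""Offline model of the White List Events search rules (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class WhiteListEvent:
    """One compliance white list event, using the fields of Table 27-5 (constructed record shape)."""
    policy: str
    white_list: str
    description: str
    white_list_priority: Optional[str]  # priority set on the white list inside the policy, if any
    policy_priority: Optional[str]      # priority of the correlation policy itself, if any
    ip_address: str
    user: str
    port: str
    host_criticality: str
    device: str


def effective_priority(event: WhiteListEvent) -> str:
    """White list priority overrides the policy priority; 'none' means no priority at all."""
    if event.white_list_priority:
        return event.white_list_priority
    if event.policy_priority:
        return event.policy_priority
    return "none"


def parse_criterion(text: str) -> Tuple[bool, List[str]]:
    """Split one search field into (negated, values).

    A leading '!' negates the whole field; commas separate alternatives.
    Empty entries are dropped; values are lower-cased (case-insensitivity is an assumption).
    """
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:]
    values = [v.strip().lower() for v in text.split(",") if v.strip()]
    return negated, values


def field_matches(value: str, criterion: str) -> bool:
    """Apply one field's criterion to one event value."""
    negated, wanted = parse_criterion(criterion)
    if not wanted:
        return True  # an empty search field imposes no constraint
    hit = value.lower() in wanted  # list entries are ORed (assumption, not stated on the page)
    return not hit if negated else hit


def event_field(event: WhiteListEvent, field: str) -> str:
    """Read a searchable field; 'priority' is the resolved priority, not a stored attribute."""
    if field == "priority":
        return effective_priority(event)
    return getattr(event, field)


def search(events: List[WhiteListEvent], **criteria: str) -> List[WhiteListEvent]:
    """Return the events that satisfy every supplied criterion (fields are ANDed)."""
    return [
        ev for ev in events
        if all(field_matches(event_field(ev, f), c) for f, c in criteria.items())
    ]


# Constructed sample events; hosts, users and device names are invented for illustration.
SAMPLE_EVENTS = [
    WhiteListEvent("PCI Policy", "Web Server Baseline", "Non-compliant application protocol: telnet",
                   "high", "medium", "10.1.1.20", "jsmith", "23", "High", "fw-dmz-01"),
    WhiteListEvent("PCI Policy", "Web Server Baseline", "Non-compliant OS",
                   None, "medium", "10.1.1.21", "", "", "Medium", "fw-dmz-01"),
    WhiteListEvent("Corporate Policy", "Workstation Baseline", "Non-compliant client application",
                   None, None, "10.2.5.7", "achen", "", "Low", "fw-core-02"),
]


def demo() -> List[str]:
    """PCI Policy events from every host except 10.1.1.20 (negation ANDed with a policy name)."""
    hits = search(SAMPLE_EVENTS, policy="PCI Policy", ip_address="!10.1.1.20")
    return [ev.ip_address for ev in hits]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.ip_address, effective_priority(ev))
    print(demo())
```

The first sample event shows the override rule from the Priority row: its white list carries "high" while its policy carries "medium", so a search for priority "medium" does not return it, whereas the second event (no white list priority) resolves to its policy's "medium".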