Cisco Firepower Management Center 4000
27-33
FireSIGHT System User Guide
Chapter 27 Using the FireSIGHT System as a Compliance Tool
Working with White List Violations
• Many fields accept one or more asterisks (*) as wild cards.
• Specify n/a in any field to identify events where information is not available for that field; use !n/a to identify the events where that field is populated.
• Click the add object icon that appears next to a search field to use an object as a search criterion.
For more information on search syntax, including using objects in searches, see .
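The three matching rules above (asterisk wild cards, n/a for a field with no information, !n/a for a populated field) are easy to misread when combined, so the following added example applies them to a handful of constructed white list violation rows. It is illustrative code written for this page, not Cisco's search implementation; the field names (ip_address, type, information, white_list), the sample rows, and case-insensitive matching are assumptions. It also ranks hosts by violation count, highest first, which is the ordering the Host Violation Count workflow described later in this chapter uses on its first page.

```python
"""Search-criterion matching for white list violation records.

Added example, not Cisco code. Implements the three search rules from the
guide: '*' wild cards, 'n/a' for an empty field, '!n/a' for a populated
field. Field names, sample data and case-insensitivity are assumptions.
"""
import re

# Constructed sample rows, loosely modelled on a white list violation table.
# An empty string stands for "information not available" for that field.
SAMPLE_EVENTS = [
    {"ip_address": "10.1.1.5",  "type": "Operating System", "information": "Linux 3.x", "white_list": "Default White List"},
    {"ip_address": "10.1.1.5",  "type": "Server",           "information": "http",      "white_list": "Default White List"},
    {"ip_address": "10.1.1.7",  "type": "Server",           "information": "ssh",       "white_list": "Default White List"},
    {"ip_address": "10.1.2.20", "type": "Client",           "information": "",          "white_list": "DMZ Hosts"},
    {"ip_address": "192.0.2.9", "type": "Server",           "information": "telnet",    "white_list": "DMZ Hosts"},
]


def criterion_to_regex(value):
    """Turn a search value into an anchored regex; each '*' matches any run of characters."""
    parts = value.split("*")
    pattern = "^" + ".*".join(re.escape(p) for p in parts) + "$"
    return re.compile(pattern, re.IGNORECASE)  # case-insensitive matching is an assumption


def field_matches(field_value, criterion):
    """Apply one search criterion to one field value.

    'n/a'  -> true only when the field carries no information (empty or missing)
    '!n/a' -> true only when the field is populated
    else   -> wild-card match against the field's text
    """
    criterion = criterion.strip()
    if criterion == "n/a":
        return field_value in ("", None)
    if criterion == "!n/a":
        return field_value not in ("", None)
    if field_value is None:
        return False
    return criterion_to_regex(criterion).match(field_value) is not None


def search(events, criteria):
    """Return the events that satisfy every criterion; fields without a criterion are unconstrained."""
    return [e for e in events
            if all(field_matches(e.get(field), value) for field, value in criteria.items())]


def host_violation_counts(events):
    """Rank hosts by number of violations, highest first (ties broken by address)."""
    counts = {}
    for e in events:
        counts[e["ip_address"]] = counts.get(e["ip_address"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for e in search(SAMPLE_EVENTS, {"type": "Server", "white_list": "*DMZ*"}):
        print(e["ip_address"], e["information"])
    for host, n in host_violation_counts(SAMPLE_EVENTS):
        print(host, n)
```

Note that a field with no information is not the same as an empty search field: a criterion left blank does not constrain the search at all, whereas the literal value n/a matches only rows where that field is unpopulated.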
Step 5 If you want to save the search so that other users can access it, clear the Save As Private check box. Otherwise, leave the check box selected to save the search as private.
If you want to use the search as a data restriction for a custom user role, you must save it as a private search.
Step 6 You have the following options:
• Click Search to start the search. Your search results appear in the default white list events workflow, constrained by the current time range. To use a different workflow, including a custom workflow, click (switch workflow) by the workflow title. For information on specifying a different default workflow, see .
• Click Save if you are modifying an existing search and want to save your changes.
• Click Save as New Search to save the search criteria. The search is saved (and associated with your user account if you selected Save As Private), so that you can run it at a later time.
Working with White List Violations
License: FireSIGHT
The system keeps track of the ways in which hosts on your network violate the compliance white lists in active correlation policies. You can search and view these records.
For more information, see the following sections:
Viewing White List Violations
License: FireSIGHT
You can use the Defense Center to view a table of white list violations. Then, you can manipulate the event view depending on the information you are looking for. The page you see when you access white list violations differs depending on the workflow you use. There are two predefined workflows:
• The Host Violation Count workflow provides a series of pages that list all the hosts that violate at least one white list. The first page sorts the hosts based on the number of violations per host, with the hosts with the greatest number of violations at the top of the list. If a host violates more than one