Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 27  Using the FireSIGHT System as a Compliance Tool
Working with White List Violations

Searching for White List Violations
License: FireSIGHT
You can search for specific compliance white list violations. You may want to create searches 
customized for your network environment, then save them to re-use later. The following table describes 
the search criteria you can use.
To search for compliance white list violations:
Access: Admin/Any Security Analyst

Step 1  Select Analysis > Search.
        The Search page appears.
Step 2  From the Table drop-down list, select White List Violations.
        The page reloads with the appropriate constraints.
Step 3  Optionally, if you want to save the search, enter a name for the search in the Name field.
        If you do not enter a name, one is created automatically when you save the search.
Step 4  Enter your search criteria in the appropriate fields, as described in the table, and keeping in mind the following additional points:
  • All fields accept negation (!).
  • All fields accept comma-separated lists. If you enter multiple criteria, the search returns only the records that match all the criteria.
  • Many fields accept one or more asterisks (*) as wild cards.

Table 27-8: Compliance White List Violations Search Criteria

Field / Search Criteria Rules

Time
  Specify the date and time that the white list was violated.

IP Address
  Specify an IP address of a host that has become non-compliant with a white list.

White List
  Enter the name of a white list to return all violations from that white list.

Type
  Enter the type of white list violation:
  • enter os (or operating system) to search for violations based on operating systems
  • enter server to search for violations based on application protocols
  • enter client to search for violations based on clients
  • enter protocol to search for violations based on protocols
  • enter web application to search for violations based on web applications

Information
  Enter white list violation information.

Port
  Specify the port, if any, associated with the discovery event that triggered an application protocol white list violation (a violation that occurred as a result of a non-compliant application protocol).

Protocol
  Specify the protocol, if any, associated with the discovery event that triggered an application protocol white list violation (a violation that occurred as a result of a non-compliant application protocol).