Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide, Chapter 45: Searching for Events (page 45-5)
Using Objects and Application Filters in Searches
License: Any
The FireSIGHT System allows you to create named objects, object groups, and application filters that can be used as part of your network configuration. You can use these objects, groups, and filters as search criteria when performing or saving searches.
When you perform a search, objects, object groups, and application filters appear in the format ${object_name}. For example, a network object with the object name ten_ten_network appears as ${ten_ten_network} in a search.
You can click the add object icon that appears next to a search field where you can use an object as a search criterion.
Specifying Time Constraints in Searches
License: Any
You can use a number of formats for specifying time search constraints. You can enter a time you want to match, and, optionally, a less than (<) or greater than (>) operator to match times before or after the time you enter.
The formats accepted by search criteria fields that take a time value are shown in Table 45-1. You can precede a time value with one of the operators shown in Table 45-2.
Specifying IP Addresses in Searches
License: Any
When specifying IP addresses in searches, you can enter an individual IP address, a comma-separated list of addresses, an address block, or a range of IP addresses separated with a hyphen (-). You can also use negation.
For searches that support IPv6 (such as intrusion event, connection data, and correlation event searches) you can enter IPv4 and IPv6 addresses and CIDR/prefix length address blocks in any combination.
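The two passages above describe how a search field value is built: ${object_name} references that stand for a named network object, and a comma-separated list of single addresses, CIDR/prefix blocks and hyphenated ranges (IPv4 or IPv6) with optional negation. The following is an added example, not code from the FireSIGHT System or from this guide, that expands object references and then evaluates such a criterion against sample event rows. The object name ten_ten_network comes from the page; its value, the dmz_hosts object, the event rows and the use of a leading "!" for negation are assumptions (the page says negation is supported but does not show its syntax). How the search engine actually combines negated and non-negated terms is also an assumption, stated in the code.

```python
import ipaddress
import re
from typing import Callable, Dict, List

# Constructed sample objects (not from the page). ten_ten_network is the
# page's example object name; its definition here is an assumption.
NETWORK_OBJECTS: Dict[str, str] = {
    "ten_ten_network": "10.10.0.0/16",
    "dmz_hosts": "192.168.1.10-192.168.1.20, 2001:db8:1::/48",
}

_OBJECT_REF = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def expand_objects(criterion: str, objects: Dict[str, str] = NETWORK_OBJECTS) -> str:
    """Replace every ${object_name} reference with the object's definition."""
    def _sub(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in objects:
            raise KeyError(f"unknown network object: {name}")
        return objects[name]
    return _OBJECT_REF.sub(_sub, criterion)


def _parse_term(term: str):
    """Return (negated, matcher) for one comma-separated term.

    Term shapes, per the page: a single address, a CIDR/prefix-length block,
    or a hyphenated range, each IPv4 or IPv6. Assumption: negation is written
    as a leading "!" on the term.
    """
    term = term.strip()
    negated = term.startswith("!")
    if negated:
        term = term[1:].strip()
    if "-" in term:  # range: IPv6 text never contains "-", so this is safe
        lo_txt, hi_txt = term.split("-", 1)
        lo = ipaddress.ip_address(lo_txt.strip())
        hi = ipaddress.ip_address(hi_txt.strip())
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid address range: {term}")

        def matcher(a):
            return a.version == lo.version and lo <= a <= hi
    elif "/" in term:  # CIDR / prefix-length block
        net = ipaddress.ip_network(term, strict=False)

        def matcher(a):
            return a.version == net.version and a in net
    else:  # single address
        single = ipaddress.ip_address(term)

        def matcher(a):
            return a == single
    return negated, matcher


def compile_ip_criterion(criterion: str) -> Callable[[str], bool]:
    """Build a predicate from a value such as '${ten_ten_network}, !10.10.5.5'.

    Assumed semantics: negated terms exclude, the remaining terms are ORed,
    and a criterion made only of negations matches everything not excluded.
    """
    includes, excludes = [], []
    for raw in expand_objects(criterion).split(","):
        if raw.strip():
            negated, m = _parse_term(raw)
            (excludes if negated else includes).append(m)

    def matches(ip_text: str) -> bool:
        addr = ipaddress.ip_address(ip_text.strip())
        if any(m(addr) for m in excludes):
            return False
        return not includes or any(m(addr) for m in includes)
    return matches


# Constructed sample event rows, as a search would scan them.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "e1", "src_ip": "10.10.1.1"},
    {"id": "e2", "src_ip": "10.10.5.5"},
    {"id": "e3", "src_ip": "192.168.1.15"},
    {"id": "e4", "src_ip": "192.168.1.21"},
    {"id": "e5", "src_ip": "2001:db8:1::7"},
    {"id": "e6", "src_ip": "172.16.0.1"},
]


def search_by_src_ip(criterion: str, events=SAMPLE_EVENTS) -> List[str]:
    """Return ids of events whose src_ip satisfies the criterion."""
    pred = compile_ip_criterion(criterion)
    return [e["id"] for e in events if pred(e["src_ip"])]


if __name__ == "__main__":
    print(search_by_src_ip("${ten_ten_network}, ${dmz_hosts}, !10.10.5.5"))
```

The version check before every comparison matters: Python's ipaddress refuses to compare an IPv4 address with an IPv6 one, so a mixed IPv4/IPv6 criterion like the one the page allows would otherwise raise mid-search rather than simply not matching.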
Table 45-1 Time Specification in Search Fields

Time Formats             Example
today [at HH:MMam|pm]    today
                         today at 12:45pm
YYYY-MM-DD HH:MM:SS      2006-03-22 14:22:59
Table 45-2 Time Specification Operators

Operator   Example                  Explanation
<          < 2006-03-22 14:22:59    Returns events with a timestamp before 2:23 PM, March 22, 2006.
>          > today at 2:45pm        Returns events with a timestamp later than today at 2:45 PM.
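As an added example (not code from the FireSIGHT System or from this guide), the following parses the two time formats of Table 45-1 and the < and > operators of Table 45-2, then runs a criterion over constructed sample event timestamps. Two points the tables leave open are handled as labelled assumptions: a bare "today" is taken to mean midnight at the start of today's date, and a value with no operator is taken to require an exact timestamp match. The reference time is injected rather than read from the clock so that "today" resolves the same way on every run.

```python
import re
from datetime import datetime
from typing import List, Tuple

# "today [at HH:MMam|pm]" from Table 45-1; the clock part is optional.
_TODAY_RE = re.compile(r"^today(?:\s+at\s+(\d{1,2}):(\d{2})\s*(am|pm))?$", re.IGNORECASE)
_ABSOLUTE_FMT = "%Y-%m-%d %H:%M:%S"  # "YYYY-MM-DD HH:MM:SS" from Table 45-1


def parse_time_value(text: str, now: datetime) -> datetime:
    """Parse one Table 45-1 time value into a datetime.

    Assumption: a bare "today" means midnight at the start of today's date;
    the page does not say which instant it denotes.
    """
    text = text.strip()
    m = _TODAY_RE.match(text)
    if m:
        hh, mm, meridiem = m.groups()
        midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
        if hh is None:
            return midnight
        hour12, minute = int(hh), int(mm)
        if not 1 <= hour12 <= 12 or minute > 59:
            raise ValueError(f"invalid clock time: {text!r}")
        hour24 = hour12 % 12 + (12 if meridiem.lower() == "pm" else 0)
        return midnight.replace(hour=hour24, minute=minute)
    return datetime.strptime(text, _ABSOLUTE_FMT)


def parse_time_criterion(text: str, now: datetime) -> Tuple[str, datetime]:
    """Split an optional leading < or > operator (Table 45-2) from the value."""
    text = text.strip()
    op = "="
    if text[:1] in ("<", ">"):
        op, text = text[0], text[1:]
    return op, parse_time_value(text, now)


def time_matches(criterion: str, event_ts: datetime, now: datetime) -> bool:
    """True when event_ts satisfies the criterion.

    "<" keeps timestamps strictly before the value and ">" strictly after it,
    as Table 45-2 describes. Assumption: with no operator the timestamp must
    equal the value exactly.
    """
    op, pivot = parse_time_criterion(criterion, now)
    if op == "<":
        return event_ts < pivot
    if op == ">":
        return event_ts > pivot
    return event_ts == pivot


# Constructed sample events; timestamps chosen around the page's examples.
NOW = datetime(2006, 3, 22, 16, 0, 0)
SAMPLE_EVENTS: List[Tuple[str, datetime]] = [
    ("e1", datetime(2006, 3, 22, 14, 22, 58)),
    ("e2", datetime(2006, 3, 22, 14, 22, 59)),
    ("e3", datetime(2006, 3, 22, 14, 45, 0)),
    ("e4", datetime(2006, 3, 22, 15, 10, 0)),
    ("e5", datetime(2006, 3, 21, 23, 59, 59)),
]


def search_by_time(criterion: str, events=SAMPLE_EVENTS, now: datetime = NOW) -> List[str]:
    """Return ids of events whose timestamp satisfies the criterion."""
    return [eid for eid, ts in events if time_matches(criterion, ts, now)]


if __name__ == "__main__":
    print(search_by_time("< 2006-03-22 14:22:59"))
    print(search_by_time("> today at 2:45pm"))
```

Note the 12-hour conversion: "12:45pm" maps to 12:45 and "12:30am" to 00:30, which is where hand-rolled am/pm handling most often goes wrong, and an hour outside 1 to 12 is rejected rather than silently wrapped.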