Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide
Chapter 47 Understanding and Using Workflows
Using Workflows
Using the Host View, Packet View, or Vulnerability Detail Pages
License: Any
The final page in a discovery event, host, host attributes, indications of compromise, servers, client
applications, or connection data workflow is the host view. The final page in a vulnerability workflow is
the vulnerability detail page. An intrusion event workflow always ends with the packet view. On the final
page of a workflow, you can expand detail sections to view specific information about each object in the
set you focused on over the course of the workflow. Although the web interface does not list the
constraints on the final page of a workflow, previously set constraints are retained and applied to the set
of data.
Setting Event Time Constraints
License: Any
Each event has a time stamp that indicates when the event occurred. You can constrain the information
that appears in some workflows by setting the time window, sometimes called the time range.
Workflows based on events that can be constrained by time include a time range line at the top of the
page, as shown in the following graphic.
By default, workflows on Cisco appliances use an expanding time window set to the past hour. For
example, if you log in at 11:30 AM, you will see events that occurred between 10:30 AM and 11:30 AM.
As time moves forward, the time window expands. At 12:30 PM, you will see events that occurred
between 10:30 AM and 12:30 PM.
You can change this behavior by setting your own default time window, which governs three properties:
• time window type (static, expanding, or sliding)
• time window length
• the number of time windows (either multiple time windows or a single global time window)
For general information on the default time window, see
.
Regardless of the default time window setting, you can manually change the time window during your
event analysis by clicking the time range at the top of the page, which displays the Date/Time pop-up
window. Depending on the number of time windows you configured and the type of appliance you are
using, you can also use the Date/Time window to change the default time window for the type of event
you are viewing.
Finally, you can pause the time window, which allows you to examine the data provided by the workflow
without the time window changing and removing or adding events that you are not interested in. Note
that to avoid displaying the same events on different workflow pages, the time window automatically
pauses when you click a link at the bottom of the page to display another page of events; you can unpause
the time window when you are ready.