Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide, page 18-35
Chapter 18: Working with Intrusion Events
Tip: To reverse the sort order, click Impact again.
Searching for Intrusion Events
License: Protection
You can search for specific intrusion events by using a predefined search delivered with the FireSIGHT System or by creating your own search criteria.
The predefined searches serve as examples and can provide quick access to important information about your network. You may want to modify specific fields within the default searches to customize them for your network environment, then save them to reuse later. The search criteria you can use are described in the following list.
Tip: For information about the syntax for specifying IP addresses and ports in an intrusion event search, see and . For more information on searching, including how to load and delete saved searches, see
Priority
Specify the priority of the events you want to view. The priority corresponds to either the value of the priority keyword or the value for the classtype keyword. For other intrusion events, the priority is determined by the decoder or preprocessor. Valid values are high, medium, and low.
Impact
Specify the impact level assigned to the intrusion event based on the correlation between intrusion data and network discovery data. Valid case-insensitive values are Impact 0, Impact Level 0, Impact 1, Impact Level 1, Impact 2, Impact Level 2, Impact 3, Impact Level 3, Impact 4, and Impact Level 4. Do not use impact icon colors or partial strings (for example, do not use blue, level 1, or 0). For more information, see .
Inline Result
Type either:
– dropped, to specify whether the packet is dropped in an inline deployment
– would have dropped, to specify whether the packet would have dropped if the intrusion policy had been set to drop packets in an inline deployment
Note that the system does not drop packets in a passive deployment, including when an inline interface is in tap mode, regardless of the rule state or the inline drop behavior of the intrusion policy. For more information, see , , and .
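The following is an added example, not code from the FireSIGHT System or from Cisco, showing how the Priority, Impact, and Inline Result criteria described above behave when applied to a constructed list of intrusion events: Impact values are matched case-insensitively but icon colors and partial strings are rejected outright, and the Inline Result value is derived from the deployment facts so that a passive or tap-mode deployment can never yield "dropped". The event fields (`deployment`, `policy_drops`, `rule_would_drop`), the deployment labels, and the sample events are assumptions made for the example; whether the product shows a value in tap mode is not stated on this page, so this model leaves it blank there.

```python
"""Added example (not Cisco's code): apply the documented search semantics
for Priority, Impact and Inline Result to constructed intrusion events."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Canonical values listed in the guide.  Impact matching is case-insensitive;
# icon colours ("blue") and partial strings ("level 1", "0") are not accepted.
PRIORITIES = {"high", "medium", "low"}
IMPACTS = {f"impact {n}": n for n in range(5)}
IMPACTS.update({f"impact level {n}": n for n in range(5)})
INLINE_RESULTS = {"dropped", "would have dropped"}


@dataclass
class IntrusionEvent:
    sid: int
    priority: str
    impact: int              # 0..4, from the intrusion/discovery correlation
    deployment: str          # assumed labels: "inline", "inline-tap", "passive"
    policy_drops: bool       # intrusion policy is set to drop packets
    rule_would_drop: bool    # assumed: the rule's state would drop the packet


def inline_result(ev: IntrusionEvent) -> Optional[str]:
    """Derive the Inline Result field from the deployment facts.

    From the guide: only an inline deployment drops packets; passive and
    tap-mode deployments never do, regardless of rule state or policy.
    Assumption for this model: those deployments get no value at all.
    """
    if ev.deployment != "inline" or not ev.rule_would_drop:
        return None
    return "dropped" if ev.policy_drops else "would have dropped"


def _squash(s: str) -> str:
    """Lower-case and collapse whitespace so 'Impact  Level 1' still matches."""
    return " ".join(s.split()).lower()


def is_valid_impact(raw: str) -> bool:
    return _squash(raw) in IMPACTS


def normalise_criteria(raw: Dict[str, str]) -> Dict[str, object]:
    """Validate user-typed criteria; raise on forms the guide says not to use."""
    crit: Dict[str, object] = {}
    if "priority" in raw:
        p = _squash(raw["priority"])
        if p not in PRIORITIES:
            raise ValueError(f"priority must be high, medium or low: {raw['priority']!r}")
        crit["priority"] = p
    if "impact" in raw:
        if not is_valid_impact(raw["impact"]):
            raise ValueError(f"impact must be 'Impact N' or 'Impact Level N': {raw['impact']!r}")
        crit["impact"] = IMPACTS[_squash(raw["impact"])]
    if "inline_result" in raw:
        r = _squash(raw["inline_result"])
        if r not in INLINE_RESULTS:
            raise ValueError(f"inline result must be 'dropped' or 'would have dropped': {raw['inline_result']!r}")
        crit["inline_result"] = r
    return crit


def search(events: List[IntrusionEvent], raw_criteria: Dict[str, str]) -> List[int]:
    """Return the SIDs of events matching every supplied criterion."""
    crit = normalise_criteria(raw_criteria)
    hits = []
    for ev in events:
        if "priority" in crit and ev.priority.lower() != crit["priority"]:
            continue
        if "impact" in crit and ev.impact != crit["impact"]:
            continue
        if "inline_result" in crit and inline_result(ev) != crit["inline_result"]:
            continue
        hits.append(ev.sid)
    return hits


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    IntrusionEvent(1000001, "high", 1, "inline", True, True),        # dropped
    IntrusionEvent(1000002, "medium", 2, "inline", False, True),     # would have dropped
    IntrusionEvent(1000003, "low", 0, "inline-tap", True, True),     # tap mode never drops
    IntrusionEvent(1000004, "high", 4, "passive", False, True),      # passive never drops
    IntrusionEvent(1000005, "high", 1, "inline", True, False),       # rule would not drop
]

if __name__ == "__main__":
    print(search(SAMPLE_EVENTS, {"impact": "Impact Level 1"}))
    print(search(SAMPLE_EVENTS, {"inline_result": "Dropped"}))
    for bad in ("blue", "level 1", "0"):
        print(bad, "accepted" if is_valid_impact(bad) else "rejected")
```

Running the module shows the case-insensitive Impact match returning both impact-1 events, "Dropped" matching only the inline event whose policy actually drops, and the three disallowed Impact spellings from the guide being rejected before any filtering happens.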
Source IP
Specify the IP address used by the source host involved in the intrusion events.