Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide, page 47-4
Chapter 47: Understanding and Using Workflows
Components of a Workflow
Predefined Intrusion Event Workflows
License: Protection
The following table describes the predefined intrusion event workflows included with the FireSIGHT System. For information on accessing these workflows, see
and
.
Table 47-1 Predefined Intrusion Event Workflows

Workflow Name | Description
Destination Port
    Because destination ports are usually tied to an application, this workflow can help you detect applications that are experiencing an uncommonly high volume of alerts. The Destination Port column can also help you identify applications that should not be present on your network.
    This workflow begins with a page showing the destination ports associated with the intrusion events, followed by a page showing the event types that were generated. You can then see a tabular view of event information, called the table view of events, followed by a packet view that shows the decoded contents of the packets associated with each event.
Event-Specific
    This workflow provides two useful features. Events that occur frequently may indicate:
    • false positives
    • a worm
    • a badly misconfigured network
    Events that occur infrequently are most likely evidence of a targeted attack and warrant special attention.
    This workflow begins with a page showing the event types that were generated. You can then view a page with two tables, one listing the source IP addresses associated with the events, the other showing the destination IP addresses associated with the events. The last pages in the workflow are the table view of events and the packet view.
Events by Priority and Classification
    This workflow lists events and their type in order of event priority, along with a count showing how many times each event has occurred.
    This workflow begins with a drill-down page that contains the priority level, classification and count of each listed event. The last pages in the workflow are the table view of events and the packet view.
Events to Destinations
    This workflow provides a high-level view of which host IP addresses are being attacked and the nature of the attack; where available, you can also see information about the countries involved in attacks.
    This workflow begins with a page of paired event types and destination IP addresses that you can use to investigate what types of events are directed towards specific IP addresses. The last pages in the workflow are the table view of events and the packet view.
IP-Specific
    This workflow shows which host IP addresses are generating the most alerts. Hosts with the greatest number of events are either public-facing and receiving worm-type traffic (indicating a good place to look for tuning) or require further investigation to determine the cause of the alerts. Hosts with the lowest counts also warrant investigation as they could be the subject of a targeted attack. Low counts may also indicate that a host may not belong on the network.
    This workflow begins with a page showing two tables, one each for the source and destination IP addresses that are associated with the events. The next page shows the event types that were generated. The last pages in the workflow are the table view of events and the packet view.
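The first pages of these workflows are aggregations over the same event columns (destination port, event type, source and destination IP, priority and classification). The following is an added example, not part of the FireSIGHT guide or product, that reproduces those drill-down pages over a constructed set of sample events, including the Event-Specific split between frequent event types (tuning candidates) and rare ones (possible targeted activity); all event messages, addresses and the `rare_max` threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample intrusion events (not FireSIGHT output). Field order:
# message, source IP, destination IP, destination port, priority, classification.
FIELDS = ("msg", "src", "dst", "dport", "priority", "classification")
RAW = [
    ("SERVER-WEBAPP generic probe", "203.0.113.10", "192.0.2.20", 80, 2, "web-application-attack"),
    ("SERVER-WEBAPP generic probe", "203.0.113.11", "192.0.2.20", 80, 2, "web-application-attack"),
    ("SERVER-WEBAPP generic probe", "203.0.113.12", "192.0.2.21", 80, 2, "web-application-attack"),
    ("SERVER-WEBAPP generic probe", "203.0.113.10", "192.0.2.22", 8080, 2, "web-application-attack"),
    ("SERVER-WEBAPP generic probe", "203.0.113.13", "192.0.2.20", 80, 2, "web-application-attack"),
    ("MALWARE-CNC beacon", "192.0.2.30", "198.51.100.5", 443, 1, "trojan-activity"),
    ("PROTOCOL-DNS malformed response", "198.51.100.53", "192.0.2.20", 53, 3, "misc-activity"),
    ("PROTOCOL-DNS malformed response", "198.51.100.53", "192.0.2.21", 53, 3, "misc-activity"),
]
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]

def destination_port_page(events):
    # Destination Port workflow, first page: alert volume per destination port,
    # busiest first; a port no sanctioned application uses stands out here.
    return Counter(e["dport"] for e in events).most_common()

def event_specific_split(events, rare_max=1):
    # Event-Specific workflow: types seen more than rare_max times are candidates
    # for false positives, worms or misconfiguration; types seen at most rare_max
    # times are the low-frequency alerts that may point to a targeted attack.
    counts = Counter(e["msg"] for e in events)
    return ({m: n for m, n in counts.items() if n > rare_max},
            {m: n for m, n in counts.items() if n <= rare_max})

def host_tables(events):
    # IP-Specific workflow, first page: one table each for source and destination IPs.
    return (Counter(e["src"] for e in events).most_common(),
            Counter(e["dst"] for e in events).most_common())

def priority_classification_page(events):
    # Events by Priority and Classification drill-down: (priority, classification,
    # message, count), highest priority (lowest number) first.
    counts = Counter((e["priority"], e["classification"], e["msg"]) for e in events)
    return sorted((p, c, m, n) for (p, c, m), n in counts.items())

if __name__ == "__main__":
    for dport, n in destination_port_page(EVENTS):
        print(f"dport {dport:>5}: {n} events")
    frequent, rare = event_specific_split(EVENTS)
    print("rare event types, review first:", rare)
    print("top destination hosts:", host_tables(EVENTS)[1][:3])
```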