Cisco Cisco FirePOWER Appliance 7030
16-21
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Working with Connection Graphs
Connection graphs are based on aggregated data over five-minute intervals, also called connection
summaries. You can get more information about the specific connection summaries used to construct a
connection graph. For example, on a graph of connections over time, you may want to know exactly how
many connections were detected over a specific interval.
To get detailed information on aggregated connection data:
Access:
Admin/Any Security Analyst
Step 1
Position your cursor over a point on a line graph, a bar in a bar graph, or a wedge in a pie chart. A tooltip
appears with detailed information about the data used to construct that portion of the graph.
Manipulating a Connection Graph on a Workflow Page
License:
Any
When you open a connection data workflow, the data is initially constrained only by a time range. You
can constrain connection graphs with additional criteria without advancing the workflow to the next
page.
Tip
Constraining connection data in this manner changes the x-axis (also called the independent variable
when viewing a pie chart) of the graph. To change the independent variable without constraining the
connection data, use the X-Axis and Y-Axis menus. For more information, see
To constrain connection data:
Access:
Admin/Any Security Analyst
Step 1
Click a point on a line graph, a bar on a bar graph, or a wedge on a pie chart.
Step 2
Select a View by... option.
You can constrain connection data based on any of the criteria listed in the table.
For example, consider a graph of connections over time. If you constrain a point on the graph by port, a
bar graph appears, showing the 10 most active ports based on the number of detected connection events,
but constrained by the ten-minute time span that is centered on the point you clicked.
If you further constrain the graph by clicking on one of the bars and selecting View by Initiator IP, a new
bar graph appears, constrained by not only the same ten-minute time span as before, but also by the port
represented by the bar you clicked.
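The drill-down described above can be reproduced offline on exported connection events. The following Python sketch is an added example, not Cisco code: the event tuple layout, the function names, the clock-aligned five-minute buckets and the half-open ten-minute window are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, initiator IP, responder port).
EVENTS = [
    ("2024-01-01 09:58:00", "10.0.0.9", 22),
    ("2024-01-01 10:01:10", "10.0.0.5", 443),
    ("2024-01-01 10:02:30", "10.0.0.5", 443),
    ("2024-01-01 10:03:45", "10.0.0.7", 443),
    ("2024-01-01 10:04:05", "10.0.0.7", 53),
    ("2024-01-01 10:06:20", "10.0.0.5", 443),
    ("2024-01-01 10:07:00", "10.0.0.9", 22),
    ("2024-01-01 10:08:15", "10.0.0.7", 53),
    ("2024-01-01 10:12:40", "10.0.0.9", 443),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def summaries(events):
    """Connections per five-minute interval (one count per connection summary)."""
    counts = Counter()
    for ts, _ip, _port in events:
        t = parse(ts)
        # Assumption: buckets are aligned to the clock (10:00, 10:05, ...).
        counts[t.replace(minute=t.minute - t.minute % 5, second=0)] += 1
    return counts

def constrain(events, point, port=None):
    """Events in the ten-minute span centered on `point`, optionally for one port."""
    lo, hi = point - timedelta(minutes=5), point + timedelta(minutes=5)
    return [e for e in events
            if lo <= parse(e[0]) < hi and (port is None or e[2] == port)]

def view_by(events, field, top=10):
    """Top `top` values of `field` ranked by number of connection events."""
    idx = {"initiator_ip": 1, "port": 2}[field]
    return Counter(e[idx] for e in events).most_common(top)

if __name__ == "__main__":
    point = parse("2024-01-01 10:05:00")           # the clicked point
    by_port = view_by(constrain(EVENTS, point), "port")
    print("View by port:", by_port)
    busiest = by_port[0][0]                         # the clicked bar
    print("View by Initiator IP:",
          view_by(constrain(EVENTS, point, port=busiest), "initiator_ip"))
```

Each second-level result is a subset of the first: the initiator counts for a port always sum to that port's bar, which is a quick consistency check when comparing exported data against the graph.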
Note
Unless you are working with a detached graph, constraining connection data in this manner
changes the time range. For more information on detached graphs, see