Cisco FirePOWER Appliance 7010
FireSIGHT System User Guide
Chapter 47 Understanding and Using Workflows
Components of a Workflow
Predefined Indications of Compromise Workflows
License: FireSIGHT
The following table describes the predefined workflows that you can use with IOC (Indications of
Compromise) data.
Predefined Applications Workflows
License: FireSIGHT
The following table describes the predefined workflows that you can use with application data.
Table 47-7 Predefined Host Workflows
Workflow Name
Description
Hosts
This workflow contains a table view of hosts followed by the host view. Workflow views based
on the Hosts table allow you to easily view data on all IP addresses associated with a host. See
for more information.
Operating System Summary
You can use this workflow to analyze the operating systems in use on your network. This
workflow provides a series of pages that start with a list of the operating systems and operating
system vendors on your network, continuing with the number of hosts running each version of
that operating system. The next page lists hosts by criticality, IP address, and NetBIOS name,
with their associated operating systems and operating system vendors. The workflow finishes
with a table view of hosts, followed by the host view. See
for more information.
Table 47-8 Predefined Indications of Compromise Workflows
Workflow Name
Description
Indications of Compromise
This workflow begins with a summary view of IOC data grouped by count and category,
followed by a detail view that further subdivides the summary data by event type. Next is a full
table view of IOC data. The workflow concludes with the host view. For more information on
viewing and interpreting IOC data, see
Indications of Compromise by Host
You can use this workflow to gauge which hosts on your network are most likely to be
compromised (based on IOC data). This workflow contains a view of host IP addresses by IOC
data count, followed by a table view of IOC data and concluding with the host view. For more
information on viewing and interpreting IOC data, see