Cisco FirePOWER Appliance 7010
FireSIGHT System User Guide
Chapter 47 Understanding and Using Workflows
Components of a Workflow
Saved Custom Workflows
License: Protection + FireSIGHT
In addition to predefined workflows, which cannot be modified, your Defense Center includes several
saved custom workflows. Each of these workflows is based on a custom table and can be modified. For
information on accessing these workflows, see
.

Table 47-18 Additional Predefined Workflows

| Workflow Name | Description |
|---|---|
| Audit Log | This workflow contains a table view of the audit log that lists audit events. See for more information. |
| Health Events | This workflow displays events triggered by the health monitoring policy. See for more information. |
| Rule Update Import Log | This workflow contains a table view listing information about both successful and failed rule update imports. For more information, see . |
| Scan Results | This workflow contains a table view listing each completed scan. For more information, see |

Table 47-19 Saved Custom Workflows

| Workflow Name | Description |
|---|---|
| Events by Impact, Priority, and Host Criticality | You can use this workflow to quickly pick out and focus in on hosts that are important to your network, currently vulnerable, and possibly currently under attack. By default, this workflow starts with a summary of events sorted by impact level, then by host criticality, and then by the number of occurrences of the event. You can use the second page of the workflow to drill down and view the source and destination addresses where specific events occur. The workflow concludes with a table view of Intrusion Events with Destination Criticality, then the packet view. This workflow is based on the Intrusion Events with Destination Criticality custom table. For more information, see . |
| Events by Priority and Classification | This workflow lists events and their type in order of event priority, along with a count showing how many times each event has occurred. This workflow begins with a drill-down page that contains the priority level, classification and count of each listed event. The last pages in the workflow are the table view of events and the packet view. This workflow is based on the Intrusion Events custom table. For more information, see |
| Events with Destination, Impact, and Host Criticality | You can use this workflow to find the most recent attacks on hosts that are important to your network and currently vulnerable. By default, this workflow starts with a list of the most recent events, sorted by impact level. The next page of the workflow provides a table view of Intrusion Events with Destination Criticality, followed by the packet view. This workflow is based on the Intrusion Events with Destination Criticality custom table. For more information, see |