Cisco FirePOWER Appliance 7010
18-7
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Viewing Intrusion Events
If you perform a backup and then delete reviewed intrusion events, restoring your backup restores the
deleted intrusion events but does not restore their reviewed status. You view those restored intrusion
events under Intrusion Events, not under Reviewed Events.
To quickly view connection events associated with one or more intrusion events, select the intrusion events using the check boxes in the event viewer, then select Connections from the Jump to drop-down list.
This is most useful when navigating between table views of events. You can also view the intrusions
associated with particular connections in a similar way.
For more information, see the following sections:
To view intrusion events:
Access: Admin/Intrusion Admin
Step 1 Select Analysis > Intrusions > Events.
The first page of the default intrusion events workflow appears. For information on specifying a different default workflow, see . If no events appear, you may need to adjust the time range; see
Tip: If you are using a custom workflow that does not include the table view of intrusion events, select any of the predefined workflows that ship with the appliance by clicking (switch workflow) next to the workflow title.
See to learn more about the events that appear in intrusion event views. See to learn more about how to narrow your view to the intrusion events that are important to your analysis.
Understanding Intrusion Events
License: Protection
The system examines the packets that traverse your network for malicious activity that could affect the
availability, integrity, and confidentiality of a host and its data. When the system identifies a possible
intrusion, it generates an intrusion event, which is a record of the date, time, the type of exploit, and
contextual information about the source of the attack and its target. For packet-based events, a copy of
the packet or packets that triggered the event is also recorded.