Cisco FirePOWER Appliance 7010
18-14
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Understanding Workflow Pages for Intrusion Events
To view events previously marked reviewed:
Access: Admin/Intrusion Admin
Step 1 Select Analysis > Intrusions > Reviewed Events.
The first page of the default reviewed intrusion events workflow appears. For information on specifying a different default workflow, see . If no events appear, you may need to adjust the time range; see .
Tip
If you are using a custom workflow that does not include the table view of intrusion events, select any of the predefined workflows that ship with the appliance by clicking (switch workflow) next to the workflow title.
See to learn more about the events that appear in reviewed intrusion event views. See to learn more about how to narrow your view to the intrusion events that are important to your analysis.
To mark reviewed events unreviewed:
Access: Admin/Intrusion Admin
Step 1 On a page that displays reviewed events, you have two options:
• To remove individual intrusion events from the list of reviewed events, select the check boxes next to the events and click Unreview.
• To remove all intrusion events from the list of reviewed events, click Unreview All.
A success message appears and the list of reviewed events is updated.
Understanding Workflow Pages for Intrusion Events
License: Protection
The preprocessor, decoder, and intrusion rules that are enabled in the current intrusion policy generate intrusion events whenever the traffic that you monitor violates the policy.
The FireSIGHT System provides a set of predefined workflows, populated with event data, that you can use to view and analyze intrusion events. Each of these workflows steps you through a series of pages to help you pinpoint the intrusion events that you want to evaluate.
The predefined intrusion event workflows contain three different types of pages, or event views:
• one or more drill-down pages
• the table view of intrusion events
• a packet view
Drill-down pages generally include two or more columns in a table (and, for some drill-down views, more than one table) that allow you to view one specific type of information.