Cisco FirePOWER Appliance 8390
27-31
FireSIGHT System User Guide
Chapter 27 Using the FireSIGHT System as a Compliance Tool
Working with White List Events
When a compliance white list is violated, the system generates a white list event. The fields in the white list events table are described in the following table.
Searching for Compliance White List Events
License:
FireSIGHT
Table 27-4
Compliance White List Event Fields
Field / Description

Time
    The date and time that the white list event was generated.

IP Address
    The IP address of the non-compliant host.

User
    The identity of any known user logged in to the non-compliant host.

Port
    The port, if any, associated with the event that triggered an application protocol white list violation (a violation that occurred as a result of a non-compliant application protocol). For other types of white list violations, this field is blank.

Description
    A description of how the white list was violated. For example:
        Client "AOL Instant Messenger" is not allowed.
    Violations that involve an application protocol indicate the application protocol name and version, as well as the port and protocol (TCP or UDP) it is using. If you restrict prohibitions to a particular operating system, the description includes the operating system name. For example:
        Server "ssh / 22 TCP ( OpenSSH 3.6.1p2 )" is not allowed on Operating System "Linux Linux 2.4 or 2.6".

Policy
    The name of the correlation policy that was violated, that is, the correlation policy that includes the white list.

White List
    The name of the white list.

Priority
    The priority specified by the policy or white list that triggered the policy violation. For information on setting correlation rule and policy priorities, see and .

Host Criticality
    The user-assigned host criticality of the host that is out of compliance with the white list: None, Low, Medium, or High. For more information on host criticality, see .

Device
    The name of the managed device that detected the white list violation.

Count
    The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows.
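As an added example (not from the guide or from Cisco), the following Python parses Description strings in the two shapes shown in the table above and reproduces the Count behaviour: rows are constrained to a chosen subset of fields, identical rows collapse, and the number of collapsed events becomes Count. The sample rows, the straight-quote form of the descriptions and the regular expression are assumptions about how exported white list events look.

```python
import re
from collections import Counter

# Constructed sample rows laid out like Table 27-4 (not real events).
SAMPLE_EVENTS = [
    {"Time": "2014-05-01 10:00:00", "IP Address": "10.1.1.5", "Port": "22",
     "Description": 'Server "ssh / 22 TCP ( OpenSSH 3.6.1p2 )" is not allowed '
                    'on Operating System "Linux Linux 2.4 or 2.6".',
     "Policy": "Prod Compliance", "White List": "Prod Servers",
     "Priority": "1", "Host Criticality": "High"},
    {"Time": "2014-05-01 10:05:00", "IP Address": "10.1.1.5", "Port": "22",
     "Description": 'Server "ssh / 22 TCP ( OpenSSH 3.6.1p2 )" is not allowed '
                    'on Operating System "Linux Linux 2.4 or 2.6".',
     "Policy": "Prod Compliance", "White List": "Prod Servers",
     "Priority": "1", "Host Criticality": "High"},
    {"Time": "2014-05-01 10:07:00", "IP Address": "10.1.2.9", "Port": "",
     "Description": 'Client "AOL Instant Messenger" is not allowed.',
     "Policy": "Prod Compliance", "White List": "Workstations",
     "Priority": "3", "Host Criticality": "Low"},
]

# Assumed pattern for the description text, derived from the two examples in the guide:
# <Client|Server> "<name>[ / <port> <TCP|UDP> ( <version> )]" is not allowed[ on Operating System "<os>"].
DESC_RE = re.compile(
    r'^(?P<kind>Client|Server) "(?P<name>[^"/]+?)'
    r'(?: / (?P<port>\d+) (?P<proto>TCP|UDP) \( (?P<version>[^)]+?) \))?" is not allowed'
    r'(?: on Operating System "(?P<os>[^"]+)")?\.$'
)


def parse_description(desc):
    """Split a violation description into kind, name, port, proto, version and os.

    Returns None when the text does not follow the expected shape, so callers can
    flag descriptions that need a human look instead of silently mis-parsing them.
    """
    m = DESC_RE.match(desc)
    return m.groupdict() if m else None


def constrain_and_count(events, fields):
    """Apply a constraint (keep only `fields`), collapse identical rows, and add Count."""
    rows = Counter(tuple(e[f] for f in fields) for e in events)
    return [dict(zip(fields, key), Count=n) for key, n in rows.items()]
```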