Cisco FirePOWER Appliance 8130
38-63
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Working with User Activity
IP Address
For User Login activity, the IP address involved in the login, which can be an IP address of the user's host (for LDAP, POP3, IMAP, and AIM logins), the server (for SMTP and Oracle logins), or the session originator (for SIP logins).
Note that an associated IP address does not mean the user is the current user for that IP address; when a non-authoritative user logs into a host, that login is recorded in the user and host history. If no authoritative user is associated with the host, a non-authoritative user can be the current user for the host. However, after an authoritative user logs into the host, only a login by another authoritative user changes the current user.
For other types of user activity, this field is blank.
Description
For Delete User Identity and User Identity Dropped activity, the username of the user who was deleted from the database or failed to be added to the database. For logins to network resources, network login is displayed. For other types of user activity, this field is blank.
Device
For user activity detected by a managed device, the name of the device. For other types of user activity, the managing Defense Center.
Count
The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows.
Searching for User Activity
License: FireSIGHT
You can search for specific user activity. You may want to create searches customized for your network environment, then save them to reuse later.
General Search Syntax
The system displays examples of valid syntax next to each search field. When entering search criteria, keep the following points in mind:
• All fields accept negation (!).
• All fields accept comma-separated lists. If you enter multiple criteria, the search returns only the records that match all the criteria.
• Many fields accept one or more asterisks (*) as wild cards.
• For some fields, you can specify n/a or blank in the field to identify events where information is not available for that field; use !n/a or !blank to identify the events where that field is populated.
• Most fields are case-insensitive.
• IP addresses may be specified using CIDR notation. For information on entering IPv4 and IPv6 addresses in the FireSIGHT System, see .
• Click the add object icon ( ) that appears next to a search field to use an object as a search criterion.
For detailed information on search syntax, including using objects in searches, see .
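As an added example (not code from the Cisco guide), the following Python matcher applies the syntax rules listed above to a few constructed User Login rows: ! negation, comma-separated lists, * wildcards, n/a and blank, case-insensitive comparison, and CIDR notation for IP addresses. It assumes that the items of a comma-separated list for one field match any of them while criteria on different fields are combined with AND, that a negated list excludes every listed value, and that the field names and sample rows are constructed rather than taken from a real system.

```python
import ipaddress
import re

# Constructed sample User Login activity rows (field names assumed, not real FireSIGHT data).
SAMPLE_EVENTS = [
    {"username": "alice", "ip_address": "10.1.2.10", "device": "sensor-1"},
    {"username": "Bob", "ip_address": "10.1.3.44", "device": "sensor-2"},
    {"username": "svc_backup", "ip_address": "192.0.2.7", "device": "sensor-1"},
    {"username": "carol", "ip_address": "", "device": "defense-center"},
]


def _match_term(term, value):
    """Match one term (without a leading '!') against one field value, case-insensitively."""
    term, value = term.strip().lower(), (value or "").lower()
    if term in ("n/a", "blank"):  # the event has no information for this field
        return value == ""
    if "/" in term:  # CIDR notation, e.g. 10.1.0.0/16
        try:
            net = ipaddress.ip_network(term, strict=False)
            return value != "" and ipaddress.ip_address(value) in net
        except ValueError:
            pass  # not an address or network: fall through to the text match
    # '*' is the only wildcard: each '*' becomes '.*', everything else is matched literally
    pattern = ".*".join(re.escape(part) for part in term.split("*"))
    return re.fullmatch(pattern, value) is not None


def _match_field(criterion, value):
    """A leading '!' negates the whole criterion; a comma list matches any item (assumption)."""
    negate = criterion.startswith("!")
    body = criterion[1:] if negate else criterion
    hit = any(_match_term(t, value) for t in body.split(","))
    return not hit if negate else hit


def search(events, criteria):
    """Return the rows for which every field criterion matches (fields are ANDed)."""
    return [e for e in events
            if all(_match_field(c, e.get(field, "")) for field, c in criteria.items())]


if __name__ == "__main__":
    # Logins from 10.1.0.0/16 by anything but service accounts, as seen by a sensor
    query = {"ip_address": "10.1.0.0/16", "username": "!svc_*", "device": "sensor-*"}
    for row in search(SAMPLE_EVENTS, query):
        print(row)
```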