Cisco Cisco FirePOWER Appliance 8130
27-30
FireSIGHT System User Guide
Chapter 27 Using the FireSIGHT System as a Compliance Tool
Working with White List Events
To view compliance white list events:
Access:
Admin/Any Security Analyst/Discovery Admin
Step 1
Select
Analysis > Correlation > White List Events
.
The first page of the default white list events workflow appears. To use a different workflow, including
a custom workflow, click
a custom workflow, click
(switch workflow)
.by the workflow title. For information on specifying a
different default workflow, see
. If no events appear, you
may need to adjust the time range; see
.
Understanding the White List Events Table
License:
FireSIGHT
You can use the correlation policy feature to build correlation policies that let the system respond in real
time to threats on your network. Correlation policies describe the type of activity that constitutes a policy
violation, which include compliance white list violations. For more information on correlation policies,
see
time to threats on your network. Correlation policies describe the type of activity that constitutes a policy
violation, which include compliance white list violations. For more information on correlation policies,
see
drill down to the next page in the
workflow, constraining on a specific
value
workflow, constraining on a specific
value
use one of the following methods:
•
on a drill-down page that you created in a custom workflow, click a value within
a row. Note that clicking a value within a row in a table view constrains the table
view and does not drill down to the next page.
a row. Note that clicking a value within a row in a table view constrains the table
view and does not drill down to the next page.
•
To drill down to the next workflow page constraining on some users, select the
check boxes next to the users you want to view on the next workflow page, then
click
check boxes next to the users you want to view on the next workflow page, then
click
View
.
•
To drill down to the next workflow page keeping the current constraints, click
View All
.
Tip
Table views always include “Table View” in the page name.
For more information, see
delete white list events from the
system
system
use one of the following methods:
•
To delete some events, select the check boxes next to the events you want to
delete, then click
delete, then click
Delete
.
•
To delete all events in the current constrained view, click
Delete All
, then confirm
you want to delete all the events.
navigate to other event views to view
associated events
associated events
find more information in
.
Table 27-3
Compliance White List Event Actions (continued)
To...
You can...