Cisco Firepower Management Center 2000
FireSIGHT System User Guide, 4-36
Chapter 4 Using the Context Explorer
Working with Filters in the Context Explorer
• from the Context Explorer icon or from text links that appear in certain detail view pages (Application Detail, Host Profile, Rule Detail, and User Profile). Clicking these links automatically opens and filters the Context Explorer according to the relevant data on the detail view page. For example, clicking the Context Explorer link on a user detail page for the user jenkins constrains the explorer to show only data associated with that user.
This section focuses on creating filters from scratch with the Add Filter window. For information on using the context menu to create quick filters from Context Explorer graph and list data, see .
The Add Filter window, which you access by clicking the plus icon under Filters at the top left of the Context Explorer, contains only two fields: Data Type and Filter.
The Data Type drop-down list contains many different types of FireSIGHT System data you can use to constrain the Context Explorer. After you select a data type, you then enter a specific value for that type in the Filter field (for example, a value of Asia for the type Continent). To assist you, the Filter field presents several grayed-out example values for the data type you select. (These are erased when you enter data in the field.)
The following table lists the data types available as filters, with examples and brief definitions of each. Note that the DC500 Defense Center does not display, and Series 2 devices do not detect, data for features they do not support. See the table for a summary of Series 2 appliance features.
Table 4-2 Filter Data Types

Access Control Action
    Example values: Allow, Block
    Definition: Action taken by your access control policy to allow or block traffic

Application Category
    Example values: web browser, email
    Definition: General classification of an application's most essential function

Application Name
    Example values: Facebook, HTTP
    Definition: Name of an application

Application Risk
    Example values: Very High, Medium
    Definition: Estimated security risk of an application

Application Tag
    Example values: encrypts communications, sends mail
    Definition: Additional information about an application; applications can have any number of tags, including none

Application Type
    Example values: Client, Web Application
    Definition: Type of an application: application protocol, client, or web application

Business Relevance
    Example values: Very Low, High
    Definition: Estimated relevance of an application to business activity (as opposed to recreation)

Continent
    Example values: North America, Asia
    Definition: Continent associated with a routable IP address detected on your monitored network

Country
    Example values: Canada, Japan
    Definition: Country associated with a routable IP address detected on your monitored network

Device
    Example values: device1.example.com, 192.168.1.3
    Definition: Name or IP address of a device on your monitored network

Event Classification
    Example values: Potential Corporate Policy Violation, Attempted Denial of Service
    Definition: Capsule description of an intrusion event, determined by the classification of the rule, decoder, or preprocessor that triggered it

Event Message
    Example values: dns response, P2P
    Definition: Message generated by an event, determined by the rule, decoder, or preprocessor that triggered it