Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 18: Working with Intrusion Events
18-2
Viewing Intrusion Event Statistics
• describes the various pages that are available in intrusion event workflows and explains how you can use them to analyze your intrusion events.
• describes the features of two of the types of pages in an intrusion event workflow.
• explains how to use the packet view of intrusion events.
• describes how you can use impact levels to evaluate intrusion events.
• explains how you can use the search feature to constrain a list of intrusion events to specific criteria.
• describes how to add intrusion events to a holding area called the clipboard so that you can later add the events to incidents. This section also explains how to generate event reports based on the contents of the clipboard.
Also, see:
• for more information about incident handling and how you can use incidents to track the progress of an event analysis.
• for more information about automated alerting.
• for more information about intrusion event reports.
• for more information about geolocation information in intrusion events.
Viewing Intrusion Event Statistics
License: Protection
The Intrusion Event Statistics page provides you with a quick summary of the current state of your appliance and any intrusion events generated for your network.
The Intrusion Event Statistics page has three main areas:
• describes the Host Statistics section, which provides information about the appliance and, for Defense Centers, their managed devices.
• describes the Event Overview, which provides an overview of the information in the event database.
• describes the Event Statistics, which provides more specific details about the information in the event database, such as the top 10 event types.
Each IP address, port, protocol, event message, and so on shown on the page is a link. Click any link to view the associated event information. For example, if one of the top 10 destination ports is 80 (http)/tcp, clicking that link displays the first page in the default intrusion events workflow and lists the events targeting that port. Note that only the events (and the managed devices that generate events) in the current time range appear. Also, intrusion events that you have marked reviewed continue to appear in the statistics. For example, if the current time range is the past hour but the first event was generated five hours ago, when you click the First Event link, the resulting event pages will not show the event until you change the time range.