Cisco Firepower Management Center 2000
47-5
FireSIGHT System User Guide
Chapter 47 Understanding and Using Workflows
Components of a Workflow
Table 47-1 Predefined Intrusion Event Workflows (continued)
(Columns: Workflow Name, Description)

Impact and Priority
This workflow lets you find high-impact recurring events quickly. The reported impact level is shown with the number of times the event has occurred. Using this information, you can identify the high-impact events that recur most often, which might be an indicator of a widespread attack on your network.
This workflow begins with a page showing the impact level, priority, and count associated with each event. Next, a drill-down page appears with the source and destination IP addresses for each event. Events on the second page are sorted by count. The last pages in the workflow are the table view of events and the packet view.

Impact and Source
This workflow can help you identify the source of an attack in progress. The reported impact level is shown with the associated source IP address for the event. If, for example, events with a level 1 impact are coming from the same source IP address repeatedly, they may indicate an attacker who has identified vulnerable systems and is targeting them.
This workflow begins with a page showing the impact level, source IP address, priority, and count associated with each event. Within each event level, events are sorted by count, then priority. Next, a drill-down page appears with the source and destination IP addresses for each event. Events on the second page are sorted by count. The last pages in the workflow are the table view of events and the packet view.

Impact to Destination
You can use this workflow to identify events repeatedly occurring on vulnerable computers, so you can address the vulnerabilities on those systems and stop any attacks in progress.
This workflow begins with a page showing the impact level, inline result (whether the packet was or would have been dropped), destination IP address, priority, and count associated with each event. Within each event level, events are sorted by count, then priority. Next, a drill-down page appears with the source and destination IP addresses for each event. Events on the second page are sorted by count. The last pages in the workflow are the table view of events and the packet view.

Source Port
This workflow indicates which servers are generating the most alerts. You can use this information to identify areas that require tuning, and to decide which servers require attention.
This workflow begins with a page showing the source ports associated with the intrusion events, followed by a page showing the types of events that were generated. The last pages in the workflow are the table view of events and the packet view.

Source and Destination
This workflow identifies host IP addresses sharing high levels of alerts. Pairs at the top of the list could be false positives, and may identify areas that require tuning. You can check pairs at the bottom of the list for targeted attacks, for users accessing resources they should not be accessing, or for hosts that do not belong on the network.
This workflow begins with a page showing the source and destination IP addresses for each event, followed by a page showing the types of events that were generated. The last pages in the workflow are the table view of events and the packet view.

Predefined Malware Workflows
License: Any
Supported Devices: feature dependent
Supported Defense Centers: feature dependent
The following table describes the predefined malware workflows included on the Defense Center. All predefined malware workflows use the table view of malware events.