Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 47 Understanding and Using Workflows
Components of a Workflow
By contrast, the table view of servers includes the Last Used, IP Address, Port, Protocol, Application
Protocol, Vendor, Version, Web Application, Application Risk, Business Relevance, Hits, Source
Type, Device, and Current User columns.
Drill-Down Pages
Drill-down pages contain a subset of columns that are available in the database.
For example, a drill-down page for discovery events might include only the IP Address, MAC
Address, and Time columns. A drill-down page for intrusion events, on the other hand, might
include the Priority, Impact Flag, Inline Result, and Message columns.
Generally, drill-down pages are intermediate pages that you use to narrow your investigation to a
few events before moving to a table view page.
Graphs
Workflows based on connection data can include graph pages, also called connection graphs.
For example, a connection graph might display a line graph that shows the number of connections
detected by the system over time. Generally, connection graphs are, like drill-down pages,
intermediate pages that you use to narrow your investigation. For more information, see
Final Pages
The final page of a workflow depends on the type of event on which the workflow is based:
– The host view is the final page for workflows based on applications, application details,
discovery events, hosts, indications of compromise (IOC), servers, or any type of
vulnerabilities. Viewing host profiles from this page allows you to easily view data on all IP
addresses associated with hosts that have multiple addresses. For more information, see
.
– The user detail view is the final page for workflows based on users and user activity. For more
information, see
– The vulnerability detail view is the final page for workflows based on Cisco vulnerabilities. For
more information, see
– The packet view is the final page for workflows based on intrusion events. For more
information, see
.
Workflows based on other kinds of events (for example, audit log events or malware events) do not
have final pages.
See the following sections for more information on workflows: