Cisco FirePOWER Appliance 7050
FireSIGHT System User Guide, page 38-24
Chapter 38 Working with Discovery Events
Working with Hosts
You can search for specific discovery events. You may want to create searches customized for your
network environment, then save them to reuse later.
General Search Syntax
The system displays examples of valid syntax next to each search field. When entering search criteria,
keep the following points in mind:
• All fields accept negation (!).
• All fields accept comma-separated lists. If you enter multiple criteria, the search returns only the
  records that match all the criteria.
• Many fields accept one or more asterisks (*) as wild cards.
• For some fields, you can specify n/a or blank in the field to identify events where information is not
  available for that field; use !n/a or !blank to identify the events where that field is populated.
• Most fields are case-insensitive.
• IP addresses may be specified using CIDR notation. For information on entering IP addresses in the
  FireSIGHT System, see
Note: When you search for hosts by IP address, the results include all hosts for which at least one
IP address matches your search conditions, that is, a search for an IPv6 address may return
hosts whose primary address is IPv4.
• Click the add object icon that appears next to a search field to use an object as a search
  criterion.

For detailed information on search syntax, including using objects in searches, see
Special Search Syntax for Hosts
The following table notes search information specific to particular host fields. For more information on
host fields, see
Table 38-5    Host Search Criteria

Field                     Search Criteria Notes
Host Type                 To search for all network devices, type !host.
MAC Vendor                To search for virtual MAC vendors, that is, for events that involve virtual
                          machines, type virtual_mac_vendor.
                          To search for a vendor whose name includes a comma, enclose the entire search
                          term in quotes. Otherwise, the Defense Center treats the term as two searches
                          and returns events that match each search term.
OS Vendor/Name/Version    Type unknown to search for hosts where the operating system is unknown.
                          Type n/a to search for hosts where the operating system has not yet been
                          identified.
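The general rules above (negation with !, comma-separated lists, * wild cards, n/a and blank for missing data, case-insensitive matching, CIDR for IP addresses, and the note that any one of a host's addresses may satisfy an IP search) and the host-specific notes in Table 38-5 (!host, virtual_mac_vendor, quoting a vendor name that contains a comma) are easiest to understand by running them against a few records. The following Python is an added example written for this page; it is not Cisco code and does not reproduce the Defense Center's own search implementation. It assumes that the values in one field's comma-separated list are alternatives (any of them may match, which is how the MAC Vendor note describes an unquoted comma) and that separate fields are ANDed; the host records, field names and the search() function are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample host records (hypothetical data, not taken from the guide).
# "ips" lists every address known for the host; the first entry is the primary one.
HOSTS = [
    {"name": "ws01", "host_type": "host", "mac_vendor": "Intel Corporate",
     "os_vendor": "Microsoft", "ips": ["10.0.0.5", "fd00::5"]},
    {"name": "rtr01", "host_type": "router", "mac_vendor": "Cisco Systems, Inc",
     "os_vendor": "Cisco", "ips": ["10.0.1.1"]},
    {"name": "vm01", "host_type": "host", "mac_vendor": "virtual_mac_vendor",
     "os_vendor": "n/a", "ips": ["192.168.1.20"]},
    {"name": "mac01", "host_type": "host", "mac_vendor": "Apple",
     "os_vendor": "unknown", "ips": ["10.0.0.9"]},
]


def split_terms(criteria):
    """Split a field's search text on commas, except commas inside double quotes.
    '"Cisco Systems, Inc"' stays one term; 'Cisco Systems, Inc' becomes two."""
    terms, buf, in_quote = [], [], False
    for ch in criteria:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            terms.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    terms.append("".join(buf).strip())
    return [t for t in terms if t]


def is_unavailable(value):
    """True when a field carries no information (what n/a or blank selects)."""
    return value is None or str(value).strip() == "" or str(value).lower() == "n/a"


def text_term_matches(term, value):
    """Match one text term against one field value: a leading '!' negates,
    '*' is a wild card, comparison is case-insensitive, and the literal terms
    n/a and blank select records where the field is not populated."""
    negate = term.startswith("!")
    if negate:
        term = term[1:]
    if term.lower() in ("n/a", "blank"):
        hit = is_unavailable(value)
    elif is_unavailable(value):
        hit = False
    else:
        # re.escape keeps commas, spaces and slashes literal; only '*' becomes '.*'.
        pattern = re.escape(term.lower()).replace(r"\*", ".*")
        hit = re.fullmatch(pattern, str(value).lower()) is not None
    return hit != negate


def ip_term_matches(term, addresses):
    """An IP term (single address or CIDR block) matches when at least one of the
    host's addresses falls inside it, whichever address is primary. Mixed
    IPv4/IPv6 comparisons simply fail to match rather than raising."""
    negate = term.startswith("!")
    if negate:
        term = term[1:]
    net = ipaddress.ip_network(term, strict=False)
    hit = any(ipaddress.ip_address(a) in net for a in addresses)
    return hit != negate


def search(criteria, hosts=HOSTS):
    """Return the names of hosts satisfying every field in `criteria`
    (a dict of field name -> search text). Assumed semantics: the terms within
    one field are alternatives, and all fields must match."""
    results = []
    for host in hosts:
        for field, raw in criteria.items():
            terms = split_terms(raw)
            if field == "ip":
                matched = any(ip_term_matches(t, host["ips"]) for t in terms)
            else:
                matched = any(text_term_matches(t, host.get(field)) for t in terms)
            if not matched:
                break
        else:
            results.append(host["name"])
    return results


if __name__ == "__main__":
    print(search({"host_type": "!host"}))                  # network devices only
    print(search({"mac_vendor": '"Cisco Systems, Inc"'}))  # quoted comma: one term
    print(search({"mac_vendor": "Cisco Systems, Inc"}))    # unquoted: two terms, no hit
    print(search({"os_vendor": "!n/a"}))                   # OS has been identified
    print(search({"ip": "fd00::5"}))                       # matches a host whose primary is IPv4
```

Running the block shows why the quoting rule in Table 38-5 matters: the unquoted vendor name is split into "Cisco Systems" and "Inc", neither of which is a complete vendor string, so the search returns nothing, whereas the quoted form returns the router. The IPv6 lookup returns ws01 even though its primary address is IPv4, matching the note above.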