Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Step 4
Enter your search criteria in the appropriate fields. If you enter multiple criteria, the Defense Center returns only the records that match all the criteria. Click the add icon that appears next to a search field to use an object as a search criterion.
Step 5
If you want to save the search so that other users can access it, clear the Save As Private check box. Otherwise, leave the check box selected to save the search so that only you can use it.
Tip
If you want to save a search as a restriction for custom user roles with restricted privileges, you must save it as a private search.
Step 6
You have the following options:
• Click Search to start the search. Your search results appear in the default clients workflow. To use a different workflow, including a custom workflow, click the switch workflow icon. For information on specifying a different default workflow, see .
• Click Save if you are modifying an existing search and want to save your changes.
• Click Save as New Search to save the search criteria. The search is saved (and associated with your user account if you selected Save As Private), so that you can run it at a later time.
Working with Application Details
License:
FireSIGHT
When a monitored host connects to another host, the system can, in many cases, determine what application was used. The FireSIGHT System detects the use of many email, instant messaging, peer-to-peer, and web applications, as well as other types of applications.
For each detected application, the system logs the IP address that used the application, the product, the version, and the number of times its use was detected. You can use the web interface to view, search, and delete application events. You can also update application data on a host or hosts using the host input feature.
If you know which applications are running on which hosts, you can use that knowledge to create host profile qualifications, which constrain the data you collect while building a traffic profile and can also limit the conditions under which a correlation rule triggers. You can also base correlation rules on the detection of an application. For example, if you want your employees to use a specific mail client, you could trigger a correlation rule when the system detects a different mail client running on one of your hosts.
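The mail-client rule described above, modeled in code as an added example (this is not FireSIGHT code and does not use the product's correlation engine or its export format). It takes application detail records of the kind the system logs (IP address, application, product, version, count), applies a host profile qualification that restricts the rule to hosts in a chosen network, and fires once per host and product where a mail client other than the approved one was detected. The CSV column names and the sample rows are constructed for illustration, as are the approved product and the qualifying network.

```python
"""Model of an application-detection correlation rule over application
detail records.  Added example, not FireSIGHT code; the CSV layout, column
names and sample rows below are constructed for illustration."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample records: one per (host, application, product, version).
# The header is an assumption, not the product's actual export format.
SAMPLE_EXPORT = """\
ip_address,application,product,version,count
10.1.2.10,Email Client,Microsoft Outlook,2013,42
10.1.2.10,Web Browser,Chrome,44.0,311
10.1.2.11,Email Client,Thunderbird,38.0,7
10.1.2.12,Email Client,Microsoft Outlook,2013,5
10.1.2.12,Email Client,Thunderbird,31.0,1
192.168.50.9,Email Client,Thunderbird,38.0,19
"""


def parse_application_details(text):
    """Return a dict mapping each host IP to its list of
    (application, product, version, count) tuples."""
    hosts = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        ip = ipaddress.ip_address(row["ip_address"])
        hosts[ip].append(
            (row["application"], row["product"], row["version"], int(row["count"]))
        )
    return hosts


def in_profile(ip, networks):
    """Host profile qualification: only hosts inside one of the given
    networks are considered by the rule."""
    return any(ip in net for net in networks)


def evaluate_mail_client_rule(hosts, approved_product, networks):
    """Correlation rule: report every (host, product) where an email client
    other than approved_product was detected on a qualifying host."""
    findings = []
    for ip in sorted(hosts):
        if not in_profile(ip, networks):
            continue  # outside the host profile qualification
        for app, product, version, count in hosts[ip]:
            if app == "Email Client" and product != approved_product:
                findings.append(
                    {"ip": str(ip), "product": product,
                     "version": version, "count": count}
                )
    return findings


def run_example():
    """Evaluate the rule over the constructed sample data: Outlook is the
    approved client (assumption) and only 10.1.2.0/24 is in scope."""
    hosts = parse_application_details(SAMPLE_EXPORT)
    networks = [ipaddress.ip_network("10.1.2.0/24")]
    return evaluate_mail_client_rule(hosts, "Microsoft Outlook", networks)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Run as written, the rule reports Thunderbird on 10.1.2.11 and on 10.1.2.12 (where it was seen alongside the approved client), and ignores 192.168.50.9 because that host falls outside the qualifying network.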
You should carefully read the release notes for each FireSIGHT System update as well as the advisories for each VDB update for information on updated detectors.
To collect and store application data for analysis, make sure that you enable application detection in your network discovery policy. For more information, see .
See the following sections for more information: