Cisco FirePOWER Appliance 7020
16-25
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Working with Connection and Security Intelligence Data Tables
To export connection data:
Access: Admin/Any Security Analyst
Step 1 Click Export Data.
A pop-up window appears, displaying a table view of the data on your graph.
Step 2 Click Download CSV File and save the file.
Working with Connection and Security Intelligence Data Tables
License: feature dependent
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
The FireSIGHT System’s event viewer allows you to view connection data in a table, as well as
manipulate the event view depending on the information relevant to your analysis. Viewing Security
Intelligence events allows you to focus on connections with an identified Security Intelligence
reputation. (Security Intelligence requires a Protection license and is not supported on Series 2 managed
devices or DC500 Defense Centers.) The page you see when you access connection data differs
depending on the workflow, which is simply a series of pages you can use to evaluate events by moving
from a broad to a more focused view.
The Cisco-provided Connection Events and Security Intelligence Events workflows provide summary
views of basic connection and detected application information, which you can then use to drill down to
the table view of events. You can also create a custom workflow that displays only the information that
matches your specific needs.
Using the event viewer, you can:
• search for, sort, and constrain events, as well as change the time range for displayed events
• specify the columns that appear (table view only)
• view the host profile associated with an IP address, or the user details and host history associated with a user identity
• view files (including malware files) and intrusions detected in connections
• view geolocation information associated with an IP address
• view the full text of a URL in a connection event
• view events using different workflow pages within the same workflow
• view events using a different workflow altogether
• drill down page-to-page within a workflow, constraining on specific values
• bookmark the current page and constraints so you can return to the same data (assuming the data still exists) at a later time
• create a report template using the current constraints
• delete events from the database
• use the IP address context menu to whitelist, blacklist, or obtain additional information about a host or IP address associated with a connection
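The CSV produced by the Export Data procedure above is often the starting point for analysis outside the web interface, and the same constrain, sort and count operations the event viewer offers can be reproduced over that file. The following Python script is an added example, not part of this guide or of the FireSIGHT product: it loads a constructed sample of an exported connection-event CSV, separates Security Intelligence events (rows with a non-empty Security Intelligence category) from ordinary connection events, constrains the set by time range and column value the way a workflow drill-down would, and counts matches per initiator. The column names used (First Packet, Action, Initiator IP, Responder IP, Responder Port, Security Intelligence Category, Application Protocol) and the timestamp format are assumptions for illustration; check them against the header row of a real export before relying on them.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of an exported connection-event CSV (not a real export).
# Column names and timestamp format are assumptions for this example.
SAMPLE_CSV = """\
"First Packet","Action","Initiator IP","Responder IP","Responder Port","Security Intelligence Category","Application Protocol"
"2014-03-03 10:01:12","Allow","10.1.1.5","192.0.2.10","443","","HTTPS"
"2014-03-03 10:02:40","Block","10.1.1.7","198.51.100.20","80","Malware","HTTP"
"2014-03-03 10:03:05","Block","10.1.1.5","198.51.100.20","80","Malware","HTTP"
"2014-03-03 10:04:59","Monitor","10.1.1.9","203.0.113.4","53","CnC","DNS"
"2014-03-03 11:15:00","Allow","10.1.1.7","192.0.2.30","22","","SSH"
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed format of the First Packet column


def parse_time(text):
    """Parse a First Packet timestamp string into a datetime."""
    return datetime.strptime(text, TIME_FMT)


def load_events(csv_text):
    """Read an exported CSV into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def constrain(events, start=None, end=None, constraints=None):
    """Keep events inside [start, end] whose columns equal every value in constraints.

    This mirrors changing the time range and drilling down on a value in the
    event viewer: each call narrows the set further.
    """
    constraints = constraints or {}
    kept = []
    for ev in events:
        ts = parse_time(ev["First Packet"])
        if start is not None and ts < start:
            continue
        if end is not None and ts > end:
            continue
        if any(ev.get(col) != val for col, val in constraints.items()):
            continue
        kept.append(ev)
    return kept


def security_intelligence_events(events):
    """Security Intelligence events: connections with an identified SI category."""
    return [ev for ev in events if ev["Security Intelligence Category"]]


def count_by(events, column):
    """Count events per distinct value of a column (e.g. per initiator IP)."""
    return Counter(ev[column] for ev in events)


def sort_events(events, column, reverse=False):
    """Sort events on a column value, like clicking a column header."""
    return sorted(events, key=lambda ev: ev[column], reverse=reverse)


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    si_events = security_intelligence_events(events)
    print("Security Intelligence events by category:",
          dict(count_by(si_events, "Security Intelligence Category")))
    malware_hits = constrain(events, constraints={"Security Intelligence Category": "Malware"})
    print("Hosts that reached Malware-listed addresses:",
          dict(count_by(malware_hits, "Initiator IP")))
    for ev in sort_events(si_events, "First Packet", reverse=True):
        print(ev["First Packet"], ev["Action"], ev["Initiator IP"], "->",
              ev["Responder IP"], ev["Security Intelligence Category"])
```

To use it on a real export, replace SAMPLE_CSV with the contents of the downloaded file and adjust the column names to match its header row; the constraining and counting logic does not depend on the sample data.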