Cisco Cisco Firepower Management Center 2000
38-64
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Working with User Activity
To search for user activity:
Access:
Admin/Any Security Analyst
Step 1
Select
Analysis > Search
.
The Search page appears.
Step 2
From the
Tables
drop-down menu, select
User Activity
.
The User Activity search page appears.
Tip
To search the database for a different kind of event, select it from the
Table
drop-down list.
Step 3
Optionally, if you want to save the search, enter a name for the search in the
Name
field.
If you do not enter a name, one is created automatically when you save the search.
Step 4
Enter your search criteria in the appropriate fields. If you enter multiple criteria, the search returns only
the records that match all the criteria. Click the add icon (
the records that match all the criteria. Click the add icon (
) that appears next to a search field to use
an object as a search criterion.
Step 5
If you want to save the search so that other users can access it, clear the
Save As Private
check box.
Otherwise, leave the check box selected to save the search as private.
Tip
If you want to save a search as a restriction for custom user roles with restricted privileges, you must
save it as a private search.
save it as a private search.
Step 6
You have the following options:
•
Click
Search
to start the search.
Your search results appear in the default user activity workflow, constrained by the current time
range. To use a different workflow, including a custom workflow, click
range. To use a different workflow, including a custom workflow, click
(switch workflow)
. For
information on specifying a different default workflow, see
.
•
Click
Save
if you are modifying an existing search and want to save your changes.
•
Click
Save as New Search
to save the search criteria. The search is saved (and associated with your
user account if you selected
Save As Private
), so that you can run it at a later time.