Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Working with User Activity
You can view a table of user activity, and then manipulate the event view depending on the information
you are looking for.
The page you see when you access user activity differs depending on the workflow you use. You can use
the predefined workflow, which includes the table view of user activity and terminates in a user details
page, which contains user details for every user that meets your constraints. You can also create a custom
workflow that displays only the information that matches your specific needs. For information on
creating a custom workflow, see
.
For more information about the contents of the columns in the table, see
. The following table describes some of the specific actions you can perform on a
user activity workflow page. You can also perform the actions in the
table.
To view user activity:
Access: Admin/Any Security Analyst
Step 1
Select Analysis > Users > User Activity.
The first page of the default user activity workflow appears. To use a different workflow, including a
custom workflow, click (switch workflow). For information on specifying a different default workflow, see
. If no events appear, you may need to adjust the time range;
Tip
If you are using a custom workflow that does not include the table view of user activity, click (switch
workflow), then select User Activity.
Understanding the User Activity Table
License: FireSIGHT
When the system detects user activity, it is logged to the database. Descriptions of the fields in the users
table follow.
Time
The time that the system detected the user activity.
Event
The user activity type. For more information, see
.
User
The user associated with the activity. At a minimum, this field contains a username and the protocol
used to detect the user. If there is LDAP metadata on the user, this field may also contain the first
name and last name of the user.
User Type
The protocol used to detect the user. For example, for users added to the database when the system
detects a POP3 login, the user type is pop3.