Cisco Firepower Management Center 4000
FireSIGHT System User Guide
34-22
Chapter 34      Analyzing Malware and File Activity
  Working with Malware Events
General Search Syntax
The system displays examples of valid syntax next to each search field. When entering search criteria,
keep the following points in mind:
  • All fields accept negation (!).
  • All fields accept comma-separated lists; a record matches the field if any of the listed values matches. If you enter criteria in multiple fields, the search returns only the records that match all the criteria.
  • Many fields accept one or more asterisks (*) as wildcards.
  • Specify n/a in any field to identify events where information is not available for that field; use !n/a to identify the events where that field is populated.
  • Click the add object icon that appears next to a search field to use an object as a search criterion.
For detailed information on search syntax, including using objects in searches, see .
Special Search Syntax for Malware Events
To supplement the general search syntax listed above, the following table describes some special search
syntax for malware events.

Table 34-5      Malware Event Special Search Syntax

Search Criterion                Special Syntax
Sending/Receiving IP            The system returns all events where either the Sending IP or the Receiving IP matches the IP address you specify.
Event Type                      When searching for events with a specific malware event type (see ), enclose the event type in quotation marks, for example, "Scan Completed With Detection". Otherwise, the system performs a partial match. That is, if you search using the same string but do not use quotation marks, the system returns events with the following types:
                                  • Scan Completed, No Detections
                                  • Scan Completed With Detection
Initiator/Responder Continent   The system returns all events where either the Initiator Continent or the Responder Continent matches the continent you specify.
Initiator/Responder Country     The system returns all events where either the Initiator Country or the Responder Country matches the country you specify.
URI or Message                  The system performs a partial match, that is, you can search for all or part of the field contents without using asterisks.

To search for malware events:
Access: Admin/Any Security Analyst
Step 1   Select Analysis > Search.
         The Search page appears.
Step 2   From the Table drop-down list, select Malware Events.
         The page reloads with the appropriate constraints.
Step 3   Optionally, if you want to save the search, enter a name for the search in the Name field.
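The matching rules described on this page (negation, comma-separated lists, asterisk wildcards, n/a and !n/a, and the either-side and partial-match rules of Table 34-5) can be reproduced offline, for example to pre-test a query against an exported event list before saving it in the Search page, or to see why an unquoted Event Type such as Scan Completed returns both the clean and the detected scans. The Python script below is an added example written for this page; it is not FMC code and does not talk to the appliance. The event records are constructed, and because this page does not say how the GUI combines a leading ! with a comma-separated list, the script treats negated values as "none of these" (AND-ed) and positive values as "any of these" (OR-ed), which is an assumption of the example.

```python
import re

# Constructed sample malware events using the column names on this page.
# These records are made up for the example; they are not FMC output.
EVENTS = [
    {"Sending IP": "10.1.1.5", "Receiving IP": "192.0.2.10",
     "Event Type": "Scan Completed With Detection",
     "Initiator Country": "united states", "Responder Country": "germany",
     "URI": "http://files.example.test/dl/payload.exe", "Message": "n/a"},
    {"Sending IP": "10.1.1.6", "Receiving IP": "192.0.2.20",
     "Event Type": "Scan Completed, No Detections",
     "Initiator Country": "united states", "Responder Country": "n/a",
     "URI": "http://files.example.test/dl/readme.txt", "Message": "n/a"},
    {"Sending IP": "203.0.113.7", "Receiving IP": "10.1.1.5",
     "Event Type": "Threat Detected in Network File Transfer",
     "Initiator Country": "n/a", "Responder Country": "united states",
     "URI": "n/a", "Message": "retrospective disposition change"},
]

# Search criteria that match if either of two columns matches (Table 34-5).
EITHER_SIDE = {
    "Sending/Receiving IP": ("Sending IP", "Receiving IP"),
    "Initiator/Responder Continent": ("Initiator Continent", "Responder Continent"),
    "Initiator/Responder Country": ("Initiator Country", "Responder Country"),
}
# Fields where an unquoted string is a partial (substring) match, not an exact one.
PARTIAL_MATCH = {"URI", "Message", "Event Type"}

# One term of a comma list: optional '!' prefix, then a quoted string or a bare value.
TERM_RE = re.compile(r'\s*(!?"[^"]*"|[^,]+)')


def split_terms(criterion):
    """Split a comma-separated criterion into terms, keeping quoted strings whole
    (a quoted event type such as "Scan Completed, No Detections" contains a comma)."""
    return [t.strip() for t in TERM_RE.findall(criterion) if t.strip()]


def term_matches(value, term, field):
    """Match one column value against one positive (non-negated) term."""
    v = (value or "").strip().lower()
    t = term.strip().lower()
    if t == "n/a":                                   # n/a: field has no information
        return v in ("", "n/a")
    if len(t) >= 2 and t[0] == t[-1] == '"':         # quoted: exact match (Event Type)
        return v == t[1:-1]
    if field in PARTIAL_MATCH:                       # URI, Message, unquoted Event Type
        return t in v
    # Everything else: exact match where each '*' stands for any run of characters.
    return re.fullmatch(".*".join(map(re.escape, t.split("*"))), v) is not None


def field_matches(event, field, criterion):
    """Apply one field's criterion. Positive listed values are OR-ed; negated values
    must all fail ("none of these"). Combining '!' with a list this way is an
    assumption of this example, not a rule stated on the page."""
    columns = EITHER_SIDE.get(field, (field,))
    positive, negated = [], []
    for term in split_terms(criterion):
        (negated if term.startswith("!") else positive).append(term.lstrip("!"))

    def hits(term):  # either-side fields: a hit in any of their columns counts
        return any(term_matches(event.get(col), term, field) for col in columns)

    return (not positive or any(hits(t) for t in positive)) and not any(hits(t) for t in negated)


def search(events, criteria):
    """Criteria entered in different fields are AND-ed, as the general syntax says."""
    return [e for e in events if all(field_matches(e, f, c) for f, c in criteria.items())]


if __name__ == "__main__":
    queries = {
        "unquoted Event Type (partial match)": {"Event Type": "Scan Completed"},
        "quoted Event Type (exact match)": {"Event Type": '"Scan Completed With Detection"'},
        "either-side IP with negated type": {"Sending/Receiving IP": "10.1.1.*",
                                             "Event Type": "!Scan Completed"},
    }
    for label, crit in queries.items():
        print(f"{label}: {[e['Sending IP'] for e in search(EVENTS, crit)]}")
```

The either-side rule is worth noticing when scoping a suspect host: a single Sending/Receiving IP criterion returns transfers the host initiated and transfers it received, so you do not need two searches, but !address on that field only excludes events where the host appears on neither side.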