Cisco Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Understanding Discovery Event Workflows
The Defense Center provides a set of workflows that you can use to analyze the discovery events that
are generated for your network. The workflows are, along with the network map, a key source of
information about your network assets. These workflows contain tables that are populated with
discovery data generated by the system.
Access network discovery workflows from the Analysis > Hosts menu. The Defense Center provides
predefined workflows for discovery events, as well as for detected hosts and their host attributes, servers,
applications, application details, vulnerabilities, user activities, and users. You can also create custom
workflows. For more information on workflows, see .
Tip
Select Analysis > Custom > Custom Tables to access workflows based on custom tables.
When you are using a network discovery workflow, you can perform many common actions, whatever
the type of event. These common functions are described in the
Table 38-1 Common Discovery Event Actions

To: view the host profile for an IP address
You can: click the host profile icon or, for hosts with active indications of compromise (IOC) tags, the compromised host icon that appears next to the IP address. For information on IOC, see

To: view user profile information
You can: click the user icon that appears next to the user identity. For more information, see .

To: sort data
You can: click the column title. Click the column title again to reverse the sort order.

To: drill down to the next page in the workflow
You can: use one of the following methods:
• To drill down to the next workflow page constraining on a specific value, click a value within a row. Note that this only works on drill-down pages. Clicking a value within a row in a table view only constrains the table view and does not drill down to the next page.
• To drill down to the next workflow page constraining on some events, select the check boxes next to the events you want to view on the next workflow page, then click View.
• To drill down to the next workflow page keeping the current constraints, click View All.
Tip
Table views always include “Table View” in the page name.
For more information, see .

To: constrain the columns that appear
You can: click the close icon in the column heading that you want to hide. In the pop-up window that appears, click Apply.
Tip
To hide or show other columns, select or clear the appropriate check boxes before you click Apply. To add a disabled column back to the view, click the expand arrow to expand the search constraints, then click the column name under Disabled Columns.

To: navigate within the current workflow page
You can: find more information in

To: navigate between pages in the current workflow, keeping the current constraints
You can: click the appropriate page link at the top left of the workflow page. For more information, see