Cisco FirePOWER Appliance 7020
16-29
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Searching for Connection and Security Intelligence Data
Also, keep in mind that your search results depend on the available data in the events you are searching. In other words, depending on the available data, your search constraints may not apply. See for information on when data is available for each connection data field.
General Search Syntax
The system displays examples of valid syntax next to each search field. When entering search criteria, keep the following points in mind:
• All fields accept negation (!).
• All fields accept comma-separated lists. If you enter multiple criteria, the search returns only the records that match all the criteria.
• Many fields accept one or more asterisks (*) as wild cards.
• Specify n/a in any field to identify events where information is not available for that field; use !n/a to identify the events where that field is populated.
• Click the add object icon ( ) that appears next to a search field to use an object as a search criterion.
For detailed information on search syntax, including using objects in searches, see .
Special Search Syntax for Connection and Security Intelligence Data
To supplement the general search syntax listed above, the following table describes some special search syntax for connection and Security Intelligence data.
Table 16-8 Connection and Security Intelligence Data Special Search Syntax

Search Criterion: a Monitor rule matched by the connection
Special Syntax: Use the Access Control Rule criterion to search for connections that matched individual Monitor rules. Because traffic matching a Monitor rule is always later handled by another rule or by the default action, you cannot search for a connection with an action of Monitor. Searching for the name of a Monitor rule returns all connections that matched that Monitor rule, regardless of the rule or default action that later handled the connection.

Search Criterion: a criterion with a numerical value (Bytes, Packets, Connections)
Special Syntax: You can precede the number with greater than (>), greater than or equal to (>=), less than (<), less than or equal to (<=), or equal to (=).

Tip: To view meaningful results for searches using the Connections criterion, you must use a custom workflow that has a connection summary page.
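As an added illustration that is not part of the guide, the following Python matcher applies the general and special search rules above (negation, comma-separated lists, * wild cards, n/a and !n/a, and the numeric comparison prefixes) to a few constructed connection events. It assumes that comma-separated values within one field are alternatives, that separate fields are ANDed, and that a leading ! negates only the value it precedes; the event field names follow the guide, but the sample values are made up.

```python
import fnmatch
from typing import Any, Dict, List, Optional

# Assumed semantics (not spelled out in the guide): comma-separated values in
# one field are alternatives, separate fields are ANDed, and a leading "!"
# negates only the value it precedes.
NUMERIC_FIELDS = {"Bytes", "Packets", "Connections"}
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def match_value(field: str, pattern: str, actual: Optional[Any]) -> bool:
    """Test one search value (any '!' already stripped) against one event field."""
    if pattern == "n/a":            # 'n/a' matches fields with no data
        return actual is None
    if actual is None:              # any other pattern needs a populated field
        return False
    if field in NUMERIC_FIELDS:     # >, >=, <, <=, = prefixes; bare number means =
        for op in (">=", "<=", ">", "<", "="):   # two-character operators first
            if pattern.startswith(op):
                return OPS[op](int(actual), int(pattern[len(op):]))
        return int(actual) == int(pattern)
    return fnmatch.fnmatchcase(str(actual), pattern)   # '*' acts as a wild card


def field_matches(field: str, criterion: str, actual: Optional[Any]) -> bool:
    """Evaluate one field's comma-separated criterion, honouring '!' negation."""
    include, exclude = [], []
    for tok in (t.strip() for t in criterion.split(",")):
        (exclude if tok.startswith("!") else include).append(tok.lstrip("!"))
    if any(match_value(field, p, actual) for p in exclude):
        return False
    return not include or any(match_value(field, p, actual) for p in include)


def search(events: List[Dict[str, Any]], criteria: Dict[str, str]) -> List[int]:
    """Return the ids of events that satisfy every field criterion (fields are ANDed)."""
    return [e["id"] for e in events
            if all(field_matches(f, c, e.get(f)) for f, c in criteria.items())]


# Constructed sample connection events; field names follow the guide, values are made up.
EVENTS = [
    {"id": 1, "Access Control Rule": "Monitor-DNS", "Action": "Allow", "Bytes": 1200, "URL": "http://example.test/a"},
    {"id": 2, "Access Control Rule": "Block-Malware", "Action": "Block", "Bytes": 80, "URL": None},
    {"id": 3, "Access Control Rule": "Monitor-DNS", "Action": "Block", "Bytes": 4096, "URL": "http://example.test/b"},
]
```

Searching on the Monitor rule name returns events 1 and 3 even though one was later allowed and the other blocked, which is the behaviour the table describes.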