Cisco FirePOWER Appliance 7020
38-59
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Working with Users
The data used to generate the host history is stored in the user history database, which by default stores
10 million user login events. If you do not see any data in the host history for a particular user, either
that user is inactive, or you may need to increase the database limit. For more information, see
To view user details and host history:
Access: Admin/Any Security Analyst
Step 1 You have two options:
• In any event view that lists users, click the user icon that appears next to a user identity.
• In any users workflow, click the Users terminating page.
User details appear.
Searching for Users
License: FireSIGHT
You can search for specific users. You may want to create searches customized for your network
environment, then save them to reuse later.
General Search Syntax
The system displays examples of valid syntax next to each search field. When entering search criteria,
keep the following points in mind:
• All fields accept negation (!).
• All fields accept comma-separated lists. If you enter multiple criteria, the search returns only the
records that match all the criteria.
• Many fields accept one or more asterisks (*) as wild cards.
• For some fields, you can specify n/a or blank in the field to identify events where information is not
available for that field; use !n/a or !blank to identify the events where that field is populated.
• Most fields are case-insensitive.
• IP addresses may be specified using CIDR notation. For information on entering IPv4 and IPv6
addresses in the FireSIGHT System, see .
• Click the add object icon that appears next to a search field to use an object as a search criterion.
For detailed information on search syntax, including using objects in searches, see .
Specific User Search Criteria
For user type, valid search criteria are ldap, pop3, imap, and aim; because users are not added to the
database based on SMTP logins, entering smtp will not return any results.
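The following is an added example, not part of the Cisco guide and not FireSIGHT code: it applies the search-syntax rules above (negation with !, comma-separated lists, * wild cards, n/a and blank, case-insensitivity, CIDR for IP fields) and the user type values from this section to a few constructed user records, so you can check how a given search expression would be evaluated. It assumes comma-separated values within one field are alternatives and that criteria across different fields must all match; the record layout and field names are invented for the example.

```python
import ipaddress
import re

# Constructed sample user records (not real data); "email" is empty where unknown.
RECORDS = [
    {"username": "alice", "type": "ldap", "ip": "10.1.2.3", "email": "alice@example.com"},
    {"username": "bob", "type": "pop3", "ip": "10.1.9.7", "email": ""},
    {"username": "Carol", "type": "aim", "ip": "192.0.2.8", "email": "carol@example.com"},
    {"username": "dave", "type": "imap", "ip": "2001:db8::10", "email": ""},
]
IP_FIELDS = {"ip"}  # fields that accept CIDR notation (assumed field name)


def _wildcard(pattern, value):
    """Case-insensitive match where only '*' is special (matches any run of characters)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def _one_value(pattern, value, is_ip):
    """Match a single (non-negated, comma-free) search value against one record field."""
    if pattern.lower() in ("n/a", "blank"):  # matches records with no value recorded
        return value in ("", None)
    if value in ("", None):
        return False
    if is_ip:  # single address or CIDR block; a bare address is treated as /32 or /128
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return _wildcard(pattern, value)


def field_matches(criterion, value, is_ip=False):
    """Evaluate one search-field entry: a leading '!' negates the whole entry and
    comma-separated values are alternatives (assumption: OR within a field)."""
    crit = criterion.strip()
    negate = crit.startswith("!")
    if negate:
        crit = crit[1:]
    parts = [p.strip() for p in crit.split(",") if p.strip()]
    hit = any(_one_value(p, value, is_ip) for p in parts)
    return not hit if negate else hit


def search(records, criteria):
    """Return the records matching every non-empty criterion (AND across fields)."""
    active = {f: c for f, c in criteria.items() if c and c.strip()}
    return [r for r in records
            if all(field_matches(c, r.get(f), f in IP_FIELDS) for f, c in active.items())]
```

As the section states, a type criterion of smtp matches no records, since users are never recorded from SMTP logins.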
To search for users:
Access: Admin/Any Security Analyst
Step 1 Select Analysis > Search.