Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 47 Understanding and Using Workflows
Components of a Workflow
For information on accessing captured files, see
.
Table 47-4 Predefined Captured File Workflows
Workflow Name: Description
Captured File Summary: This workflow provides a breakdown of captured files based on type, category, and threat score.
Dynamic Analysis Status: This workflow provides a count of captured files based on whether they have been submitted for dynamic analysis.
Predefined Connection Data Workflows
License:
FireSIGHT
The following table describes the predefined connection data workflows included on the Defense Center.
All the predefined connection data workflows use the table view of connection data. For information on
accessing connection data, see
.
Table 47-5 Predefined Connection Data Workflows
Workflow Name: Description
Connection Events: This workflow provides a summary view of basic connection and detected application information, which you can then use to drill down to the table view of events.
Connections by Application: This workflow contains a graph of the 10 most active applications on the monitored network segment, based on the number of detected connections.
Connections by Initiator: This workflow contains a graph of the 10 most active host IP addresses on the monitored network segment, based on the number of connections where the host initiated the connection transaction.
Connections by Port: This workflow contains a graph of the 10 most active ports on the monitored network segment, based on the number of detected connections.
Connections by Responder: This workflow contains a graph of the 10 most active host IP addresses on the monitored network segment, based on the number of connections where the host IP was the responder in the connection transaction.
Connections over Time: This workflow contains a graph of the total number of connections on the monitored network segment over time.
Traffic by Application: This workflow contains a graph of the 10 most active applications on the monitored network segment, based on the number of kilobytes transmitted.
Traffic by Initiator: This workflow contains a graph of the 10 most active host IP addresses on the monitored network segment, based on the total number of kilobytes transmitted from each address.
Traffic by Port: This workflow contains a graph of the 10 most active ports on the monitored network segment, based on the number of kilobytes transmitted.
Traffic by Responder: This workflow contains a graph of the 10 most active host IP addresses on the monitored network segment, based on the total number of kilobytes received by each address.
Traffic over Time: This workflow contains a graph of the total kilobytes transmitted on the monitored network segment over time.