for Cisco Firepower Management Center 4000
47-37
FireSIGHT System User Guide
Chapter 47 Understanding and Using Workflows
Using Workflows
• correlation events
• white list events
This feature enhances your ability to investigate suspicious activity. For example, if you are viewing
connection data and notice that an internal host is transmitting an abnormally large amount of data to an
external site, you can select the responder IP address and the port as constraints and then jump to the
Applications workflow. The applications workflow uses the responder IP address and port as IP Address
and Port constraints and displays additional information about the application, such as what kind of
application it is. You can also click Hosts at the top of the page to view the host profile for the remote
host.
After finding more information about the application, you can select Connection Events to return to the
connection data workflow, remove the Responder IP from the constraints, add the Initiator IP to the
constraints, and select Application Details to see what client the user on the initiating host used when
transferring data to the remote host. Note that the Port constraint is not transferred to the Application
Details page. While keeping the local host as a constraint, you can also use other navigation buttons to
find additional information:
• To discover if any policies have been violated by the local host, keep the IP address as a constraint
and select Correlation Events from the Jump to drop-down list.
• To find out if an intrusion rule triggered against the host, indicating a possible compromise, select
Intrusion Events from the Jump to drop-down list.
• To view the host profile for the local host and determine if the host is susceptible to any
vulnerabilities that may have been exploited, select Hosts from the Jump to drop-down list.
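The pivot sequence above, modelled as an added example (this is not code from the FireSIGHT guide or from Cisco): each workflow is a table plus the constraints it accepts, and a jump translates constraint names for the target page or drops the ones it cannot use. The tables, addresses, byte counts, policy and rule names, the internal address range and the column mappings are all constructed for the example; in particular, the assumption that Application Details has no port column is how the example reproduces the note that the Port constraint is not transferred.

```python
import ipaddress

# Constructed sample tables standing in for the FireSIGHT event database.
# Every address, byte count, rule name and policy name here is invented.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

CONNECTION_EVENTS = [
    {"initiator_ip": "10.0.0.5", "responder_ip": "203.0.113.9", "port": 443, "bytes_sent": 4_800_000_000},
    {"initiator_ip": "10.0.0.5", "responder_ip": "198.51.100.4", "port": 53, "bytes_sent": 2_100},
    {"initiator_ip": "10.0.0.7", "responder_ip": "203.0.113.9", "port": 443, "bytes_sent": 38_000},
]
APPLICATIONS = [
    {"ip_address": "203.0.113.9", "port": 443, "application": "HTTPS", "category": "web"},
    {"ip_address": "203.0.113.9", "port": 22, "application": "SSH", "category": "remote admin"},
]
HOSTS = [
    {"ip_address": "203.0.113.9", "os": "Linux", "vuln_count": 0},
    {"ip_address": "10.0.0.5", "os": "Windows", "vuln_count": 3},
]
APPLICATION_DETAILS = [  # no port column: a Port constraint has nothing to match here
    {"initiator_ip": "10.0.0.5", "client": "curl", "application": "HTTPS"},
    {"initiator_ip": "10.0.0.5", "client": "systemd-resolved", "application": "DNS"},
    {"initiator_ip": "10.0.0.7", "client": "Firefox", "application": "HTTPS"},
]
CORRELATION_EVENTS = [{"source_ip": "10.0.0.5", "policy": "large outbound transfer"}]
INTRUSION_EVENTS = [{"source_ip": "10.0.0.5", "destination_ip": "203.0.113.9", "rule": "possible exfiltration"}]

# Each workflow: its table plus the constraints it accepts, as a map from the
# constraint name used on the source page to the column name on the target.
# A constraint absent from the map is dropped on the jump, which is how the
# Port constraint fails to carry over to Application Details.
WORKFLOWS = {
    "Connection Events": {"table": CONNECTION_EVENTS,
                          "accepts": {"initiator_ip": "initiator_ip", "responder_ip": "responder_ip", "port": "port"}},
    "Applications": {"table": APPLICATIONS,
                     "accepts": {"responder_ip": "ip_address", "initiator_ip": "ip_address", "port": "port"}},
    "Hosts": {"table": HOSTS, "accepts": {"responder_ip": "ip_address", "initiator_ip": "ip_address"}},
    "Application Details": {"table": APPLICATION_DETAILS,
                            "accepts": {"initiator_ip": "initiator_ip", "responder_ip": "responder_ip"}},
    "Correlation Events": {"table": CORRELATION_EVENTS,
                           "accepts": {"initiator_ip": "source_ip", "responder_ip": "destination_ip"}},
    "Intrusion Events": {"table": INTRUSION_EVENTS,
                         "accepts": {"initiator_ip": "source_ip", "responder_ip": "destination_ip"}},
}


def jump(constraints, target):
    """Translate constraints for the target workflow; return (kept, dropped constraint names)."""
    accepts = WORKFLOWS[target]["accepts"]
    kept, dropped = {}, []
    for name, value in constraints.items():
        if name in accepts:
            kept[accepts[name]] = value
        else:
            dropped.append(name)
    return kept, dropped


def query(workflow, constraints):
    """Rows of the workflow's table matching every (already translated) constraint."""
    return [row for row in WORKFLOWS[workflow]["table"]
            if all(row.get(col) == val for col, val in constraints.items())]


def find_large_uploads(threshold_bytes):
    """Internal initiators sending at least threshold_bytes to an external responder."""
    return [e for e in CONNECTION_EVENTS
            if e["bytes_sent"] >= threshold_bytes
            and ipaddress.ip_address(e["initiator_ip"]) in INTERNAL
            and ipaddress.ip_address(e["responder_ip"]) not in INTERNAL]


def investigate(threshold_bytes=1_000_000_000):
    """The pivot sequence from the text, one query per step. Returns None if nothing stands out."""
    suspicious = find_large_uploads(threshold_bytes)
    if not suspicious:
        return None
    ev = max(suspicious, key=lambda e: e["bytes_sent"])
    # Step 1: constrain on responder IP and port, jump to Applications, then Hosts (remote host).
    remote = {"responder_ip": ev["responder_ip"], "port": ev["port"]}
    applications = query("Applications", jump(remote, "Applications")[0])
    remote_host = query("Hosts", jump(remote, "Hosts")[0])
    # Step 2: back in connection data, swap Responder IP for Initiator IP, keep Port,
    # and jump to Application Details; the Port constraint is dropped on this jump.
    local = {"initiator_ip": ev["initiator_ip"], "port": ev["port"]}
    detail_constraints, dropped = jump(local, "Application Details")
    clients = [r["client"] for r in query("Application Details", detail_constraints)]
    # Step 3: keep only the local host and check policy violations, intrusions and its profile.
    host_only = {"initiator_ip": ev["initiator_ip"]}
    return {
        "initiator_ip": ev["initiator_ip"],
        "applications": applications,
        "remote_host": remote_host,
        "dropped_for_details": dropped,
        "clients": clients,
        "policy_violations": query("Correlation Events", jump(host_only, "Correlation Events")[0]),
        "intrusion_events": query("Intrusion Events", jump(host_only, "Intrusion Events")[0]),
        "local_host": query("Hosts", jump(host_only, "Hosts")[0]),
    }


if __name__ == "__main__":
    for key, value in investigate().items():
        print(f"{key}: {value}")
```

Because the Port constraint is dropped on the jump to Application Details, the clients list contains every client the initiating host used, not only the one on the suspicious port; that is the caveat the text makes, and an analyst who forgets it will over-read the result.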
Using Bookmarks
License: Any
Create a bookmark if you want to return quickly to a specific location and time in an event analysis.
Bookmarks retain information about:
• the workflow you are using
• the part of the workflow you are viewing
• the page number within the workflow
• any search constraints
• any disabled columns
• the time range you are using
The bookmarks you create are available to all user accounts with bookmark access. This means that if
you uncover a set of events that require more in-depth analysis, you can easily create a bookmark and
turn over the investigation to another user with the appropriate privileges.
Note
A bookmark stores the view and its constraints, not the events themselves. If the events that appear in a
bookmark are deleted (either directly by a user or by automatic database cleanup), the bookmark no longer
displays the original set of events.
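What the bookmark list and the Note above amount to, as an added example (not code from the FireSIGHT guide or from Cisco): a bookmark is the saved view state, so resolving it re-runs the query against whatever the database holds at that moment. The event store, addresses, times, the page size and the page name are constructed for the example, and the cleanup routine is a stand-in for the appliance's automatic database cleanup.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample event store standing in for the FireSIGHT event database;
# addresses, times and byte counts are invented for this example.
T0 = datetime(2015, 3, 1, 12, 0, 0)
EVENTS = [
    {"id": 0, "time": T0, "initiator_ip": "10.0.0.5", "responder_ip": "203.0.113.9", "bytes_sent": 900},
    {"id": 1, "time": T0 + timedelta(minutes=5), "initiator_ip": "10.0.0.5", "responder_ip": "203.0.113.9", "bytes_sent": 4_000_000},
    {"id": 2, "time": T0 + timedelta(minutes=10), "initiator_ip": "10.0.0.7", "responder_ip": "203.0.113.9", "bytes_sent": 1_200},
    {"id": 3, "time": T0 + timedelta(minutes=15), "initiator_ip": "10.0.0.5", "responder_ip": "203.0.113.9", "bytes_sent": 3_500_000},
    {"id": 4, "time": T0 + timedelta(minutes=20), "initiator_ip": "10.0.0.5", "responder_ip": "203.0.113.9", "bytes_sent": 2_200_000},
    {"id": 5, "time": T0 + timedelta(minutes=25), "initiator_ip": "10.0.0.9", "responder_ip": "203.0.113.9", "bytes_sent": 50},
]


@dataclass
class Bookmark:
    """Exactly what the text says a bookmark retains: view state, never events."""
    workflow: str            # the workflow in use, e.g. "Connection Events"
    page_name: str           # the part (drill-down page) of the workflow being viewed
    page_number: int         # 1-based page within that part
    constraints: dict        # active search constraints
    disabled_columns: frozenset
    time_range: tuple        # (start, end) datetimes, end exclusive
    page_size: int = 2       # rows per page; assumed for the example


def resolve(bookmark, store):
    """Re-run the bookmarked view against whatever the store holds now."""
    start, end = bookmark.time_range
    rows = sorted(
        (e for e in store
         if start <= e["time"] < end
         and all(e.get(k) == v for k, v in bookmark.constraints.items())),
        key=lambda e: e["time"])
    first = (bookmark.page_number - 1) * bookmark.page_size
    page = rows[first:first + bookmark.page_size]
    return [{k: v for k, v in e.items() if k not in bookmark.disabled_columns} for e in page]


def cleanup(store, older_than):
    """Stand-in for automatic database cleanup: events before the cutoff are gone for good."""
    return [e for e in store if e["time"] >= older_than]


def sample_bookmark(page_number=1):
    """Page N of connection events from 10.0.0.5 in the first hour, responder column hidden."""
    return Bookmark("Connection Events", "table view", page_number,
                    {"initiator_ip": "10.0.0.5"}, frozenset({"responder_ip"}),
                    (T0, T0 + timedelta(hours=1)))


def handoff_demo():
    """Analyst A bookmarks page 1 and hands it to analyst B. Returns the event ids B sees
    if nothing changed, and the ids B sees after cleanup ran in between."""
    bm = sample_bookmark(1)
    before = resolve(bm, EVENTS)
    after = resolve(bm, cleanup(EVENTS, T0 + timedelta(minutes=12)))
    return [e["id"] for e in before], [e["id"] for e in after]


if __name__ == "__main__":
    print(handoff_demo())  # same bookmark, different events once cleanup removed the originals
```

The second analyst gets a page that still satisfies every saved constraint, so nothing in the bookmark itself signals that the events have changed; if the exact rows matter for the hand-off, record their identifiers separately rather than relying on the bookmark.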
See these sections for more information about using bookmarks:
• describes how to create a new bookmark.
• describes how to view and use existing bookmarks.
• describes how to delete bookmarks.