Cisco FirePOWER Appliance 8140
FireSIGHT System User Guide
Chapter 47 Understanding and Using Workflows
Using Workflows
Table 47-22 Table View and Drill-Down Page Features
Feature
Description
Click the blue down-arrow icon to display the corresponding row in the next page of the
workflow.
(clean)
(malware)
(custom detection)
(unknown)
(unavailable)
Click the network file trajectory icon, which appears in file name and SHA-256 hash value
columns, to view the file’s trajectory map in a new window. For more information, see
Note that because neither the DC500 Defense Center nor Series 2 devices support
network-based malware protection, you cannot view network file trajectory for network-based
malware and file events on these appliances.
(potentially compromised)
(blacklisted)
(blacklisted, set to monitor)
Click the host profile icon, which appears in IP address columns, to display the host profile
associated with that IP address in a pop-up window. For more information, see
.
Hosts that have been tagged as potentially compromised by triggered indications of compromise
(IOC) rules appear with the compromised host icon instead of the usual icon. For more
information on IOC, see
If the host profile icon is grayed out, you cannot view the host profile because that host cannot
be in the network map (for example, 0.0.0.0).
If you are performing traffic filtering based on Security Intelligence data, host icons next to
blacklisted and monitored IP addresses in the connection event view look slightly different. This
helps you identify which host in a connection was blacklisted. Note that neither the DC500
Defense Center nor Series 2 devices support Security Intelligence data.
(Low threat score)
(Medium threat score)
(High threat score)
(Very High threat score)
Click the threat score icon, which appears in threat score columns, to view the Dynamic
Analysis Summary report for the highest threat score associated with a file.
Note that because neither the DC500 Defense Center nor Series 2 devices support
network-based malware protection, you cannot view the Dynamic Analysis Summary report on
these appliances.
Click the user icon, which appears in user identity columns, to view user profile information.
For more information, see
If the user icon is grayed out, you cannot view the user profile because that user cannot be in the
database (FireAMP Connector user).
Click the vulnerability icon, which appears in third-party vulnerability ID columns, to view
vulnerability details for third-party vulnerabilities. For more information, see
.
Check boxes
Select the check boxes by two or more rows on a page to indicate which rows you want to affect,
then click one of the buttons at the bottom of the page (for example, the View button). You can
also select the check box at the top of the row to select all the rows on the page.