Cisco FirePOWER Appliance 7020
16-30
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Searching for Connection and Security Intelligence Data
To search for connection or Security Intelligence data:

Access: Admin/Any Security Analyst

Step 1 Select Analysis > Search.
The Search page appears.

Step 2 You have two options:
• To search for connection data, from the Table drop-down list, select Connection Events.
• To search for Security Intelligence data, from the Table drop-down list, select Security Intelligence Events.
The page reloads with the appropriate constraints.

Step 3 Optionally, if you want to save the search, enter a name for the search in the Name field.
If you do not enter a name, one is created automatically when you save the search.

Step 4 Enter your search criteria in the appropriate fields.
See for information on the fields in the connection and Security Intelligence events tables.

Step 5 If you want to save the search so that other users can access it, clear the Save As Private check box.
Otherwise, leave the check box selected to save the search as private.
If you want to use the search as a data restriction for a custom user role, you must save it as a private search.

Step 6 You have the following options:
• Click Search to start the search.
Your search results appear in your default malware events workflow, constrained by the current time range.
• Click Save if you are modifying an existing search and want to save your changes.
Table 16-8 Connection and Security Intelligence Data Special Search Syntax (continued)

Search Criterion: Files or Intrusion Events associated with the connection
Special Syntax: You cannot use the connection/Security Intelligence events Search page to search for file, malware, and intrusion events associated with a connection. For information on viewing these associated events, see and .

Search Criterion: the Initiator User or URL for a connection
Special Syntax: The system performs a partial match, that is, you can search for all or part of the field contents without using asterisks.

Search Criterion: the total Traffic (in bytes) or transport Protocol used in the connection
Special Syntax: These columns do not appear in table views. To determine if there is a protocol or traffic constraint on a connection table view, expand the search constraints.

Search Criterion: TCP Flags in a NetFlow connection
Special Syntax: Type a list of comma-separated TCP flags to view all connections that have at least one of those flags (instead of all). You can also select the Only check box to search for connections that have any of the flags you specify as their only TCP flag.
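The two matching rules in Table 16-8 that analysts most often misread are the partial match on Initiator User and URL and the two TCP Flags modes (default "at least one of the listed flags" versus the Only check box, which requires a listed flag to be the connection's sole flag). The following added example, which is not FireSIGHT code and not from this guide, simulates those rules over a few constructed NetFlow-style records so you can see which connections each search would return; the Connection record layout, field names and the sample data are assumptions made for the illustration.

```python
"""Simulation of the FireSIGHT search semantics described in Table 16-8.
Added illustration, not product code. Record layout and sample data are
constructed for this example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """Assumed minimal shape of a connection event row (constructed)."""
    conn_id: int
    initiator_user: str
    url: str
    tcp_flags: frozenset  # set of flag names as seen in a NetFlow record


# Constructed sample records (not real traffic).
SAMPLE = [
    Connection(1, "jsmith", "http://intranet.example.test/login", frozenset({"SYN"})),
    Connection(2, "jsmith", "http://example.test/downloads", frozenset({"SYN", "ACK"})),
    Connection(3, "adoe", "https://updates.example.test/", frozenset({"ACK", "PSH", "FIN"})),
    Connection(4, "svc-backup", "", frozenset({"RST"})),
    Connection(5, "adoe", "http://example.test/api", frozenset({"ACK"})),
]


def partial_match(records, field, value):
    """Partial match as the table describes it for Initiator User and URL:
    the search value may be all or part of the field contents, and no
    asterisks are needed. Returns the matching connection IDs in order."""
    needle = value.lower()
    return [r.conn_id for r in records if needle in getattr(r, field).lower()]


def parse_flag_list(text):
    """Turn the comma-separated flag list typed into the search field
    (e.g. 'SYN, ACK') into a normalized set of flag names."""
    return frozenset(f.strip().upper() for f in text.split(",") if f.strip())


def match_tcp_flags(records, flag_text, only=False):
    """Default mode: a connection matches if it has at least one of the
    listed flags (not all of them). Only mode (the Only check box): a
    connection matches if its single TCP flag is one of the listed flags."""
    wanted = parse_flag_list(flag_text)
    hits = []
    for r in records:
        if only:
            if len(r.tcp_flags) == 1 and r.tcp_flags <= wanted:
                hits.append(r.conn_id)
        elif r.tcp_flags & wanted:
            hits.append(r.conn_id)
    return hits


if __name__ == "__main__":
    print("URL contains 'example.test/down':", partial_match(SAMPLE, "url", "example.test/down"))
    print("Flags SYN, RST (at least one):", match_tcp_flags(SAMPLE, "SYN, RST"))
    print("Flags SYN, RST (Only):", match_tcp_flags(SAMPLE, "SYN, RST", only=True))
```

Note how connection 2 (SYN+ACK) is returned by the default "SYN, RST" search but dropped once Only is set, because its SYN is not its sole flag; when reviewing a saved search that unexpectedly returns fewer rows than expected, the Only setting is the first thing to check.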