Cisco Cisco Firepower Management Center 2000
4-38
FireSIGHT System User Guide
Chapter 4 Using the Context Explorer
Working with Filters in the Context Explorer
Because you may want to configure multiple filters before you apply them, and because the Context
Explorer may take time to fully reload all sections, filters that you add are not automatically applied. To
apply filters, you must click
Explorer may take time to fully reload all sections, filters that you add are not automatically applied. To
apply filters, you must click
Apply Filters
. Filters that are configured, but not yet applied, appear faded.
You can have up to 20 filters at a time, and you can delete individual filters by clicking the delete icon
(
(
) on the filter’s widget. If you want to delete all filters at once, you can click the
Clear
button.
Note that some filter types are incompatible with others: for example, filters that relate to intrusion
events (such as
events (such as
Device
and
Inline Result
) cannot be applied at the same time as connection event-related
filters (such as
Access Control Action
) because the system cannot sort connection event data by intrusion
event data. The system automatically prevents incompatible filters from simultaneously applying; when
one filter type is more recently activated, filters of the incompatible type are hidden as long as the
incompatibility exists.
one filter type is more recently activated, filters of the incompatible type are hidden as long as the
incompatibility exists.
Note that the data displayed depends on such factors as how you license and deploy your managed
devices, whether you configure features that provide the data and, in the case of Series 2 appliances,
whether the appliance supports a feature that provides the data. For example, because neither the DC500
Defense Center nor Series 2 devices support URL filtering by category and reputation, the DC500
Defense Center does not display data for this feature and Series 2 devices do not detect this data.
devices, whether you configure features that provide the data and, in the case of Series 2 appliances,
whether the appliance supports a feature that provides the data. For example, because neither the DC500
Defense Center nor Series 2 devices support URL filtering by category and reputation, the DC500
Defense Center does not display data for this feature and Series 2 devices do not detect this data.
To create a new filter from the Add Filter window:
Access:
Admin/Any Security Analyst
Step 1
Select
Analysis > Context Explorer
.
The Context Explorer appears.
Step 2
Under
Filters
at the top right, click the plus icon (
).
The Add Filter pop-up window appears.
Step 3
From the
Data Type
drop-down list, select the data type you want to filter on.
The Filter field populates with example values for that data type.
Step 4
In the
Filter
field, type the data type value you want to filter on.
Step 5
Click
OK
.
Your filter is added. The Context Explorer reappears and a corresponding filter widget appears.
Step 6
Optionally, repeat the previous steps to add more filters until you have the filter set you need. Note that
because the Context Explorer does not automatically refresh, your filters are not applied when you add
them.
because the Context Explorer does not automatically refresh, your filters are not applied when you add
them.
Step 7
Click
Apply Filters
.
Your filters are applied and the Context Explorer refreshes to reflect the filtered data.
To delete a filter:
Access:
Admin/Any Security Analyst
Step 1
Click the delete icon (
) on any filter widget.
The filter is deleted.