understanding and using workflows - cisco · understanding and using workflows a workflow is a...

C H A P T E R 58
Understanding and Using Workflows
A workflow is a tailored series of data pages on the Defense Center web interface that analysts can use to evaluate events generated by the system. The Defense Center provides three types of workflows:

• Predefined workflows, which are preset workflows installed on the system that you cannot modify or delete.

• Saved custom workflows, which are predefined custom workflows that you can modify or delete.

• Custom workflows, which are workflows that you create and customize for your specific needs.

For example, when you analyze intrusion events, you can choose from several predefined workflows specifically created for the task.

Note that the data displayed in a workflow often depends on such factors as how you license and deploy your managed devices, whether you configure features that provide the data and, in the case of Series 2 appliances and Cisco NGIPS for Blue Coat X-Series, whether the appliance supports a feature that provides the data. For example, because neither the DC500 Defense Center nor Series 2 devices support URL filtering by category and reputation, the DC500 Defense Center does not display data for this feature and Series 2 devices do not detect this data.

See the following sections for more information about using predefined and custom workflows:

• Components of a Workflow, page 58-1

• Using Workflows, page 58-15

• Using Custom Workflows, page 58-39

Tip You can also use custom workflows as the basis for event reports. See Working with Reports, page 57-1 for more information.

Components of a WorkflowLicense: Any

Workflows can include several types of pages, as described in the following sections.

Table Views

Table views include a column for each of the fields in the database on which your workflow is based.

For example, the table view of discovery events includes the Time, Event, IP Address, User, MAC Address, MAC Vendor, Port, Description, and Device columns.

58-1FireSIGHT System User Guide

Chapter 58 Understanding and Using Workflows Components of a Workflow

By contrast, the table view of servers includes the Last Used, IP Address, Port, Protocol, Application Protocol, Vendor, Version, Web Application, Application Risk, Business Relevance, Hits, Source Type, Device, and Current User columns.

Drill-Down Pages

Drill-down pages contain a subset of columns that are available in the database.

For example, a drill-down page for discovery events might include only the IP Address, MAC Address, and Time columns. A drill-down page for intrusion events, on the other hand, might include the Priority, Impact Flag, Inline Result, and Message columns.

Generally, drill-down pages are intermediate pages that you use to narrow your investigation to a few events before moving to a table view page.

Graphs

Workflows based on connection data can include graph pages, also called connection graphs.

For example, a connection graph might display a line graph that shows the number of connections detected by the system over time. Generally, connection graphs are, like drill-down pages, intermediate pages that you use to narrow your investigation. For more information, see Working with Connection Graphs, page 39-15.

Final Pages

The final page of a workflow depends on the type of event on which the workflow is based:

– The host view is the final page for workflows based on applications, application details, discovery events, hosts, indications of compromise (IOC), servers, or any type of vulnerabilities. Viewing host profiles from this page allows you to easily view data on all IP addresses associated with hosts that have multiple addresses. For more information, see Using Host Profiles, page 49-1.

– The user detail view is the final page for workflows based on users and user activity. For more information, see Understanding User Details and Host History, page 50-62.

– The vulnerability detail view is the final page for workflows based on Cisco vulnerabilities. For more information, see Viewing Vulnerability Details, page 49-27.

– The packet view is the final page for workflows based on intrusion events. For more information, see Using the Packet View, page 41-22.

Workflows based on other kinds of events (for example, audit log events or malware events) do not have final pages.

See the following sections for more information on workflows:

• Comparing Predefined and Custom Workflows, page 58-3

• Comparing Workflows for Predefined and Custom Tables, page 58-3

• Predefined Intrusion Event Workflows, page 58-4

• Predefined Malware Workflows, page 58-5

• Predefined File Workflows, page 58-6

• Predefined Captured File Workflows, page 58-6

• Predefined Connection Data Workflows, page 58-7

• Predefined Security Intelligence Workflows, page 58-8

• Predefined Host Workflows, page 58-8



• Predefined Indications of Compromise Workflows, page 58-9

• Predefined Applications Workflows, page 58-9

• Predefined Application Details Workflows, page 58-10

• Predefined Servers Workflows, page 58-11

• Predefined Host Attributes Workflows, page 58-11

• Predefined Discovery Events Workflows, page 58-11

• Predefined User Workflows, page 58-12

• Predefined Vulnerabilities Workflows, page 58-12

• Predefined Third-Party Vulnerabilities Workflows, page 58-12

• Predefined Correlation and White List Workflows, page 58-13

• Predefined System Workflows, page 58-13

• Saved Custom Workflows, page 58-14

Comparing Predefined and Custom WorkflowsLicense: Any

The FireSIGHT System is delivered with a set of predefined workflows (described in the sections that follow) that you can use to analyze the events and other data it collects.

Custom workflows are workflows that you create to meet the unique needs of your organization. When you create a custom workflow, you choose the kind of event (or database table) on which the workflow is based. On the Defense Center, you can base a custom workflow on a custom table. You can also choose the pages a custom workflow contains; custom workflows can contain drill-down, table view, and host or packet view pages.

The Defense Center is delivered with several saved custom workflows, which are based on the saved custom tables that are also delivered with the Defense Center. The differences between workflows based on predefined and custom tables is described in the next section, Comparing Workflows for Predefined and Custom Tables.

Comparing Workflows for Predefined and Custom TablesLicense: FireSIGHT

You can use the custom tables feature to create tables that use the data from two or more types of events. This is useful because you can, for example, create tables and workflows that correlate intrusion event data with discovery data to allow simple searches for events that affect critical systems. See Using Custom Tables, page 59-1 for information about creating custom tables.

Each custom table has, by default, a workflow that you can use to view the events associated with the table. The features in the workflow differ depending on which type of table you use. For example, custom table workflows based on the intrusion event table always end with the packet view. However, custom table workflows based on discovery events end with the host view.

Unlike workflows based on the predefined event tables, workflows based on custom tables do not have links to other types of workflows.



Predefined Intrusion Event WorkflowsLicense: Protection

The following table describes the predefined intrusion event workflows included with the FireSIGHT System. For information on accessing these workflows, see Viewing Intrusion Events, page 41-9 and Reviewing Intrusion Events, page 41-16.

:Table 58-1 Predefined Intrusion Event Workflows

Workflow Name Description

Destination Port Because destination ports are usually tied to an application, this workflow can help you detect applications that are experiencing an uncommonly high volume of alerts. The Destination Port column can also help you identify applications that should not be present on your network.

This workflow begins with a page showing the destination ports associated with the intrusion events, followed by a page showing the event types that were generated. You can then see a tabular view of event information, called the table view of events, followed by a packet view that shows the decoded contents of the packets associated with each event.

Event-Specific This workflow provides two useful features. Events that occur frequently may indicate:

• false positives

• a worm

• a badly misconfigured network

Events that occur infrequently are most likely evidence of a targeted attack and warrant special attention.

This workflow begins with a page showing the event types that were generated. You can then view a page with two tables, one listing the source IP addresses associated with the events, the other showing the destination IP addresses associated with the events. The last pages in the workflow are the table view of events and the packet view.

Events by Priority and Classification

This workflow lists events and their type in order of event priority, along with a count showing how many times each event has occurred.

This workflow begins with a drill-down page that contains the priority level, classification and count of each listed event. The last pages in the workflow are the table view of events and the packet view.

Events to Destinations

This workflow provides a high-level view of which host IP addresses are being attacked and the nature of the attack; where available, you can also see information about the countries involved in attacks.

This workflow begins with a page of paired event types and destination IP addresses that you can use to investigate what types of events are directed towards specific IP addresses. The last pages in the workflow are the table view of events and the packet view.

IP-Specific This workflow shows which host IP addresses are generating the most alerts. Hosts with the greatest number of events are either public-facing and receiving worm-type traffic (indicating a good place to look for tuning) or require further investigation to determine the cause of the alerts. Hosts with the lowest counts also warrant investigation as they could be the subject of a targeted attack. Low counts may also indicate that a host may not belong on the network.

This workflow begins with a page showing two tables, one each for the source and destination IP addresses that are associated with the events. The next page shows the event types that were generated. The last pages in the workflow are the table view of events and the packet view.



Predefined Malware WorkflowsLicense: Any

Supported Devices: feature dependent

Supported Defense Centers: feature dependent

The following table describes the predefined malware workflows included on the Defense Center. All predefined malware workflows use the table view of malware events.

Impact and Priority This workflow lets you find high-impact recurring events quickly. The reported impact level is shown with the number of times the event has occurred. Using this information, you can identify the high-impact events that recur most often, which might be an indicator of a widespread attack on your network.

This workflow begins with a page showing the impact level, priority, and count associated with each event. Next, a drill-down page appears with the source and destination IP addresses for each event. Events on the second page are sorted by count. The last pages in the workflow are the table view of events and the packet view.

Impact and Source This workflow can help you identify the source of an attack in progress. The reported impact level is shown with the associated source IP address for the event. If, for example, events with a level 1 impact are coming from the same source IP address repeatedly, they may indicate an attacker who has identified vulnerable systems and is targeting them.

This workflow begins with a page showing the impact level, source IP address, priority, and count associated with each event. Within each event level, events are sorted by count, then priority. Next, a drill-down page appears with the source and destination IP addresses for each event. Events on the second page are sorted by count. The last pages in the workflow are the table view of events and the packet view.

Impact to Destination You can use this workflow to identify events repeatedly occurring on vulnerable computers, so you can address the vulnerabilities on those systems and stop any attacks in progress.

This workflow begins with a page showing the impact level, inline result (whether the packet was or would have been dropped), destination IP address, priority, and count associated with each event. Within each event level, events are sorted by count, then priority. Next, a drill-down page appears with the source and destination IP addresses for each event. Events on the second page are sorted by count. The last pages in the workflow are the table view of events and the packet view.

Source Port This workflow indicates which servers are generating the most alerts. You can use this information to identify areas that require tuning, and to decide which servers require attention.

This workflow begins with a page showing the source ports associated with the intrusion events, followed by a page showing the types of events that were generated. The last pages in the workflow are the table view of events and the packet view.

Source and Destination

This workflow identifies host IP addresses sharing high levels of alerts. Pairs at the top of the list could be false positives, and may identify areas that require tuning. You can check pairs at the bottom of the list for targeted attacks, for users accessing resources they should not be accessing, or for hosts that do not belong on the network.

This workflow begins with a page showing the source and destination IP addresses for each event, followed by a page showing the types of events that were generated. The last pages in the workflow are the table view of events and the packet view.

Table 58-1 Predefined Intrusion Event Workflows (continued)




Note that because the DC500 Series 2 Defense Center, Series 2 devices, and Cisco NGIPS for Blue Coat X-Series do not support advanced malware protection, the DC500 Defense Center does not display data for this feature and Series 2 devices and Cisco NGIPS for Blue Coat X-Series do not detect this data.

For information on accessing malware events, see Working with Malware Events, page 40-16.

Predefined File WorkflowsLicense: Protection

The following table describes the predefined file event workflows included on the Defense Center. All the predefined file event workflows use the table view of file events. For information on accessing file events, see Working with File Events, page 40-7.

Predefined Captured File WorkflowsLicense: Malware


Supported Defense Centers: feature dependent

The following table describes the predefined captured file workflows included on the Defense Center. All predefined captured file workflows use the table view of captured files.

Note that because the DC500 Series 2 Defense Center, Series 2 devices, and Cisco NGIPS for Blue Coat X-Series do not support advanced malware protection, the DC500 Defense Center does not display data for this feature and Series 2 devices and Cisco NGIPS for Blue Coat X-Series do not detect this data.

Table 58-2 Predefined Malware Workflows


Malware Summary This workflow provides a list of the malware detected in network traffic or by endpoint-based FireAMP Connectors, grouped by individual threat.

Malware Event Summary This workflow provides a quick breakdown of the different malware event types and subtypes.

Hosts Receiving Malware This workflow provides a list of host IP addresses that have received malware, grouped by the malware files’ associated dispositions.

Hosts Sending Malware This workflow provides a list of host IP addresses that have sent malware, grouped by the malware files’ associated dispositions.

Applications Introducing Malware

This workflow provides a list of host IP addresses that have received files, grouped by the associated malware dispositions for those files.

Table 58-3 Predefined File Workflows


File Summary This workflow provides a quick breakdown of the different file event categories and types, along with any associated malware dispositions.

Hosts Receiving Files This workflow provides a list of host IP addresses that have received files, grouped by the associated malware dispositions for those files.

Hosts Sending Files This workflow provides a list of host IP addresses that have sent files, grouped by the associated malware dispositions for those files.



For information on accessing captured files, see Working with Captured Files, page 40-29.

Predefined Connection Data WorkflowsLicense: FireSIGHT

The following table describes the predefined connection data workflows included on the Defense Center. All the predefined connection data workflows use the table view of connection data. For information on accessing connection data, see Viewing Connection and Security Intelligence Data, page 39-14.

Table 58-4 Predefined Captured File Workflows


Captured File Summary This workflow provides a breakdown of captured files based on type, category, and threat score.

Dynamic Analysis Status This workflow provides a count of captured files based on whether they have been submitted for dynamic analysis.

Table 58-5 Predefined Connection Data Workflows


Connection Events This workflow provides a summary view of basic connection and detected application information, which you can then use to drill down to the table view of events.

Connections by Application

This workflow contains a graph of the 10 most active applications on the monitored network segment, based on the number of detected connections.

Connections by Initiator This workflow contains a graph of the 10 most active host IP addresses on the monitored network segment, based on the number of connections where the host initiated the connection transaction.

Connections by Port This workflow contains a graph of the 10 most active ports on the monitored network segment, based on the number of detected connections.

Connections by Responder This workflow contains a graph of the 10 most active host IP addresses on the monitored network segment, based on the number of connections where the host IP was the responder in the connection transaction.

Connections over Time This workflow contains a graph of the total number of connections on the monitored network segment over time.

Traffic by Application This workflow contains a graph of the 10 most active applications on the monitored network segment, based on the number of kilobytes transmitted.

Traffic by Initiator This workflow contains a graph of the 10 most active host IP addresses on the monitored network segment, based on the total number of kilobytes transmitted from each address.

Traffic by Port This workflow contains a graph of the 10 most active ports on the monitored network segment, based on the number of kilobytes transmitted.

Traffic by Responder This workflow contains a graph of the 10 most active host IP addresses on the monitored network segment, based on the total number of kilobytes received by each address.

Traffic over Time This workflow contains a graph of the total kilobytes transmitted on the monitored network segment over time.



Predefined Security Intelligence WorkflowsLicense: Protection

Supported Devices: Any except Series 2

Supported Defense Centers: Any except DC500

The following table describes the predefined Security Intelligence workflows included on the Defense Center. All the predefined Security Intelligence workflows use the table view of Security Intelligence events. For more information on accessing Security Intelligence event data, see Viewing Connection and Security Intelligence Data, page 39-14.

Predefined Host WorkflowsLicense: FireSIGHT

The following table describes the predefined workflows that you can use with host data.

Unique Initiators by Responder

This workflow contains a graph of the 10 most active responding host IP addresses on the monitored network segment, based on the number of unique initiators that contacted each address.

Unique Responders by Initiator

This workflow contains a graph of the 10 most active initiating host IP addresses on the monitored network segment, based on the number of unique responders that the addresses contacted.

Table 58-5 Predefined Connection Data Workflows (continued)


Table 58-6 Predefined Security Intelligence Workflows


Security Intelligence Events

This workflow provides a summary view of basic Security Intelligence and detected application information, which you can then use to drill down to the table view of events.

Security Intelligence Summary

This workflow is identical to the Security Intelligence Events workflow, but begins with the Security Intelligence Summary page, which lists security intelligence events by category and count only.



Predefined Indications of Compromise WorkflowsLicense: FireSIGHT

The following table describes the predefined workflows that you can use with IOC (Indications of Compromise) data.

Predefined Applications WorkflowsLicense: FireSIGHT

The following table describes the predefined workflows that you can use with application data.

Table 58-7 Predefined Host Workflows


Hosts This workflow contains a table view of hosts followed by the host view. Workflow views based on the Hosts table allow you to easily view data on all IP addresses associated with a host. See Viewing Hosts, page 50-19 for more information.

Operating System Summary

You can use this workflow to analyze the operating systems in use on your network. This workflow provides a series of pages that start with a list of the operating systems and operating system vendors on your network, continuing with the number of hosts running each version of that operating system. The next page lists hosts by criticality, IP address, and NetBIOS name, with their associated operating systems and operating system vendors. The workflow finishes with a table view of hosts, followed by the host view. See Viewing Hosts, page 50-19 for more information.

Table 58-8 Predefined Indications of Compromise Workflows


Indications of Compromise This workflow begins with a summary view of IOC data grouped by count and category, followed by a detail view that further subdivides the summary data by event type. Next is a full table view of IOC data. The workflow concludes with the host view. For more information on viewing and interpreting IOC data, see Working with Indications of Compromise, page 50-31.

Indications of Compromise by Host

You can use this workflow to gauge which hosts on your network are most likely to be compromised (based on IOC data). This workflow contains a view of host IP addresses by IOC data count, followed by a table view of IOC data and concluding with the host view. For more information on viewing and interpreting IOC data, see Working with Indications of Compromise, page 50-31.



Predefined Application Details WorkflowsLicense: FireSIGHT

The following table describes the predefined workflows that you can use with application detail and client data.

Table 58-9 Predefined Applications Workflows


Application Business Relevance

You can use this workflow to analyze running applications of each estimated business relevance level on your network, so you can monitor appropriate use of your network resources. This workflow begins with a count of hosts running applications of each relevance level, followed by a table of individual applications with their business relevance levels and host counts, a table view of applications, and the host view. See Viewing Applications, page 50-41 for more information.

Application Category You can use this workflow to analyze running applications of each category (such as email, search engine, or social networking) on your network, so you can monitor appropriate use of your network resources. This workflow begins with a count of hosts running applications of each category, followed by a count of hosts running individual applications, a table view of applications, and the host view. See Viewing Applications, page 50-41 for more information.

Application Risk You can use this workflow to analyze running applications of each estimated security risk level on your network, so you can estimate the potential risk of users’ activity and take appropriate action. This workflow begins with a count of hosts running applications of each risk level, followed by a table of individual applications with their business relevance levels and host counts, a table view of applications, and the host view. See Viewing Applications, page 50-41 for more information.

Application Summary You can use this workflow to obtain detailed information about the applications and associated hosts on your network, so you can closely examine host application activity. This workflow begins with a list of individual host IP addresses running applications, followed by a table view of applications and the host view.

Applications You can use this workflow to analyze running applications on your network, so you can gain an overview of how the network is being used. This workflow begins with a count of hosts running individual applications, followed by a table view of applications and the host view. See Viewing Applications, page 50-41 for more information.

Table 58-10 Predefined Application Details Workflows


Application Details You can use this workflow to analyze the client applications on your network in more detail. This workflow contains a series of pages that begin with a list of the client applications and application products on your network and a count of the number of hosts running each application. You can then view the number of hosts running each version of that application. The next page lets you identify which applications have been accessed most frequently on specific hosts. The workflow then provides a table view of client applications, followed by the host view. See Viewing Application Details, page 50-45 for more information.

Clients This workflow contains a table view of client applications, followed by the host view. See Viewing Application Details, page 50-45 for more information.



Predefined Servers WorkflowsLicense: FireSIGHT

The following table describes the predefined workflows that you can use with server data.

Predefined Host Attributes WorkflowsLicense: FireSIGHT

The following table describes the predefined workflow that you can use with host attribute data.

Predefined Discovery Events WorkflowsLicense: FireSIGHT

The following table describes the predefined workflow that you can use with discovery event data.

Table 58-11 Predefined Servers Workflows


Network Applications by Count

You can use this workflow to analyze the most frequently used applications on your network. This workflow contains a series of pages that show applications with a count of hosts where each application occurs, then add the vendor and version of each application. The workflow then concludes with a table view listing the applications per host, followed by the host view. See Viewing Servers, page 50-35 for more information.

Network Applications by Hit

You can use this workflow to analyze the most active applications on your network. This workflow contains a series of pages that show applications with a count of how often each application is accessed, then add the vendor and version information for each application. The workflow finishes with a page containing a table view listing the applications per host, followed by the host view. See Viewing Servers, page 50-35 for more information.

Server Details You can use this workflow to analyze the vendors and versions of detected server application protocols in detail. The workflow contains a list of servers associated with their vendors, then a list of servers correlated with both vendor and version, finishing with a table view of servers and the host view.

Servers This workflow contains a table view of applications followed by the host view. See Viewing Servers, page 50-35 for more information.

Table 58-12 Predefined Host Attributes Workflows


Attributes You can use this workflow to monitor IP addresses of hosts on your network and the hosts’ status. This workflow begins with a table view of host attributes that lists individual IP addresses with current user, host criticality, notes, and white list compliance. It finishes with the host view. For more information, see Viewing Host Attributes, page 50-27.



Predefined User WorkflowsLicense: FireSIGHT

The following table describes the predefined user workflows included on the Defense Center.

Predefined Vulnerabilities WorkflowsLicense: FireSIGHT

The following table describes the predefined vulnerabilities workflow included on the Defense Center.

Predefined Third-Party Vulnerabilities WorkflowsLicense: FireSIGHT

The following table describes the predefined third-party vulnerabilities workflows included on the Defense Center.

Table 58-13 Predefined Discovery Event Workflows


Discovery Events This workflow provides a detailed list, in table view form, of discovery events, followed by the host view. For more information, see Understanding the Discovery Events Table, page 50-15.

Table 58-14 Predefined User Workflows


Users This workflow provides a list of user information collected from user events or from the LDAP server connection. For details about the user identity workflow, see Viewing Users, page 50-59.

Table 58-15 Predefined Vulnerabilities Workflows


Vulnerabilities You can use this workflow to review s a table view of vulnerabilities showing all the vulnerabilities in the database, followed by a table view of only those active vulnerabilities that apply to the detected hosts on your network.The workflow ends in a vulnerability detail view, which contains a detailed description for every vulnerability that meets your constraints. For more information, see Viewing Vulnerabilities, page 50-49.



Predefined Correlation and White List WorkflowsLicense: FireSIGHT

There is a predefined workflow for each type of correlation data, white list events, white list violations, and remediation status events.

Predefined System WorkflowsLicense: Any

The FireSIGHT System is delivered with some additional workflows, including system events such as audit events and health events, as well as workflows that list results from rule update imports and active scans.

Table 58-16 Predefined Third-Party Vulnerabilities Workflows


Vulnerabilities by IP Address

You can use this workflow to see quickly how many third-party vulnerabilities you have detected per host IP address on your monitored network. The workflow concludes with a table view of third-party vulnerabilities, followed by the host view. For more information, see Viewing Third-Party Vulnerabilities, page 50-54.

Vulnerabilities by Source You can use this workflow to see quickly how many third-party vulnerabilities you have detected per third-party vulnerability source, such as the QualysGuard Scanner. This workflow provides some details about those vulnerabilities on an intermediate drill-down page, then concludes with a table view of third-party vulnerabilities and the host view. For more information, see Viewing Third-Party Vulnerabilities, page 50-54.

Table 58-17 Predefined Correlation Workflows


Correlation Events This workflow contains a table view of correlation events. See Working with Correlation Events, page 51-52 for more information.

White List Events This workflow contains a table view of white list events. See Working with White List Events, page 52-28 for more information.

Host Violation Count This workflow provides a series of pages that list all the host IP addresses that violate at least one white list. The first page sorts the addresses based on the number of violations per address, with the IP addresses with the most number of violations at the top of the list. If a host IP address violates more than one white list, there is a separate row for each violated white list. The workflow also contains a table view of white list violations that lists all violations, with the most recently detected violation at the top of the list. Each row in the table contains a single detected violation. See Working with White List Violations, page 52-34 for more information.

White List Violations This workflow includes a table view of white list violations that lists all violations with the most recently detected violation at the top of the list. Each row in the table contains a single detected violation. See Working with White List Violations, page 52-34 for more information.

Status This workflow contains a table view of remediation status, which includes the name of the policy that was violated and the name and status of the remediation that was applied. See Working with Remediation Status Events, page 54-17 for more information.



Saved Custom WorkflowsLicense: Protection + FireSIGHT

In addition to predefined workflows, which cannot be modified, your Defense Center includes several saved custom workflows. Each of these workflows is based on a custom table and can be modified. For information on accessing these workflows, see Viewing a Workflow Based on a Custom Table, page 59-8.

Table 58-18 Additional Predefined Workflows


Audit Log This workflow contains a table view of the audit log that lists audit events. See Viewing Audit Records, page 69-2 for more information.

Health Events This workflow displays events triggered by the health monitoring policy. See Working with the Health Events Table View, page 68-49 for more information.

Rule Update Import Log

This workflow contains a table view listing information about both successful and failed rule update imports. For more information, see Importing Rule Updates and Local Rule Files, page 66-15.

Scan Results This workflow contains a table view listing each completed scan. For more information, see Working with Active Scan Results, page 47-19.

Table 58-19 Saved Custom Workflows


Events by Impact, Priority, and Host Criticality

You can use this workflow to quickly pick out and focus in on hosts that are important to your network, currently vulnerable, and possibly currently under attack.

By default, this workflow starts with a summary of events sorted by impact level, then by host criticality, and then by the number of occurrences of the event. You can use the second page of the workflow to drill down and view the source and destination addresses where specific events occur. The workflow concludes with a table view of Intrusion Events with Destination Criticality, then the packet view. This workflow is based on the Intrusion Events with Destination Criticality custom table. For more information, see Understanding Custom Tables, page 59-1.

Events by Priority and Classification

This workflow lists events and their type in order of event priority, along with a count showing how many times each event has occurred.

This workflow begins with a drill-down page that contains the priority level, classification and count of each listed event. The last pages in the workflow are the table view of events and the packet view. This workflow is based on the Intrusion Events custom table. For more information, see Understanding Custom Tables, page 59-1.

Events with Destination, Impact, and Host Criticality

You can use this workflow to find the most recent attacks on hosts that are important to your network and currently vulnerable.

By default, this workflow starts with a list of the most recent events, sorted by impact level. The next page of the workflow provides a table view of Intrusion Events with Destination Criticality, followed by the packet view. This workflow is based on the Intrusion Events with Destination Criticality custom table. For more information, see Understanding Custom Tables, page 59-1.


Chapter 58 Understanding and Using Workflows Using Workflows

Using WorkflowsLicense: Any

The drill-down and table view pages in workflows allow you to quickly narrow your view of the data so you can zero in on events that are significant to your analysis. Although the data in each type of workflow is different, all workflows share a common set of features. The following sections describe these features and explain how to use them:

• Selecting Workflows, page 58-16 describes the workflow selection page and how to select a workflow to use.

• Understanding the Workflow Toolbar, page 58-17 describes the toolbar options available in workflows.

• Using Workflow Pages, page 58-18 describes the features that appear on all workflow pages and explains how to use them.

• Setting Event Time Constraints, page 58-23 describes how to set the time range for event-based workflows. The workflow includes events generated in the specified time range.

• Constraining Events, page 58-31 describes features that are used in workflows to constrain, or narrow, the view of data in workflows and to advance through workflow pages.

Hosts with Servers Default Workflow

You can use this workflow to quickly view the basic information in the Hosts with Servers custom table.

By default, this workflow begins with a table view of hosts with servers, followed by the host view. This workflow is based on the Hosts with Servers custom table. For more information, see Understanding Custom Tables, page 59-1.

Intrusion Events with Destination Criticality Default Workflow

You can use this workflow to quickly view the basic information in the Intrusion Events with Destination Criticality custom table.

By default, this workflow starts with a table view of Intrusion Events with Destination Criticality, followed by the packet view. This workflow is based on the Intrusion Events with Destination Criticality custom table. For more information, see Understanding Custom Tables, page 59-1.

Intrusion Events with Source Criticality Default Workflow

You can use this workflow to quickly view the basic information in the Intrusion Events with Source Criticality custom table.

By default, this workflow starts with a table view of Intrusion Events with Source Criticality, followed by the packet view. This workflow is based on the Intrusion Events with Source Criticality custom table. For more information, see Understanding Custom Tables, page 59-1.

Server and Host Details You can use this workflow to determine what servers are most frequently used on your network and which hosts are running those servers.

By default, this workflow begins with a summary of servers with the frequency of access for each service. The next page lists servers by operating system vendor and version. The workflow concludes with a table view of hosts with servers, followed by the host view. This workflow is based on the Hosts with Servers custom table. For more information, see Understanding Custom Tables, page 59-1.

Table 58-19 Saved Custom Workflows (continued)




• Using Compound Constraints, page 58-33 explains how compound constraints can be used and provides examples.

• Sorting Drill-Down Workflow Pages, page 58-34 describes features for sorting the data displayed in workflows, and for removing and restoring table columns to view.

• Selecting Rows on a Workflow Page, page 58-35 describes how to select data rows in the displayed table that you want to analyze or on which you want to perform some other action.

• Navigating to Other Pages in the Workflow, page 58-35 describes how to open other workflows using the constraints, including any selected events, from the current workflow.

• Navigating Between Workflows, page 58-36 describes the Jump to drop-down list and explains how you can use it to apply the current constraints to a different workflow.

• Searching for Events, page 60-1 provides information about the feature used to search event data.

• Using Bookmarks, page 58-37 describes how to create, manage, and use bookmarks.

Selecting WorkflowsLicense: Any

The FireSIGHT System provides predefined workflows for the types of data listed in the following table.

Table 58-20 Features Using Workflows

Feature Menu Path Option

Intrusion events Analysis > Intrusions Events

Reviewed Events

Clipboard

Incidents

Malware events Analysis > Files Malware Events

File events Analysis > Files File Events

Captured files Analysis > Files Captured Files

Connection events Analysis > Connections Events

Security Intelligence events

Analysis > Connections Security Intelligence Events

Host events Analysis > Hosts Network Map

Hosts

Indications of Compromise

Applications

Application Details

Servers

Host Attributes

Discovery Events

User events Analysis > Users User Activity

Users



When you view any of the kinds of data described in the above table, events appear on the first page of the default workflow for that data.

Also note that workflow access depends on your user role (see Configuring User Roles, page 61-51), as follows:

• Administrator users can access any workflow, and are the only users who can access the audit log, scan results, and the rule update import log.

• Maintenance Users can access health events.

• Security Analyst and Security Analyst (Read Only) users can access intrusion, malware, file, connection, discovery, vulnerability, correlation, and health workflows.

To view the data using a workflow other than the default:

Access: Admin/Any Security Analyst

Step 1 Select the appropriate menu path and option as described in the Features Using Workflows table.

The first page of the default workflow for that data type appears. For information on specifying a different default workflow, see Configuring Event View Settings, page 71-3.

Step 2 Optionally, use a different workflow. Click (switch workflow) next to the workflow title, then select the workflow you want to use.

Step 3 The first page of your selected workflow appears.

Understanding the Workflow ToolbarLicense: Any

Each page in a workflow includes a toolbar that offers quick access to related features. The following table describes each of the links on the toolbar.

Vulnerability events Analysis > Vulnerabilities Vulnerabilities

Third-Party Vulnerabilities

Correlation events Analysis > Correlation Correlation Events

White List Events

White List Violations

Status

Audit events System > Monitoring Audit

Health events Health > Health Events n/a

Rule Update Import Log System > Updates n/a

Scan Results Policies > Actions > Scanners n/a

Table 58-20 Features Using Workflows (continued)

Feature Menu Path Option



Using Workflow PagesLicense: Any

The actions you can perform on a workflow page depend on the type of page. Table view pages and drill-down pages contain many features you can use to constrain the set of events you want to view or to navigate the workflow. For more information on the features available on each type of page, see the following sections:

• Using Common Table View or Drill-Down Page Functionality, page 58-18

• Using Geolocation, page 58-20

• Using Table View Pages, page 58-22

• Using Drill-Down Pages, page 58-22

• Using the Host View, Packet View, or Vulnerability Detail Pages, page 58-23

Using Common Table View or Drill-Down Page Functionality

License: Any

Table view and drill-down workflow pages provide a set of icons and other features in the table header and table rows that you can use to perform actions on the displayed data.

The features are described in the following table.

Table 58-21 Workflow Toolbar Links

Feature Description

Bookmark This Page Bookmarks the current page so you can return to it later. Bookmarking captures the constraints in effect on the page you are viewing so you can return to the same data (assuming the data still exists) at a later time. See Using Bookmarks, page 58-37 for information about creating bookmarks.

Report Designer Opens the report designer with the currently constrained workflow as the selection criteria. See Creating a Report Template from an Event View, page 57-9 for information about creating reports.

Dashboard Opens a dashboard relevant to your current workflow. For example, Connection Events workflows link to the Connection Summary dashboard. See Using Dashboards, page 55-1 for information about using dashboards.

View Bookmarks Displays a list of saved bookmarks from which you can select. See Using Bookmarks, page 58-37 for information about creating and managing bookmarks.

Search Displays a Search page where you can perform advanced searches on data in the workflow. You can also click the down arrow icon to select and use a saved search. See Searching for Events, page 60-1 for information about searching workflows.



Table 58-22 Table View and Drill-Down Page Features

Feature Description

Click the blue down-arrow icon to display the corresponding row in the next page of the workflow.

(clean)

(malware)

(custom detection)

(unknown)

(unavailable)

Click the network file trajectory icon, which appears in file name and SHA-256 hash value columns, to view the file’s trajectory map in a new window. For more information, see Analyzing Network File Trajectory, page 40-36.

Note that because the DC500 Defense Center, Series 2 devices, and Cisco NGIPS for Blue Coat X-Series do not support advanced malware protection, you cannot view network file trajectory for network-based malware and file events on these appliances.

(potentially compromised)

(blacklisted)

(blacklisted, set to monitor)

Click the host profile icon, which appears in IP address columns, to display the host profile associated with that IP address in a pop-up window. For more information, see Using Host Profiles, page 49-1.

Hosts that have been tagged as potentially compromised by triggered indications of compromise (IOC) rules appear with the compromised host icon instead of the usual icon. For more information on IOC, see Understanding Indications of Compromise, page 45-19.

If the host profile icon is grayed out, you cannot view the host profile because that host cannot be in the network map (for example, 0.0.0.0).

If you are performing traffic filtering based on Security Intelligence data, host icons next to blacklisted and monitored IP addresses in the connection event view look slightly different. This helps you identify which host in a connection was blacklisted. Note that neither the DC500 Defense Center nor Series 2 devices support Security Intelligence data.

(Low threat score)

(Medium threat score)

(High threat score)

(Very High threat score)

Click the threat score icon, which appears in threat score columns, to view the Dynamic Analysis Summary report for the highest threat score associated with a file.

Note that because the DC500 Defense Center, Series 2 devices, and Cisco NGIPS for Blue Coat X-Series support advanced malware protection, you cannot view the Dynamic Analysis Summary report on these appliances.

Click the user icon, which appears in user identity columns, to view user profile information. For more information, see Understanding User Details and Host History, page 50-62.

If the user icon is grayed out, you cannot view the user profile because that user cannot be in the database (FireAMP Connector user).

Click the vulnerability icon, which appears in third-party vulnerability ID columns, to view vulnerability details for third-party vulnerabilities. For more information, see Viewing Vulnerability Details, page 49-27.

Check boxes Select the check boxes by two or more rows on a page to indicate which rows you want to affect, then click one of the buttons at the bottom of the page (for example, the View button). You can also select the check box at the top of the row to select all the rows on the page.



Using Geolocation

License: FireSIGHT


Supported Defense Centers: Any except DC500

While monitoring your network, the geolocation feature provides you with additional data about the geographical sources of routable IP addresses (country, continent, and so on). You can use this data to determine if, for example, connections are originating from or terminating in countries unconnected with your organization.

Geolocation information is available for intrusion events, connection events, file events, malware events, host profiles, and user profiles. Geolocation information is also available in the Context Explorer and the dashboard.

Country flags and codes In some workflow pages, such as those for connection events, intrusion events, file events, and malware events, routable IP addresses include information about the associated country. When this geolocation information is available, the country’s flag and ISO code appear in the appropriate column (such as Source Country). Hover your pointer over the flag to view the country name. When viewing individual (rather than aggregated) data points, you can click the flag icon to view further geolocation details. See Using Geolocation, page 58-20 for more information.

Note that the DC500 Defense Center does not support geolocation data.

Search Constraints Lists the values, if present, constraining the data view. Click the expand arrow ( ) to display the active constraints and disabled columns list or the collapse arrow ( ) to hide the list from view. By default, this list is collapsed, which is useful when the list of constraints is long and takes up too much of the screen.

To remove a single constraint, click it. To remove a compound constraint, click Compound Constraints.

Click Edit Search or Save Search to open a search page pre-populated with the current single constraints. See Constraining Events, page 58-31 for more information.

Note Compound constraints are constraints created based on rows with multiple non-count values. You cannot perform a search or save a search on a compound constraint.

Time Range The date range located in the upper right corner of the page sets a time range for events to include in the workflow. See Setting Event Time Constraints, page 58-23 for more information.

Note that events that were generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This may occur even if you configured a sliding time window for the appliance.

Workflow Page Links Workflow page links appear in the upper left corner of predefined workflow table view and drill-down pages, above events and below the workflow name. Click a workflow page link to display that page using any active constraints.

Workflow Name The name of the workflow appears at the top of the page. Beside it, when applicable, is the (switch workflows) link, which you can use to select other workflows of the same type.

Table 58-22 Table View and Drill-Down Page Features (continued)

Feature Description



You can use geolocation data (source and destination country/continent) as conditions for access control rules, as well as create custom geolocation objects for this purpose. You can also use source/destination country data as conditions for correlation rules and traffic profiles. For more information, see Working with Geolocation Objects, page 3-52, Controlling Traffic by Network or Geographical Location, page 15-3, Creating Rules for Correlation Policies, page 51-2, and Specifying Traffic Profile Conditions, page 53-3.

By installing geolocation database (GeoDB) updates, you can view a Geolocation Details page with granular information available for an IP address, such as postal code, coordinates, time zone, Autonomous System Number (ASN), Internet service provider (ISP), use type (home or business), organization, domain name, connection type, and proxy information. You can also pinpoint the detected location with any of four third-party map tools. Without a GeoDB update, only the flag icon and country name appear; you cannot view the Geolocation Details page. For information on installing and updating the GeoDB, see Updating the Geolocation Database, page 66-27. You can view the current version of your GeoDB update by clicking Help > About.

Depending on availability, a number of fields may appear on the Geolocation Details page; fields with no information are not displayed. The following table contains information on these fields.

To view geolocation details:

Access: Any

Table 58-23 Geolocation Detail Fields

Field Contents

Country Country associated with the host’s IP address, accompanied by the country’s flag. The continent is listed in parentheses. Examples: United States (North America), Equatorial Guinea (Africa)

Region State, province, or other subregion of the country where the host is located. Examples: VA, 35

City City where the host is located. Examples: Seattle, Fukuoka

Postal Code Postal code of the region where the host is located. Examples: 361000, 90210

Latitude/Longitude Exact coordinates of the host’s location. Examples: 40.0375, -76.1053; 53.4050, -0.5484

Maps Links to external mapping sites (Google Maps, Yahoo Maps, Bing Maps, and OpenStreetMap). Click any link to view a contextual map of the host’s approximate location.

Timezone Time zone of the host’s location, with Daylight Savings Time noted where applicable. Examples: GMT+8:00, GMT-4:00 (In DST)

ASN Autonomous System Number (ASN) associated with the host’s IP address, and any additional information about that ASN. Examples: 14618 (Amazon.com Inc.); 4837 (Cncgroup China169 Backbone)

ISP Internet service provider (ISP) associated with the host’s IP address. Examples: Atlantic Broadband; China Unicom Ip Network

Home/Business Whether the host’s connection is used for Home or Business purposes.

Organization Organization associated with the host’s IP address. Examples: Amazon.com, Bank of America

Domain Name Domain name associated with the host’s IP address. Examples: amazonaws.com, xmcnc.net

Connection Type Connection type associated with the host’s IP address. Examples: Broadband, DSL

Proxy Type The type of proxy used. Examples: Anonymous, Corporate



Step 1 In an event view, host profile, or other geolocation-supporting page, click the small country flag icon or ISO country code that appears by an individual data point. (You cannot view geolocation details for aggregate geolocation information, such as on the Connection Summary dashboard, despite the presence of flag icons.)

Tip In event views, hover your pointer over the flag icon to view a tooltip with the country’s name.

The Geolocation Details page appears in a new window.

Using Table View Pages

License: Any

Table views include a column for each of the fields in the database if the column is enabled by default. Note that when you disable a column on a table view, the FireSIGHT System adds the Count column to the event view if disabling the column would create two or more identical rows. When you click on a value in a table view page, you constrain by that value. When you create a custom workflow, you add a table view to it by clicking Add Table View.

Table view pages provide some additional features not available on drill-down, host view, packet view, or vulnerability detail pages. The following table provides more information on those features.

Using Drill-Down Pages

License: Any

Drill-down pages contain a subset of columns that are available in the database. Note that drill-down pages for predefined workflows always have a Count column. Drill-down pages allow you to narrow the scope of events you are viewing and to move forward in the workflow. If you click on a value in a drill-down page, for example, you constrain by that value and move to the next page in the workflow, focusing more closely on events that match your selected values. Clicking a value in a drill-down page does not disable the column where the value is, even if the page you advance to is a table view. When you create a custom workflow, you add a drill-down page to it by clicking Add Page.

Table 58-24 Additional Table View Page Features

Feature Description

Click this icon in the column heading that you want to hide. In the pop-up window that appears, click Apply.

Tip To hide or show other columns, select or clear the appropriate check boxes before you click Apply.

Disabled Columns list

When you remove columns from a page, or columns are disabled by default, the column names appear in the Disabled Columns list, which is located above the table and hidden by default.

To add a disabled column back to the event view, click the Search Constraints expand arrow ( ) to expand the search constraints, then click the column name under Disabled Columns.

See Sorting Drill-Down Workflow Pages, page 58-34 for more information.



For more information on using features on drill-down pages to constrain the set of events as you go through a workflow, see Using Common Table View or Drill-Down Page Functionality, page 58-18.

Using the Host View, Packet View, or Vulnerability Detail Pages

License: Any

The final page in a discovery event, host, host attributes, indications of compromise, servers, client applications, or connection data workflow is the host view. The final page in a vulnerability workflow is the vulnerability detail page. An intrusion event workflow always ends with the packet view. On the final page of a workflow, you can expand detail sections to view specific information about each object in the set you focused on over the course of the workflow. Although the web interface does not list the constraints on the final page of a workflow, previously set constraints are retained and applied to the set of data.

Setting Event Time ConstraintsLicense: Any

Each event has a time stamp that indicates when the event occurred. You can constrain the information that appears in some workflows by setting the time window, sometimes called the time range.

Workflows based on events that can be constrained by time include a time range line at the top of the page, as shown in the following graphic.

By default, workflows on Cisco appliances use an expanding time window set to the past hour. For example, if you log in at 11:30 AM, you will see events that occurred between 10:30 AM and 11:30 AM. As time moves forward, the time window expands. At 12:30 PM, you will see events that occurred between 10:30 AM and 12:30 PM.

You can change this behavior by setting your own default time window, which governs three properties:

• time window type (static, expanding, or sliding)

• time window length

• the number of time windows (either multiple time windows or a single global time window)

For general information on the default time window, see Default Time Windows, page 71-5.

Regardless of the default time window setting, you can manually change the time window during your event analysis by clicking the time range at the top of the page, which displays the Date/Time pop-up window. Depending on the number of time windows you configured and the type of appliance you are using, you can also use the Date/Time window to change the default time window for the type of event you are viewing.

Finally, you can pause the time window, which allows you to examine the data provided by the workflow without the time window changing and removing or adding events that you are not interested in. Note that to avoid displaying the same events on different workflow pages, the time window automatically pauses when you click a link at the bottom of the page to display another page of events; you can unpause the time window when you are ready.

For more information, see the following sections:



• Changing the Time Window, page 58-24

• Changing the Default Time Window for Your Event Type, page 58-28

• Pausing the Time Window, page 58-30

Changing the Time Window

License: Any

Regardless of the default time window, you can manually change the time window during your event analysis.

Note Manual time window settings are valid for only the current session. When you log out and then log back in, time windows are reset to the default.

Depending on the number of time windows you configured, changing the time window for one workflow may affect other workflows on the appliance. For example, if you have a single, global time window, changing the time window for one workflow changes it for all other workflows on the appliance. On the other hand, if you are using multiple time windows, changing the audit log or health event workflow time windows has no effect on any other time window, while changing the time window for other kinds of events affects all events that can be constrained by time (with the exception of audit events and health events).

Note that because not all workflows can be constrained by time, time window settings have no effect on workflows based on hosts, host attributes, applications, application details, vulnerabilities, users, or white list violations.

Use the Time Window tab on the Date/Time window to manually configure a time window. Depending on the number of time windows you configured in your default time window settings, the tab’s title is one of the following:

• Events Time Window, if you configured multiple time windows and are setting the time window for a workflow other than the audit log or health events workflow

• Health Monitoring Time Window, if you configured multiple time windows and are setting the time window for the health events workflow

• Audit Log Time Window, if you configured multiple time windows and are setting the time window for the audit log

• Global Time Window, if you configured a single time window

The first decision you must make when configuring a time window is the type of time window you want to use:

• A static time window displays all the events generated from a specific start time to a specific end time.

• An expanding time window displays all the events generated from a specific start time to the present; as time moves forward, the time window expands and new events are added to the event view.

• A sliding time window displays all the events generated from a specific start time (for example, one week ago) to the present; as time moves forward, the time window “slides” so that you see only the events for the range you configured (in this example, for the last week).



Depending on what type you select, the Date/Time window changes to give you different configuration options. The following graphic shows the Date/Time window, specifying that you want to use an expanding time window. With expanding time windows, the End Time calendar is grayed out and specifies that the end time is “Now.”

If you use a static time window, you can set an end time.



If you choose to use a sliding time window, your options change further.

Note The FireSIGHT System uses a 24-hour clock based on the time you specified in your time zone preferences. See Setting Your Default Time Zone, page 71-7 for information about configuring a time zone.

The following table explains the various settings you can configure on the Time Window tab.



To change the time window during event analysis:

Access: Admin/Maint/Any Security Analyst

Table 58-25 Time Window Settings

Setting Time Window Type Description

time window type drop-down list

n/a Select the type of time window you want to use: static, expanding, or sliding.

Note that events that were generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This may occur even if you configured a sliding time window for the appliance.

Start Time calendar static and expanding Specify a start date and time for your time window. The maximum time range for all time windows is from midnight on January 1, 1970 (UTC) to 3:14:07 AM on January 19, 2038 (UTC).

Tip Instead of using the calendar, you can use the Presets options, described below.

End Time calendar static Specify an end date and time for your time window. The maximum time range for all time windows is from midnight on January 1, 1970 (UTC) to 3:14:07 AM on January 19, 2038 (UTC).

Note that If you are using an expanding time window, the End Time calendar is grayed out and specifies that the end time is “Now.”

Tip Instead of using the calendar, you can use the Presets options, described below.

Show the Last field and drop-down list

sliding Configure the length of the sliding time window.

Presets: Last all Click one of the time ranges in the list to change the time window, based on the local time of the appliance. For example, clicking 1 week changes the time window to reflect the last week. Clicking a preset changes the calendars to reflect the preset you choose.

Presets: Current static and expanding Click one of the time ranges in the list to change the time window, based on the local time and date of the appliance. Clicking a preset changes the calendars to reflect the preset you choose.

Note that:

• the current day begins at midnight

• the current week begins at midnight Sunday

• the current month begins at midnight on the first of the month

Presets: Synchronize with all (not available if you are using a global time window)

Click one of:

• Events Time Window to synchronize the current time window with the events time window

• Health Monitoring Time Window to synchronize the current time window with the health monitoring time window

• Audit Log Time Window to synchronize the current time window with the audit log time window



Step 1 On a workflow constrained by time, click the time range icon ( ).

The Date/Time window appears.

Step 2 On the Time Window tab, set the time window as described in the Time Window Settings table.

Tip Click Reset to change the time window back to the default settings.

Step 3 Click Apply.

The window closes and the event view page displays events from the new time range.

Changing the Default Time Window for Your Event Type

License: Any

During your event analysis, you can use the Preferences tab on the Date/Time window to change the default time window for the type of event you are viewing without having to use the event view settings (see Default Time Windows, page 71-5).

Keep in mind that changing the default time window in this way changes the default time window for only the type of event you are viewing. For example, if you configured multiple time windows, changing the default time window on the Preferences tab changes the settings for either the events, health monitoring, or audit log window, in other words, whichever time window is indicated by the first tab. If you configured a single time window, changing the default time window on the Preferences tab changes the default time window for all types of events.

The following graphic shows the Defense Center version of the Preferences tab, on an appliance that has multiple time windows configured.



The following table explains the various settings you can configure on the Preferences tab.

Table 58-26 Time Window Preferences

Preference Description

Refresh Interval Sets the refresh interval for event views, in minutes. Entering zero disables the refresh option.

Number of Time Windows Specify how many time windows you want to use:

• Select Multiple to configure separate default time windows for the audit log, for health events, and for workflows based on events that can be constrained by time.

• Select Single to use a global time window that applies to all events,

Default Time Window: Show the Last - Sliding

This setting allows you to configure a sliding default time window of the length you specify.

The appliance displays all the events generated from a specific start time (for example, 1 hour ago) to the present. As you change event views, the time window “slides” so that you always see events from the last hour.

Default Time Window: Show the Last - Static/Expanding

This setting allows you to configure either a static or expanding default time window of the length you specify.

For static time windows (enable the Use End Time check box), the appliance displays all the events generated from a specific start time (for example, 1 hour ago), to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.

For expanding time windows (disable the Use End Time check box), the appliance displays all the events generated from a specific start time (for example, 1 hour ago), to the present. As you change event views, the time window expands to the present time.

Default Time Window: Current Day - Static/Expanding

This setting allows you to configure either a static or expanding default time window for the current day. The current day begins at midnight, based on the time zone setting for your current session.

For static time windows (enable the Use End Time check box), the appliance displays all the events generated from midnight to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.

For expanding time windows (disable the Use End Time check box), the appliance displays all the events generated from midnight to the present. As you change event views, the time window expands to the present time. Note that if your analysis continues for over 24 hours before you log out, this time window can be more than 24 hours.

Default Time Window: Current Week - Static/Expanding

This setting allows you to configure either a static or expanding default time window for the current week. The current week begins at midnight on the previous Sunday, based on the time zone setting for your current session.

For static time windows (enable the Use End Time check box), the appliance displays all the events generated from midnight to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.

For expanding time windows (disable the Use End Time check box), the appliance displays all the events generated from midnight Sunday to the present. As you change event views, the time window expands to the present time. Note that if your analysis continues for over 1 week before you log out, this time window can be more than 1 week.



To change time window preferences during event analysis:


Step 1 On a workflow constrained by time, click the time range icon ( ).

The Date/Time window appears.

Step 2 Select the Preferences tab and change your preferences, as described in the Time Window Preferences table.

Step 3 Click Save Preferences.

Your preferences are saved.

Step 4 You have two options:

• To apply your new default time window settings to the event view you are using, click Apply to close the Date/Time window and refresh the event view.

• To continue with your analysis without applying the default time window settings, close the Date/Time window without clicking Apply.

Pausing the Time Window

License: Any

You can pause the time window, which allows you to examine a snapshot of the data provided by the workflow. This is useful because when an unpaused workflow updates, it may remove events that you want to examine or add events that you are not interested in.

Note that you cannot pause a static time window. In addition, pausing an event time window has no effect on dashboards, nor does pausing a dashboard have any effect on pausing an event time window.

When you are finished with your analysis, you can unpause the time window. Unpausing the time window updates it according to your preferences, and also updates the event view to reflect the unpaused time window.

If the database contains more events than can be displayed on a single workflow page, you can click the links at the bottom of the page to display more events (see Navigating to Other Pages in the Workflow, page 58-35). When you do this, the time window automatically pauses so that you do not see the same events twice. You can unpause the time window when you are ready.

To pause the time window:


Step 1 On the time range control, click the pause icon ( ).

The time window is paused until you unpause it.

To unpause the time window:


Step 1 On the time range control, click the play icon ( ).



The time window is unpaused and updates according to your preferences. The event view updates to reflect the current time window.

Constraining EventsLicense: Any

The information that you see on a workflow page is determined by the constraints that you impose. For example, when you initially open an event workflow, the information is constrained to events that were generated in the previous hour.

To advance to the next page in the workflow and constrain the data you are viewing by specific values, select the rows with those values on the page and click View. To advance to the next page in the workflow retaining the current constraints and carrying forward all events, select View All.

Note If you select a row with multiple non-count values and click View, you create a compound constraint. For more information on compound constraints, see Using Compound Constraints, page 58-33.

There is a third method for constraining data in a workflow. To constrain the page to the rows with values that you selected and also add the selected value to the list of constraints at the top of the page, click a value within a row on the page.

For example, if you click 10.10.60.119 in the Initiator IP column on a page with the following events:



...then the constrained page includes only the events with that IP address:

Tip The procedure for constraining connection events based on Monitor rule criteria is slightly different and you may need to take some extra steps. Additionally, you cannot constrain connection events by associated file or intrusion information. For more information, see Working with Connection and Security Intelligence Data Tables, page 39-27.

You can also use searches to constrain the information in a workflow. The search criteria you enter on the search page are listed as the constraints at the top of the page, with the resulting events constrained accordingly. On the Defense Center, the current constraints are also applied when navigating to other workflows, unless they are compound constraints (see Navigating Between Workflows, page 58-36).

When searching, you must pay careful attention to whether your search constraints apply to the table you are searching. For example, client data is not available in connection summaries. If you search for connection events based on the detected client in the connection and then view the results in a connection summary event view, the Defense Center displays connection data as if you had not constrained it at all. Invalid constraints are labeled as not applicable (N/A) and are marked with a strikethrough.

The following table describes each of the actions you can perform when applying a constraint.

Table 58-27 Search Constraint Functions

To... Click...

constrain the view to events that match a single value

the value in the table.

For example, if you are viewing a list of logged connections and want to constrain the list to only those you allowed using access control, click Allow in the Action column. As another example, if you are viewing intrusion events and want to constrain the list to only events where the destination port is 80, click 80 (http)/tcp in the DST Port/ICMP Code column.

constrain the view to events that match multiple values

the check box for events with those values and click View.

Note that a compound constraint is added if the row contains multiple non-count values. For more information on compound constraints, see Using Compound Constraints, page 58-33.



Using Compound ConstraintsLicense: Any

Compound constraints are based on all non-count values for a specific event. When you select a row with multiple non-count values, you set a compound constraint that only retrieves events matching all the non-count values in that row on that page. For example, if you select a row that has a source IP address of 10.10.31.17 and a destination IP address of 10.10.31.15 and a row that has a source IP address of 172.10.10.17 and a destination IP address of 172.10.10.15, you retrieve all of the following:

• Events that have a source IP address of 10.10.31.17 AND a destination IP address of 10.10.31.15

OR

• Events that have a source IP address of 172.10.31.17 AND a destination IP address of 172.10.31.15

When you combine compound constraints with simple constraints, the simple constraints are distributed across each set of compound constraints. If, for example, you added a simple constraint for a protocol value of tcp to the compound constraints listed above, you retrieve all of the following:

• Events that have a source IP address of 10.10.31.17 AND a destination IP address of 10.10.31.15 AND a protocol of tcp

OR

• Events that have a source IP address of 172.10.31.17 AND a destination IP address of 172.10.31.15 AND a protocol of tcp

You cannot perform a search or save a search on a compound constraint. You also cannot retain compound constraints when you use the event view links or click (switch workflow) to switch to another workflow. If you bookmark an event view with compound constraints applied, the constraints are not saved with the bookmark.

remove a constraint the name of the constraint in the Search Constraints box.

edit constraints using the search page

Edit Search in the Search Constraints box.

Use this feature when you want to constrain against multiple values in a single column. For example, if you want to view the events related to two IP addresses, click Edit Search, then modify the appropriate IP address field on the Search page to include both addresses, and then click Search.

save constraints as a saved search

Save Search in the Search Constraints box and give the query a name.

Note that you cannot save queries containing compound constraints. For more information on compound constraints, see Using Compound Constraints, page 58-33.

use the same constraints with another event view

Jump to and select the event view. See Navigating Between Workflows, page 58-36 for more information.

Note that you do not retain compound constraints when you switch to another workflow. For more information on compound constraints, see Using Compound Constraints, page 58-33.

toggle the display of constraints

the expand arrow ( ). This is useful when the list of constraints is large and takes up most of the screen.

Table 58-27 Search Constraint Functions (continued)

To... Click...



To clear all compound constraints, click Compound Constraints.

Sorting Table View Pages and Changing Their LayoutLicense: Any

When viewing data in a workflow, you can sort the data based on any available column and remove and restore columns to view. You can sort data in ascending or descending order by column.

Tip If you create a custom workflow, you can fully customize the arrangement of columns on the pages and predefine the page sort order. See Creating Custom Workflows, page 58-39 for more information.

Sorting Drill-Down Workflow Pages License: Any

When viewing data in a workflow or event view, you can sort the data based on any available column and remove and restore columns to view. You can sort data in ascending or descending order by column. The direction icon ( ) indicates which column the data is sorted by, and whether the sort is ascending (upward-pointing icon) or descending (downward-pointing icon).

Tip If you create a custom workflow, you can fully customize the arrangement of columns on the pages and predefine the page sort order. See Creating Custom Workflows, page 58-39 for more information.

To sort a column:


Table 58-28 Sorting and Layout Functions

To... Click...

sort a column the column title. Click the column title again to reverse the sort order.

Tip The direction icon ( ) indicates which column the data is sorted by, and whether the sort is ascending (upward-pointing icon) or descending (downward-pointing icon).

remove a column from a table view

the close icon ( ) in the column heading that you want to hide. In the pop-up window that appears, click Apply.

When you disable a column, it is disabled for the duration of your session (unless you add it back later). Note that when you disable the first column, the Count column is added. You cannot disable the Count column.

Tip To hide or show other columns, select or clear the appropriate check boxes before you click Apply. To add a disabled column back to the view, click the expand arrow ( ) to expand the search constraints, then click the column name under Disabled Columns.

add a disabled column back to the view

the column name under Disabled Columns.

When you enable a column that is disabled by default, it is enabled for the duration of your session (unless you disable it later). Note that the Count column is removed if enabling results in no identical rows.



Step 1 Click the column title.

To reverse the sort order:


Step 1 Click the column title again.

Selecting Rows on a Workflow PageLicense: Any

There are several different ways to select and then act on the rows on workflow pages:

• To select all rows on the page, select the check box at the top of the page.

You can then click any of the buttons at the bottom of the page (View, Delete, and so on) to perform that action on all of the events on that page.

• To select a single row, select the check box next to the individual row.

You can then click any of the buttons at the bottom of the page to perform that action on only the events associated with that row.

• To select a single row and view its associated events on the next page of the workflow, click the arrow icon ( ).

Note You cannot select rows from multiple pages at once.

Navigating to Other Pages in the WorkflowLicense: Any

If the database contains more events than can be displayed on a single workflow page, you can click the links at the bottom of the page to display more events.

When you click one of these links, the time window automatically pauses so that you do not see the same events twice; you can unpause the time window when you are ready. For more information, see Setting Event Time Constraints, page 58-23.

The following table describes how to use the navigation links.

Table 58-29 Navigating Pages

To... Click...

view a different page the page number, enter the page you wish to view, then press Enter

view the next page >

view the previous page <



Navigating Between WorkflowsLicense: Any

You can navigate to other workflows using the links in the Jump to... drop-down list on a workflow page. Select the drop-down list to view and select additional workflows.

When you select a new workflow, properties shared by the rows you select and the constraints you set are used in the new workflow, if they are applicable. If configured constraints or event properties do not map to fields in the new workflow, they are dropped. In addition, compound constraints are not retained when you switch from one workflow to another. In addition, constraints from the captured files workflow only transfer to file and malware event workflows.

Note When you view event counts over a time range, the total number of events may not reflect the number of events for which more detailed data is available. This occurs because the system sometimes prunes older event details to manage disk space usage. To minimize the occurrence of event detail pruning, you can fine-tune event logging to log only those events most important to your deployment. For more information, see Logging Connections in Network Traffic, page 38-1.

Note that unless you have either paused the time window or have configured a static time window, the time window changes when you change workflows. For more information, see Setting Event Time Constraints, page 58-23.

The Jump to drop-down list provides quick access to workflows for the following tables:

• connection events

• security intelligence events

• intrusion events

• malware events

• file events

• hosts

• indications of compromise

• applications

• application details

• servers

• host attributes

• discovery events

• users

• vulnerabilities

• third-party vulnerabilities

jump to the last page >|

jump to the first page |<

Table 58-29 Navigating Pages (continued)

To... Click...



• correlation events

• white list events

This feature enhances your ability to investigate suspicious activity. For example, if you are viewing connection data and notice that an internal host is transmitting an abnormally large amount of data to an external site, you can select the responder IP address and the port as constraints and then jump to the Applications workflow. The applications workflow will use the responder IP address and port as IP Address and Port constraints and display additional information about the application, such as what kind of application it is. You can also click Hosts at the top of the page to view the host profile for the remote host.

After finding more information about the application, you can select Correlation Events to return to the connection data workflow, remove the Responder IP from the constraints, add the Initiator IP to constraints, and select Application Details to see what client the user on the initiating host used when transferring data to the remote host. Note that the Port constraint is not transferred to the Application Details page. While keeping the local host as a constraint, you can also use other navigation buttons to find additional information:

• To discover if any policies have been violated by the local host, keep the IP address as a constraint and select Correlation Events from the Jump to drop-down list.

• To find out if an intrusion rule triggered against the host, indicating a compromise, select Intrusion Events from the Jump to drop-down list.

• To view the host profile for the local host and determine if the host is susceptible to any vulnerabilities that may have been exploited, select Hosts from the Jump to drop-down list.

Using BookmarksLicense: Any

Create a bookmark if you want to return quickly to a specific location and time in an event analysis. Bookmarks retain information about:

• the workflow you are using

• the part of the workflow you are viewing

• the page number within the workflow

• any search constraints

• any disabled columns

• the time range you are using

The bookmarks you create are available to all user accounts with bookmark access. This means that if you uncover a set of events that require more in-depth analysis, you can easily create a bookmark and turn over the investigation to another user with the appropriate privileges.

Note If the events that appear in a bookmark are deleted (either directly by a user or by automatic database cleanup), the bookmark no longer displays the original set of events.

See these sections for more information about using bookmarks:

• Creating Bookmarks, page 58-38 describes how to create a new bookmark.

• Viewing Bookmarks, page 58-38 describes how to view and use existing bookmarks.

• Deleting Bookmarks, page 58-38 describes how to delete bookmarks.



Creating Bookmarks

License: Any

Use the following procedure to create a new bookmark.

To create a bookmark:


Step 1 During an event analysis, with the events of interest displayed, click Bookmark This Page.

The Create a Bookmark page appears.

Step 2 In the Bookmark Name field, type a name (up to 80 alphanumeric characters and spaces) for the bookmark, then click Save Bookmark.

The bookmark is saved and the event page you bookmarked appears again.

Viewing Bookmarks

License: Any

Use the following procedure to view and use existing bookmarks.

To view a bookmark:


Step 1 From any event view, click View Bookmarks.

The Bookmarks page appears.

Step 2 Next to the bookmark you want to use, click View.

The page you bookmarked appears.

Note If the events that originally appeared in a bookmark are deleted (either directly by a user or by automatic database cleanup), the bookmark no longer displays the original set of events.

Deleting Bookmarks

License: Any

Use the following procedure to delete bookmarks. Note that deleting a bookmark does not affect the events retrieved by that bookmark.

To delete a bookmark:


Step 1 From any event view, click View Bookmarks.


Chapter 58 Understanding and Using Workflows Using Custom Workflows

The Bookmarks page appears.

Step 2 Click Delete next to the bookmark you want to remove.

The bookmark is deleted.

Using Custom WorkflowsLicense: Any

If the predefined and Cisco-provided custom workflows do not meet your needs, you can create custom workflows.

For more information, see:

• Creating Custom Workflows, page 58-39 for a procedure to create custom workflows

• Creating Custom Connection Data Workflows, page 58-41 for a procedure to create a custom workflow based on connection data

• Viewing Custom Workflows, page 58-42 for procedures for viewing custom workflows based on event and custom tables

• Editing Custom Workflows, page 58-43 for a procedure for editing custom workflows

• Deleting Custom Workflows, page 58-44 for a procedure for deleting custom workflows

Creating Custom WorkflowsLicense: Any

If the predefined and Cisco-provided custom workflows do not meet your needs, you can create custom workflows.

Tip Instead of creating a new custom workflow, you can export a custom workflow from another appliance and then import it onto your appliance. You can then edit the imported workflow to suit your needs. For more information, see Importing and Exporting Configurations, page A-1.

When you create a custom workflow, you:

• select a table to be the source of the workflow

• provide a workflow name

• add drill-down pages and table view pages to the workflow

For each drill-down page in the workflow, you can:

• provide a name that appears at the top of the page in the web interface

• include up to five columns per page

• specify a default sort order, ascending or descending

You can add table view pages in any position in the sequence of workflow pages. They do not have any editable properties, such as a page name, sort order, or user-definable column positions.



The final page of a custom workflow depends on the table on which you base the workflow, as described in the following table. These final pages are added by default when you create the workflow.

The appliance does not add a final page to custom workflows based on other kinds of events (for example, audit log or malware events).

Note The procedure for creating a custom workflow based on connection data is slightly different. For more information, see the next section, Creating Custom Connection Data Workflows.

To create a custom workflow:


Step 1 Select Analysis > Custom > Custom Workflows.

The Custom Workflows page appears.

Step 2 Click Create Custom Workflow.

The Edit Custom Workflow page appears.

Step 3 Type a name for the workflow in the Name field.

You can use up to 60 alphanumeric characters and spaces in the name.

Step 4 Optionally, type a description for the workflow in the Description field.

You can use up to 80 alphanumeric characters and spaces.

Step 5 Select the table you want to include from the Table drop-down list.

Step 6 Optionally, click Add Page to add one or more drill-down pages to the workflow.

A drill-down page section appears.

Begin by typing a name for the page in the Page Name field, using up to 80 alphanumeric characters, but no spaces.

Under Column 1, select a sort priority and a table column. This column will appear in the leftmost column of the page. For example, to create a page showing the destination ports that are targeted, and to sort the page by count, select 2 from the Sort Priority drop-down list and DST Port/ICMP Code from the Field drop-down list.

Continue selecting fields to include and setting their sort priority until all the fields to appear on the page have been specified. You can specify up to five fields per page.

Table 58-30 Custom Workflow Final Pages

Workflows based on... Have this final page...

discovery events hosts

vulnerabilities vulnerability detail

third-party vulnerabilities hosts

users users

indications of compromise hosts

intrusion events packets



Note If you selected Vulnerabilities as the Table Type in step 5, then add IP Address as a table column, the IP Address column does not appear when you are viewing vulnerabilities using your custom workflow, unless you use the search feature to constrain the workflow to view a specific IP address or block of addresses. For more information on searching for vulnerabilities, see Searching for Vulnerabilities, page 50-52.

Step 7 Optionally, click Add Table View to add a table view page to the workflow.

Note You must add at least one drill-down page or a table view of events to a custom workflow.

Step 8 Click Save.

The new workflow is saved and added to the list of custom workflows.

Creating Custom Connection Data WorkflowsLicense: FireSIGHT

Custom workflows based on connection data are like other custom workflows, except you can include connection data graph pages as well as drill-down pages and table view pages. You can include as many of each type of page in the workflow as you want, in any order. Each connection data graph page contains a single graph, which can be a line graph, bar graph, or pie chart. On line and bar graphs, you may include more than one dataset. For more information on connection data, including connection summaries, connection graphs, and datasets, see Understanding Connection and Security Intelligence Data, page 39-2.

Tip Instead of creating a new custom workflow, you can export a custom workflow from another appliance and then import it onto your appliance. You can then edit the imported workflow to suit your needs. For more information, see Importing and Exporting Configurations, page A-1.

To create a custom workflow based on connection data:

Access: Admin

Step 1 Select Analysis > Custom > Custom Workflow.

Step 2 Click Create Custom Workflow.

The Edit Custom Workflow page appears.

Step 3 Type a name for the workflow in the Name field.


Step 4 Optionally, type a description for the workflow in the Description field.


Step 5 From the Table drop-down list, select Connection Events.

Step 6 Optionally, add one or more drill-down pages to the workflow:

• To add a drill-down page that contains data on individual connections, click Add Page.



• To add a drill-down page that contains connection summary data, click Add Summary Page.

In either case, a drill-down page section appears.

Begin by typing a name for the page in the Page Name field using up to 80 alphanumeric characters, but no spaces.

Under Column 1, select a sort priority and a table column. This column will appear in the leftmost column of the page.

Continue selecting fields to include and setting their sort priority until all the fields to appear on the page have been specified. You can specify up to five fields per page.

For example, to create a page showing the amount of traffic transmitted over your monitored network and to sort the page by the responders that transmitted the most traffic, select 1 from the Sort Priority drop-down list and Responder Bytes from the Field drop-down list.

Step 7 Optionally, click Add Graph to add one or more graph pages to the workflow.

A graph section appears.

Begin by typing a name for the page in the Graph Name field using up to 80 alphanumeric characters, but no spaces.

Then, select the type of graph you want to include on the page: line graph, bar graph, or pie chart.

Then, specify what kind of data you want to graph by selecting the x- and y-axes of the graph. On a pie chart, the x-axis represents the independent variable and the y-axis represents the dependent variable.

Finally, select the datasets you want to include on the graph. Note that pie charts can only include one data set.

Step 8 Optionally, add a table view of connection data by clicking Add Table View.

Step 9 Click Save.

The new workflow is saved and added to the list of custom workflows.

Viewing Custom WorkflowsLicense: Any

The method you use to view a workflow depends on whether the workflow is based on one of the predefined event tables or on a custom table.

If your custom workflow is based on a predefined event table, access it in the same way that you would access a workflow that ships with the appliance. For example, to access a custom workflow based on the Hosts table, select Analysis Hosts. If, on the other hand, your custom workflow is based on a custom table, you must access it from the Custom Tables page.

Tip You can set a custom workflow as the default workflow for any event type; see Configuring Event View Settings, page 71-3.

For more information, see:

• Viewing Custom Workflows for Predefined Tables, page 58-43

• Viewing Custom Workflows for Custom Tables, page 58-43



Viewing Custom Workflows for Predefined Tables

License: Any

Use the following procedure to view a custom workflow that is not based on a custom table. Keep in mind that workflow access depends on your platform and user role, as described in Selecting Workflows, page 58-16.

To view a custom workflow based on a predefined table:


Step 1 Select the appropriate menu path and option for the table on which you based your custom workflow, as described in the Features Using Workflows table.

The first page of the default workflow for that table appears. To use a different workflow, including a custom workflow, click (switch workflow) beside the current workflow title. For information on specifying a different default workflow, see Configuring Event View Settings, page 71-3. If no events appear and the workflow can be constrained by time, you may need to adjust the time range; see Setting Event Time Constraints, page 58-23.

Viewing Custom Workflows for Custom Tables

License: FireSIGHT

Use the following procedure to view a custom workflow that is based on a custom table.

To view a custom workflow based on a custom table:


Step 1 Select Analysis > Custom > Custom Tables.

The Custom Tables page appears, listing the available custom tables.

Step 2 Click the view icon next to the custom table you want to view, or click the name of the custom table.

The first page of the default workflow for that table appears. To use a different workflow, including a custom workflow, click (switch workflow) beside the current workflow title. For information on specifying a different default workflow, see Configuring Event View Settings, page 71-3. If no events appear and the workflow can be constrained by time, you may need to adjust the time range; see Setting Event Time Constraints, page 58-23.

Editing Custom WorkflowsLicense: Any

If your event evaluation process changes, you can edit custom workflows to meet your new needs. Note that you cannot edit any of the predefined workflows.

To edit a custom workflow:





The Custom Workflows page appears, listing the existing custom workflows.

Step 2 Click the edit icon ( ) next to the name of the workflow that you want to edit.

The Edit Workflow page appears.

Step 3 Make any changes that you want to the workflow and click Save.

The changes you made to the workflow are saved.

Deleting Custom WorkflowsLicense: Any

The following procedure explains how to delete a custom workflow that you no longer need.

To delete a custom workflow:



The Custom Workflows page appears, listing the available custom workflows.

Step 2 Click the delete icon ( ) next to the name of the workflow that you want to delete.

The workflow is deleted.


understanding and using workflows - cisco · understanding and using workflows a workflow is a...

Documents