Searching for Events
Cisco appliances generate information that is stored as events in database tables. Events contain multiple fields that describe the activity that caused the appliance to generate the event.
The FireSIGHT System provides predefined searches that serve as examples and can provide quick access to important information about your network. You can modify fields within the predefined searches for your network environment, then save the searches to reuse later. You can also use your own search criteria.
The search criteria you can use depend on the type of search, but the mechanics are the same. See the following sections for more information on how to perform a search and on the correct syntax to use in search fields:
Performing and Saving Searches
You can create and save searches for any of the different event types. When you create a search you give it a name and specify whether the search will be available to you alone or to all users of the appliance. If you want to use the search as a data restriction for a custom user role, you must save it as a private search.
For more information, see the following sections:
Note To search a custom table, follow a slightly different procedure; see Searching Custom Tables.
Performing a Search
For some event types, the FireSIGHT System provides predefined searches that serve as examples and can provide quick access to important information about your network. You can modify fields within the predefined searches for your network environment, then save the searches to reuse later. You can also use your own search criteria.
Access: Admin/Any Security Analyst
Step 1 Select Analysis > Search .
Step 2 From the table drop-down list, select the type of event or data to search.
The page updates with the appropriate search constraints.
Step 3 Enter your search criteria in the appropriate fields:
– For fields that may contain only a single value, records with the specified field containing the exact string specified within the quotation marks match the search criteria. For instance, a search for A, B, "C, D, E" will match records where the specified field contains "A" or "B" or "C, D, E". This permits matching on fields that include the comma in possible values.
– For fields that may contain multiple values at the same time, records with the specified fields containing all of the values in the quote-enclosed comma-separated list match that search criteria.
– For fields that may contain multiple values at the same time, search criteria may include single values as well as quote-enclosed comma-separated lists. For instance, a search for A, B, "C, D, E" on a field that may contain one or more of these letters matches records where the specified field contains A or B, or all of C, D, and E.
- Searches return only records that match the search criteria specified for all fields.
- Many fields accept one or more asterisks (*) as wild cards.
- Specify n/a in any field to identify events where information is not available for that field; use !n/a to identify the events where that field is populated.
- Click the add object icon ( ) that appears next to a search field to use an object as a search criterion.
Step 4 See the following sections for detailed information on the search criteria you can use:
- Searching Audit Records
- Searching for Applications
- Searching for Application Details
- Searching for Captured Files
- Searching for Compliance White List Events
- Searching for Connection and Security Intelligence Data
- Searching for Correlation Events
- Searching for Discovery Events
- Searching for File Events
- Searching for Health Events
- Searching for Host Attributes
- Searching for Hosts
- Searching for Intrusion Events
- Searching for Malware Events
- Searching the Rule Update Import Log
- Searching for Remediation Status Events
- Searching for Scan Results
- Searching for Servers
- Searching for Third-Party Vulnerabilities
- Searching for Users
- Searching for User Activity
- Searching for Vulnerabilities
- Searching for White List Violations
Step 5 Optionally, if you plan to save the search, you can select the Private check box to save the search as private so only you can access it. Otherwise, leave the check box clear to save the search for all users.
Tip If you want to use the search as a data restriction for a custom user role, you must save it as a private search.
Step 6 Optionally, you can save the search to be used again in the future. You have the following options:
For a new search, a dialog box appears prompting for the name of the search; enter a unique search name and click Save . If you save new criteria for a previously existing search, no prompt appears. The search is saved (and visible only to your account if you selected Private ) so that you can run it at a later time.
A dialog box appears prompting for the name of the search; enter a unique search name and click Save . The search is saved (and visible only to your account if you selected Private ) so that you can run it at a later time.
Step 7 Click Search to start the search.
Your search results appear in the default workflow for the table you are searching, constrained by time (if applicable). To use a different workflow, including a custom workflow, click (switch workflow) by the workflow title. For information on specifying a different default workflow, see Configuring Event View Settings. Note that you cannot use a different workflow for scan results.
Loading a Saved Search
If you previously saved a search, you can load it, make any necessary modifications, and then start the search.
Access: Admin/Any Security Analyst
Step 1 You have the following options:
Step 2 Select the search you want to load from the Custom Searches list or the Predefined Searches list.
Settings from the saved search populate the search constraints.
Step 3 Optionally, change the search constraints.
The events that match your search constraints appear.
Deleting a Saved Search
If you have saved searches, you can delete them from the Search page.
Access: Admin/Any Security Analyst
Step 1 You have the following options:
Step 2 From the Custom Searches list, select the search you want to delete and click the delete icon ( ) that appears next to the search name.
Using Wildcards and Symbols in Searches
Many text fields on search pages allow you to use an asterisk (*) to match characters in a string. For example, specifying net* matches network, netware, netscape, and so on.
If you want to search for non-alphanumeric characters (including the asterisk character), enclose the search string in quotation marks. For example, to search for the string:
Note that in text fields that allow a wildcard, you must use the wildcard if you want to match a partial string. For example, if you are searching the audit log for all audit records that involve page views (that is, the message is Page View), searching for Page returns no results. Instead, specify Page*.
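The quoted-list, wildcard and n/a rules from Step 3 of Performing a Search, and the partial-string note just above, can be tried out offline. The following Python is an added example, not code from the FireSIGHT guide or from Cisco: it implements those rules as a small matcher over constructed sample records. The whole-value match for unquoted patterns (so Page does not match Page View but Page* does), case-sensitive comparison, and the AND across fields are assumptions drawn from the text, not a description of how the appliance queries its database.

```python
import re

# Added example (not from the FireSIGHT guide): a matcher that applies the
# search-field semantics described in the guide to in-memory event records.
# Assumptions: an unquoted pattern must match the whole value ("Page" does not
# match "Page View" but "Page*" does), matching is case-sensitive, and a quoted
# string is compared literally, with no wildcard expansion.


def tokenize(criterion):
    """Split a search string on commas, keeping quote-enclosed spans intact.

    Returns (text, quoted) pairs, e.g. 'A, B, "C, D, E"' ->
    [("A", False), ("B", False), ("C, D, E", True)].
    """
    tokens, buf, quoted, in_quotes = [], [], False, False
    for ch in criterion:
        if ch == '"':
            in_quotes = not in_quotes
            quoted = True
        elif ch == "," and not in_quotes:
            tokens.append(("".join(buf).strip(), quoted))
            buf, quoted = [], False
        else:
            buf.append(ch)
    tokens.append(("".join(buf).strip(), quoted))
    # Drop empty unquoted tokens left by stray commas.
    return [(t, q) for t, q in tokens if t or q]


def _wildcard_regex(pattern):
    """Translate a pattern in which '*' is the only wildcard into an anchored regex."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def value_matches(pattern, quoted, value):
    """Does one search token match one field value (None means 'not available')?"""
    if quoted:
        return value == pattern          # literal match, asterisks included
    if pattern == "n/a":
        return value in (None, "")
    if pattern == "!n/a":
        return value not in (None, "")
    if value is None:
        return False
    return _wildcard_regex(pattern).match(value) is not None


def field_matches(criterion, field_value, multi_valued=False):
    """Apply a search string to a field.

    Single-valued field: field_value is a string or None; any token may match.
    Multi-valued field:  field_value is a list of strings; an unquoted token
    matches if any value matches it, and a quoted list such as "C, D, E"
    matches only if the field holds all of C, D and E.
    """
    if not multi_valued:
        return any(value_matches(t, q, field_value) for t, q in tokenize(criterion))

    values = list(field_value or [])
    for text, quoted in tokenize(criterion):
        if quoted:
            required = [v.strip() for v in text.split(",")]
            if all(r in values for r in required):
                return True
        elif text == "n/a":
            if not values:
                return True
        elif text == "!n/a":
            if values:
                return True
        elif any(value_matches(text, False, v) for v in values):
            return True
    return False


def record_matches(criteria, record, multi_valued_fields=frozenset()):
    """A record matches only if every field's criterion matches (AND across fields)."""
    return all(
        field_matches(c, record.get(f), f in multi_valued_fields)
        for f, c in criteria.items()
    )


# Constructed sample records standing in for audit-log rows (not real data).
SAMPLE_RECORDS = [
    {"Message": "Page View", "Subsystem": "Analysis > Search", "Tags": ["A", "C", "D", "E"]},
    {"Message": "Login Success", "Subsystem": "Login", "Tags": ["B"]},
    {"Message": "Page View", "Subsystem": "Analysis > Events", "Tags": ["C", "D"]},
]


def search(criteria):
    """Return the sample records matching the criteria; 'Tags' is the multi-valued field."""
    return [r for r in SAMPLE_RECORDS if record_matches(criteria, r, {"Tags"})]


if __name__ == "__main__":
    print(search({"Message": "Page"}))                        # [] : a partial string needs a wildcard
    print(search({"Message": "Page*", "Tags": '"C, D, E"'}))  # only the first sample record
```

The tokenizer is the part worth keeping: it is what lets a quoted "C, D, E" survive as one value while unquoted commas still separate alternatives, which is exactly the distinction the Step 3 bullets draw.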
Using Objects and Application Filters in Searches
The FireSIGHT System allows you to create named objects, object groups, and application filters that can be used as part of your network configuration. You can use these objects, groups, and filters as search criteria when performing or saving searches.
When you perform a search, objects, object groups, and application filters appear in the format ${object_name}. For example, a network object with the object name ten_ten_network appears as ${ten_ten_network} in a search.
You can click the add object icon ( ) that appears next to a search field where you can use an object as a search criterion.
Specifying Time Constraints in Searches
You can use a number of formats for specifying time search constraints. You can enter a time you want to match, and, optionally, a less than (<) or greater than (>) operator to match times before or after the time you enter.
The formats accepted by search criteria fields that take a time value are shown in the following table.
You can precede a time value with one of the following operators or keywords.
Specifying IP Addresses in Searches
When specifying IP addresses in searches, you can enter an individual IP address, a comma-separated list of addresses, an address block, or a range of IP addresses separated with a hyphen (-). You can also use negation.
For searches that support IPv6 (such as intrusion event, connection data, and correlation event searches) you can enter IPv4 and IPv6 addresses and CIDR/prefix length address blocks in any combination.
When you use CIDR or prefix length notation to specify a block of IP addresses, the FireSIGHT System uses only the portion of the network IP address specified by the mask or prefix length. For example, if you type 10.1.2.3/8, the FireSIGHT System uses 10.0.0.0/8.
The following table contains examples of valid ways to enter IP addresses. Because IP addresses can be represented by network objects, you can also click the add network object icon ( ) that appears next to an IP address search field to use a network object as an IP address search criterion. For more information, see Using Objects and Application Filters in Searches.
- Enter a comma-separated list of IP addresses. Do not add a space before or after the commas.
- To specify a range of IP addresses that can be specified with a CIDR block or prefix, enter the IP address block in IPv4 CIDR or IPv6 prefix length notation. An IPv4 CIDR block on the 192.168.1.0 network with a subnet mask of 255.255.255.0 specifies any IP in that network, that is, 192.168.1.0 through 192.168.1.255. For more information, see IP Address Conventions.
- To specify a range of IP addresses that cannot be specified with a CIDR block or prefix, enter the IP address range using a hyphen. Do not add a space before or after the hyphen.
- To specify negation of any of the other ways to specify IP addresses or ranges of IP addresses, enter an exclamation point in front of the IP address, block, or range.
Specifying Devices in Searches
When creating a search using a managed device as a constraint, you can specify any of the following in the Device search criteria field:
- A managed device name, IP address, or host name
- A device group name
- A device stack name
- A device cluster name
If the system finds a match for a group, cluster, or stack, it replaces the group, cluster, or stack name with the appropriate member device names for the purpose of performing the search. When you save a search that uses a device group, cluster, or stack in the device field, the system saves the name specified in the device field and performs the device name replacement again each time the search is executed.
Specifying Ports in Searches
The FireSIGHT System accepts specific syntax for port numbers in searches. You can enter:
- a single port number
- a comma-separated list of port numbers
- two port numbers separated by a dash to represent a range of port numbers
- a port number followed by a protocol abbreviation, separated by a forward slash (only when searching for intrusion events)
- a port number or range of port numbers preceded by an exclamation mark to indicate a negation of the specified ports
Note Do not use spaces when specifying port numbers or ranges.
The following table contains examples of valid ways to enter ports as search constraints.
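As an added example for the IP address and port syntax described in Specifying IP Addresses in Searches and Specifying Ports in Searches (not code from the FireSIGHT guide or from Cisco), the following Python parses both constraint forms and applies them to individual addresses and ports, so a constraint can be checked against known-good and known-bad values before it is saved as a search. It assumes that a negated term excludes whatever it names and that a value matches when no negated term excludes it and at least one positive term (if any) includes it; the host-bit masking of CIDR terms follows the 10.1.2.3/8 example above.

```python
import ipaddress

# Added example (not from the FireSIGHT guide): parsers for the IP address and
# port constraint syntax the guide describes. Assumptions: a constraint is a
# comma-separated list of terms; a term prefixed with '!' excludes what it
# names; a value matches when it is excluded by no negated term and (if any
# positive terms exist) included by at least one of them. Whitespace around
# commas and hyphens is tolerated here although the guide says not to type it.


def parse_ip_criterion(criterion):
    """Return (positives, negatives): lists of ('address'|'network'|'range', value)."""
    positives, negatives = [], []
    for raw in criterion.split(","):
        term = raw.strip()
        if not term:
            continue
        negated = term.startswith("!")
        if negated:
            term = term[1:].strip()
        if "/" in term:
            # strict=False masks host bits, as the guide describes: 10.1.2.3/8 -> 10.0.0.0/8
            parsed = ("network", ipaddress.ip_network(term, strict=False))
        elif "-" in term:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in term.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid address range: {raw!r}")
            parsed = ("range", (lo, hi))
        else:
            parsed = ("address", ipaddress.ip_address(term))
        (negatives if negated else positives).append(parsed)
    return positives, negatives


def _ip_in_term(term, ip):
    kind, value = term
    if kind == "network":
        return ip in value                      # False for a mismatched IP version
    if kind == "range":
        lo, hi = value
        return ip.version == lo.version and lo <= ip <= hi
    return ip == value


def ip_matches(criterion, address):
    """Does a single IPv4/IPv6 address satisfy the IP constraint string?"""
    ip = ipaddress.ip_address(address)
    positives, negatives = parse_ip_criterion(criterion)
    if any(_ip_in_term(t, ip) for t in negatives):
        return False
    return not positives or any(_ip_in_term(t, ip) for t in positives)


def normalize_ip_criterion(criterion):
    """Canonical text of each term, showing the masking the system applies."""
    positives, negatives = parse_ip_criterion(criterion)

    def fmt(term):
        kind, value = term
        return f"{value[0]}-{value[1]}" if kind == "range" else str(value)

    return [fmt(t) for t in positives] + ["!" + fmt(t) for t in negatives]


def parse_port_criterion(criterion):
    """Return (positives, negatives): lists of (low, high, protocol-or-None)."""
    positives, negatives = [], []
    for raw in criterion.split(","):
        term = raw.strip()
        if not term:
            continue
        negated = term.startswith("!")
        if negated:
            term = term[1:].strip()
        proto = None
        if "/" in term:                         # e.g. 53/udp (intrusion event searches only)
            term, proto = term.split("/", 1)
            proto = proto.strip().lower()
        if "-" in term:
            lo, hi = (int(p) for p in term.split("-", 1))
        else:
            lo = hi = int(term)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port term: {raw!r}")
        (negatives if negated else positives).append((lo, hi, proto))
    return positives, negatives


def port_matches(criterion, port, protocol=None):
    """Does a port (optionally qualified by protocol) satisfy the port constraint string?"""
    def hit(term):
        lo, hi, proto = term
        return lo <= port <= hi and (proto is None or proto == (protocol or "").lower())

    positives, negatives = parse_port_criterion(criterion)
    if any(hit(t) for t in negatives):
        return False
    return not positives or any(hit(t) for t in positives)


if __name__ == "__main__":
    print(normalize_ip_criterion("10.1.2.3/8,!10.1.0.0/16"))   # ['10.0.0.0/8', '!10.1.0.0/16']
    print(ip_matches("192.168.1.0/24", "192.168.1.255"))         # True
    print(port_matches("1024-65535,!8080", 8080))                # False
```

normalize_ip_criterion is the useful pre-flight check: it shows the block the system will actually search (10.0.0.0/8 rather than 10.1.2.3/8), which is easy to overlook when a host address is typed with a short prefix.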
Stopping Long-Running Queries
Supported Devices: Any Defense Center
System administrators can use a shell-based query management tool to locate and stop long-running queries.
Note Leaving the search page in the web interface does not stop a query. Queries that take a long time to return results impact overall system performance while the query is running.
The query management tool allows you to locate queries running longer than a specified number of minutes and stop those queries. The tool logs an event to the audit log and to syslog when you stop a query.
Note that the only locally-created user with shell access on Defense Centers is the admin user. If you use an external authentication object which grants shell access, users matching the shell access filter can also log into the shell.
The tool's options do the following:
- List all queries taking longer than the passed-in number of minutes. By default it shows all queries taking longer than 1 minute.
- Kill the query with the passed-in id. The option can take
- Kill all queries taking longer than the passed-in number of minutes.
- Produce verbose output, including full SQL queries.
To stop a query on the Defense Center:
Access: admin or other user granted shell access
Step 1 Connect to the Defense Center via ssh.
Step 2 Run query_manager under sudo using the syntax described above.