Specifying User Preferences
You can configure the preferences that are tied to a single user account, such as the home page, account password, time zone, dashboard, and event viewing preferences.
Depending on your user role, you can specify certain preferences for your user account, including passwords, event viewing preferences, time zone settings, and home page preferences. See the following sections for more information:
- Changing Your Password explains how to change the password for your user account.
- Specifying Your Home Page explains how to use one of the existing pages as your default home page. After setting this value, this becomes the first page you see upon logging into the appliance.
- Configuring Event View Settings describes how the event preferences affect what you see as you view events.
- Setting Your Default Time Zone explains how to set the time zone for your user account and describes how that affects the time stamp on the events that you view.
- Specifying Your Default Dashboard explains how to choose which of the dashboards you want to use as your default dashboard.
Changing Your Password
Supported Devices: Series 2, Series 3
Supported Defense Centers: Any
All user accounts are protected with a password. You can change your password at any time, and depending on the settings for your user account, you may have to change your password periodically; see Changing an Expired Password.
Note that if password strength checking is enabled, passwords must be at least eight alphanumeric characters of mixed case and must include at least one numeric character. Passwords cannot be a word that appears in a dictionary or include consecutive repeating characters.
Note: If you are an LDAP or a RADIUS user, you cannot change your password through the web interface.
Step 1 From the drop-down list under your user name, select User Preferences.
The Change Password page appears.
Step 2 In the Current Password field, type your current password.
Step 3 In the New Password and Confirm fields, type your new password, then click Change.
A success message appears on the page when your new password is accepted by the system.
Changing an Expired Password
Supported Devices: Series 2, Series 3
Supported Defense Centers: Any
Depending on the settings for your user account, your password may expire. Note that the password expiration time period is set when your account is created and cannot be changed. If your password has expired, the Password Expiration Warning page appears.
To respond to the password expiration warning:
If you have zero warning days left, you must change your password. Also, if password strength checking is enabled, passwords must be at least eight alphanumeric characters of mixed case and must include at least one numeric character. Passwords cannot be a word that appears in a dictionary or include consecutive repeating characters.
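The strength rules stated here (and in Changing Your Password) as a checker, added as an example and not the appliance's own implementation; the word list is constructed, and treating the dictionary test as a case-insensitive whole-password lookup and "alphanumeric" as ASCII letters and digits are assumptions.

```python
"""Check a candidate password against the FireSIGHT strength rules:
at least eight alphanumeric characters, mixed case, at least one digit,
not a dictionary word, no consecutive repeating characters."""

# Constructed stand-in for the appliance's dictionary (assumption: the real
# list is not published, and the lookup is a case-insensitive whole match).
DICTIONARY = {"password", "firesight", "welcome", "letmein"}

MIN_LENGTH = 8


def password_violations(password: str, dictionary=DICTIONARY) -> list:
    """Return the rules the password breaks, in checking order.

    An empty list means the password satisfies every rule.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # 'alphanumeric' taken as ASCII letters and digits only (assumption).
    if not (password.isascii() and password.isalnum()):
        problems.append("contains non-alphanumeric characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("not mixed case")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if password.lower() in dictionary:
        problems.append("dictionary word")
    # Any character immediately followed by the same character (case-sensitive).
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("consecutive repeating characters")
    return problems


def meets_policy(password: str, dictionary=DICTIONARY) -> bool:
    """True when the password passes all of the strength rules."""
    return not password_violations(password, dictionary)


if __name__ == "__main__":
    for candidate in ("Tr0ubador", "password", "Firesight", "Bookk33p"):
        print(candidate, password_violations(candidate) or "ok")
```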
Specifying Your Home Page
You can specify a page within the web interface as your home page for the appliance. The default home page is the Summary Dashboard (Overview > Dashboards), except for user accounts with no dashboard access, which use the Welcome page.
Access: Any except External Database User
Step 1 From the drop-down list under your user name, select User Preferences.
The Change Password page appears.
Step 3 Select the page you want to use as your home page from the drop-down list.
The options in the drop-down list are based on the access privileges for your user account. For more information, see User Account Privileges.
Your home page preference is saved.
Configuring Event View Settings
Use the Event View Settings page to configure characteristics of event views in the FireSIGHT System. Note that some event view configurations are available only for specific user roles. Users with the External Database User role can view parts of the event view settings user interface, but changing those settings has no meaningful result. For details, see the individual sections linked below.
To configure event preferences:
Step 1 From the drop-down list under your user name, select User Preferences.
The User Preferences page appears.
Step 2 Click Event View Settings .
The Event View Settings page appears.
Step 3 Configure the basic characteristics of event views.
For more information, see Event Preferences.
Step 4 Configure file download preferences.
For more information, see File Preferences.
Step 5 Configure the default time window or windows.
For more information, see Default Time Windows.
Step 6 Configure default workflows.
For more information, see Default Workflows.
Event Preferences
Use the Event Preferences section of the Event View Settings page to configure basic characteristics of event views in the FireSIGHT System. This section is available for all user roles, although it has little to no significance for users who cannot view events.
The following fields appear in the Event Preferences section:
- The Confirm “All” Actions field controls whether the appliance forces you to confirm actions that affect all events in an event view.
For example, if this setting is enabled and you click Delete All on an event view, you must confirm that you want to delete all the events that meet the current constraints (including events not displayed on the current page) before the appliance will delete them from the database.
- The Resolve IP Addresses field allows the appliance, whenever possible, to display host names instead of IP addresses in event views.
Note that an event view may be slow to display if it contains a large number of IP addresses and you have enabled this option. Note also that for this setting to take effect, you must have a DNS server configured in the system settings; see Configuring Management Interfaces.
- The Expand Packet View field allows you to configure how the packet view for intrusion events appears. By default, the appliance displays a collapsed version of the packet view:
– None - collapse all subsections of the Packet Information section of the packet view
– Packet Text - expand only the Packet Text subsection
– Packet Bytes - expand only the Packet Bytes subsection
Regardless of the default setting, you can always manually expand the sections in the packet view to view detailed information about a captured packet. For more information on the packet view, see Using the Packet View.
- The Rows Per Page field controls how many rows of events per page you want to appear in drill-down pages and table views.
- The Refresh Interval field sets the refresh interval for event views in minutes. Entering 0 disables the refresh option. Note that this interval does not apply to dashboards.
- The Statistics Refresh Interval controls the refresh interval for event summary pages such as the Intrusion Event Statistics and Discovery Statistics pages. Entering 0 disables the refresh option. Note that this interval does not apply to dashboards.
- The Deactivate Rules field controls which links appear on the packet view of intrusion events generated by standard text rules:
– All Policies - a single link that deactivates the standard text rule in all the locally defined custom intrusion policies
– Current Policy - a single link that deactivates the standard text rule in only the currently applied intrusion policy. Note that you cannot deactivate rules in the default policies.
– Ask - links for each of these options
To see these links on the packet view, your user account must have either Administrator or Intrusion Admin access.
File Preferences
Supported Devices: feature dependent
Supported Defense Centers: feature dependent
Use the File Preferences section of the Event View Settings page to configure basic characteristics of local file downloads. This section is only available to users with the Administrator, Security Analyst, or Security Analyst (Read Only) user roles.
Note that if your appliance does not support downloading captured files, these options are disabled. Because you cannot use a Malware license with a DC500, you cannot use those appliances to download files or modify these options.
The following fields appear in the File Preferences section:
- The Confirm ‘Download File’ Actions check box controls whether a File Download pop-up window appears each time you download a file, displaying a warning and prompting you to continue or cancel.
Note that you can disable this option any time you download a file. For more information on downloading files, see Downloading Stored Files to Another Location.
- When you download a captured file, the system creates a password-protected .zip archive containing the file. The Zip File Password field defines the password you want to use to restrict access to the .zip file. If you leave this field blank, the system creates archive files without passwords.
- The Show Zip File Password check box toggles displaying plain text or obfuscated characters in the Zip File Password field. When this field is cleared, the Zip File Password displays obfuscated characters.
Default Time Windows
The time window, sometimes called the time range, imposes a time constraint on the events in any event view. Use the Default Time Windows section of the Event View Settings page to control the default behavior of the time window.
User role access to this section is as follows:
- Administrators and Maintenance Users can access the full section.
- Security Analysts and Security Analysts (Read Only) can access all options except Audit Log Time Window.
- Access Admins, Discovery Admins, External Database Users, Intrusion Admins, Network Admins, and Security Approvers can access only the Events Time Window option.
Note that, regardless of the default time window setting, you can always manually change the time window for individual event views during your event analysis. Also, keep in mind that time window settings are valid for only the current session. When you log out and then log back in, time windows are reset to the defaults you configured on this page. For more information, see Setting Event Time Constraints.
There are three types of events for which you can set the default time window:
- The Events Time Window sets a single default time window for most events that can be constrained by time.
- The Audit Log Time Window sets the default time window for the audit log.
- The Health Monitoring Time Window sets the default time window for health events.
You can only set time windows for event types your user account can access. All user types can set event time windows. Administrators, Maintenance Users, and Security Analysts can set health monitoring time windows. Administrators and Maintenance Users can set audit log time windows.
Note that because not all event views can be constrained by time, time window settings have no effect on event views that display hosts, host attributes, applications, clients, vulnerabilities, user identity, or white list violations.
You can either use Multiple time windows, one for each of these types of events, or you can use a Single time window that applies to all events. If you use a single time window, the settings for the three types of time window disappear and a new Global Time Window setting appears.
There are three types of time window:
- static, which displays all the events generated from a specific start time to a specific end time
- expanding, which displays all the events generated from a specific start time to the present; as time moves forward, the time window expands and new events are added to the event view
- sliding, which displays all the events generated from a specific start time (for example, one day ago) to the present; as time moves forward, the time window “slides” so that you see only the events for the range you configured (in this example, for the last day)
The maximum time range for all time windows is from midnight on January 1, 1970 (UTC) to 3:14:07 AM on January 19, 2038 (UTC).
The following options appear in the Time Window Settings drop-down list:
- The Show the Last - Sliding option allows you to configure a sliding default time window of the length you specify.
The appliance displays all the events generated from a specific start time (for example, 1 hour ago) to the present. As you change event views, the time window “slides” so that you always see events from the last hour.
- The Show the Last - Static/Expanding option allows you to configure either a static or expanding default time window of the length you specify.
For static time windows, enable the Use End Time check box. The appliance displays all the events generated from a specific start time (for example, 1 hour ago) to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.
For expanding time windows, disable the Use End Time check box. The appliance displays all the events generated from a specific start time (for example, 1 hour ago) to the present. As you change event views, the time window expands to the present time.
- The Current Day - Static/Expanding option allows you to configure either a static or expanding default time window for the current day. The current day begins at midnight, based on the time zone setting for your current session.
For static time windows, enable the Use End Time check box. The appliance displays all the events generated from midnight to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.
For expanding time windows, disable the Use End Time check box. The appliance displays all the events generated from midnight to the present. As you change event views, the time window expands to the present time. Note that if your analysis continues for over 24 hours before you log out, this time window can be more than 24 hours.
- The Current Week - Static/Expanding option allows you to configure either a static or expanding default time window for the current week. The current week begins at midnight on the previous Sunday, based on the time zone setting for your current session.
For static time windows, enable the Use End Time check box. The appliance displays all the events generated from midnight to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.
For expanding time windows, disable the Use End Time check box. The appliance displays all the events generated from midnight Sunday to the present. As you change event views, the time window expands to the present time. Note that if your analysis continues for over 1 week before you log out, this time window can be more than 1 week.
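The three window behaviours described above, modelled as a small Python module; this is an added example, not appliance code, and its representation (timezone-aware datetimes, a "first viewed" timestamp versus "now", and a Sunday counting as the start of its own week) is an assumption.

```python
"""Compute default time windows: sliding, static and expanding variants of
'Show the Last', 'Current Day' and 'Current Week', clamped to the maximum
range the appliance accepts (1970-01-01 00:00:00 UTC to 2038-01-19 03:14:07 UTC)."""
from datetime import datetime, timedelta, timezone

EPOCH_MIN = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)


def clamp(start: datetime, end: datetime):
    """Keep a window inside the supported range."""
    return max(start, EPOCH_MIN), min(end, EPOCH_MAX)


def show_last(length: timedelta, first_viewed: datetime, now: datetime, mode: str):
    """'Show the Last' window of the given length.

    sliding:   start follows 'now', so the window always ends at the present
    static:    anchored at the moment events were first viewed (Use End Time on)
    expanding: start anchored at first view, end follows 'now' (Use End Time off)
    """
    if mode == "sliding":
        start, end = now - length, now
    elif mode == "static":
        start, end = first_viewed - length, first_viewed
    elif mode == "expanding":
        start, end = first_viewed - length, now
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return clamp(start, end)


def _midnight(moment: datetime) -> datetime:
    # Midnight in the session time zone carried by the datetime itself.
    return moment.replace(hour=0, minute=0, second=0, microsecond=0)


def current_day(first_viewed: datetime, now: datetime, mode: str):
    """'Current Day' window: midnight (session time zone) to first view or now.

    An expanding window can exceed 24 hours if the session outlives the day.
    """
    end = first_viewed if mode == "static" else now
    return clamp(_midnight(first_viewed), end)


def current_week(first_viewed: datetime, now: datetime, mode: str):
    """'Current Week' window: midnight of the previous Sunday to first view or now.

    weekday() gives Monday=0 .. Sunday=6; a Sunday starts its own week (assumption).
    """
    midnight = _midnight(first_viewed)
    sunday = midnight - timedelta(days=(midnight.weekday() + 1) % 7)
    end = first_viewed if mode == "static" else now
    return clamp(sunday, end)
```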
Default Workflows
A workflow is a series of pages displaying data that analysts use to evaluate events. For each event type, the appliance ships with at least one predefined workflow. For example, as a Security Analyst, depending on the type of analysis you are performing, you can choose among ten different intrusion event workflows, each of which presents intrusion event data in a different way.
The appliance is configured with a default workflow for each event type. For example, the Events by Priority and Classification workflow is the default for intrusion events. This means whenever you view intrusion events (including reviewed intrusion events), the appliance displays the Events by Priority and Classification workflow.
You can, however, change the default workflow for each event type using the Default Workflows sections of the Event View Settings page.
Keep in mind that the default workflows you are able to configure depend on your user role. For example, intrusion event analysts cannot set default discovery event workflows. For general information on workflows, see Understanding and Using Workflows.
Setting Your Default Time Zone
You can change the time zone used to display events from the standard UTC time that the appliance uses. When you configure a time zone, it applies only to your user account and is in effect until you make further changes to the time zone.
Step 1 From the drop-down list under your user name, select User Preferences.
The Change Password page appears.
Step 2 Click Time Zone Settings .
The Time Zone Preference page appears.
Step 3 From the left list box, select the continent or area that contains the time zone you want to use.
For example, if you want to use a time zone used in North America, South America, or Canada, select America.
Step 4 From the right list box, select the zone (city name) that corresponds with the time zone you want to use.
For example, if you want to use Eastern Standard Time, you would select New York after selecting America in the first time zone box.
Specifying Your Default Dashboard
You can specify one of the dashboards on the appliance as the default dashboard. The default dashboard appears when you select Overview > Dashboards. If you do not have a default dashboard defined, the Dashboard List page appears. For general information on dashboards, see Using Dashboards.
Access: Admin/Maint/Any Security Analyst
To specify your default dashboard:
Step 1 From the drop-down list under your user name, select User Preferences.
The Change Password page appears.
Step 2 Click Dashboard Settings .
The Dashboard Settings page appears.
Step 3 Select the dashboard you want to use as your default from the drop-down list.
If you select None, when you select Overview > Dashboards, the Dashboard List page appears. You can then select a dashboard to view.
Your default dashboard preference is saved.