Cisco Defense Orchestrator

Viewing Live and Historical Threat Defense Events in CDO

View Live Events

The Live events page shows the most recent 500 events that match the filter and search criteria you entered. If the Live events page is already displaying the maximum of 500 events and more events stream in, CDO displays the newest live events and transfers the oldest live events to the Historical events page, keeping the total number of live events at 500. That transfer takes roughly a minute to complete. If no filtering criteria are added, you see the latest 500 live events generated by rules that are configured to log events.

The time stamp of an event is displayed in the local time of the CDO admin viewing the events. 

Changing the filtering criteria, whether live events are playing or paused, clears the events screen and restarts the collection process.

To see live events in the CDO Events viewer:

  1. In the navigation pane, click Monitoring > Event Logging. 
  2. Click the Live tab.

Play/Pause Live Events

You can "play" or "pause" live events as they stream in using the play and pause buttons. If live events are "playing," CDO displays events that match the filtering criteria specified in the Events viewer in the order they are received. If events are paused, CDO does not update the Live events page until you restart playing live events. When you restart playing events, CDO begins populating events in the Live page from the point at which you restarted playing events. It doesn't back-fill the ones you missed.

To view all the events that CDO received whether you played or paused live event streaming, click the Historical tab. 

Auto-pause Live Events

After displaying events for about 5 consecutive minutes, CDO warns you that it is about to pause the stream of live events. At that time, you can click the link to continue streaming live events for another 5 minutes or allow the stream to stop. You can restart the live events stream when you are ready. 

Receiving and Reporting Events

There may be a small lag between the Secure Event Connector (SEC) receiving events and CDO posting events in the Live events viewer. You can view the gap on the Live page. The time stamp of the event is the time it was received by SEC.

[Figure: the Live page showing the gap between the time the SEC received an event and the time CDO posted it]

View Historical Events

The Live events page holds only the most recent 500 events that match the filter and search criteria you entered. Events older than the most recent 500 are transferred to the Historical events table; that transfer takes roughly a minute to complete. You can then filter all the events you have stored to find the events you're looking for.

To view historical events:

  1. In the navigation pane, click Monitoring > Event Logging.
  2. Click the Historical tab. By default, when you open the Historical events table, the filter is set to display the events collected within the last hour. 
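The following model, added here as an illustration and not CDO's own code, replays the behaviour described in the "Play/Pause Live Events" and "View Historical Events" sections: a Live page capped at 500 events, a pause that does not back-fill, a filter change that clears the Live page, and a Historical tab that keeps every received event and defaults to the last hour. The `Event` fields, the `EventViewer` class, the `simulate` helper and the sample stream are constructed assumptions; only the cap, the pause semantics, the filter reset and the one-hour default come from the page.

```python
"""Model of the Live/Historical event viewer behaviour described on this page.

Constructed illustration, not CDO code: the cap of 500, the no-back-fill
pause, the filter reset and the default one-hour Historical window are the
documented behaviours; the Event fields and helper names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

LIVE_CAP = 500  # documented maximum number of events on the Live page


@dataclass(frozen=True)
class Event:
    seq: int
    received_at: datetime  # time the SEC received the event (stored as UTC)
    action: str            # constructed field, e.g. "allow" / "deny"


@dataclass
class EventViewer:
    live: list = field(default_factory=list)
    historical: list = field(default_factory=list)
    playing: bool = True
    filter_fn: Optional[Callable[[Event], bool]] = None

    def ingest(self, ev: Event) -> None:
        """Deliver one event from the SEC into the viewer."""
        self.historical.append(ev)  # every received event is kept for the Historical tab
        if not self.playing:
            return  # paused: the event is not shown live and is never back-filled
        if self.filter_fn is not None and not self.filter_fn(ev):
            return  # does not match the Live filter
        self.live.append(ev)
        if len(self.live) > LIVE_CAP:
            self.live.pop(0)  # oldest rolls off the Live page; it remains in history

    def pause(self) -> None:
        self.playing = False

    def play(self) -> None:
        self.playing = True  # collection resumes from this point on

    def set_filter(self, fn: Optional[Callable[[Event], bool]]) -> None:
        """Changing the filter clears the Live page and restarts collection."""
        self.filter_fn = fn
        self.live.clear()

    def historical_view(self, now: datetime, window: timedelta = timedelta(hours=1),
                        match: Optional[Callable[[Event], bool]] = None) -> list:
        """Historical tab: defaults to events received within the last hour."""
        return [e for e in self.historical
                if now - e.received_at <= window and (match is None or match(e))]


def local_display(ev: Event, admin_tz: timezone) -> str:
    """Time stamps are shown in the viewing admin's local time."""
    return ev.received_at.astimezone(admin_tz).isoformat()


def example_local_display() -> str:
    """Constructed: an event received at 12:00 UTC as seen by an admin at UTC-5."""
    ev = Event(0, datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc), "allow")
    return local_display(ev, timezone(timedelta(hours=-5)))


def simulate() -> dict:
    """Replay a constructed stream: play, pause, play again, then change the filter."""
    start = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed
    events = [Event(i, start + timedelta(seconds=10 * i), "deny" if i % 3 == 0 else "allow")
              for i in range(1200)]
    viewer = EventViewer()
    for e in events[:700]:
        viewer.ingest(e)          # playing: Live keeps the newest 500 (seq 200..699)
    viewer.pause()
    for e in events[700:900]:
        viewer.ingest(e)          # paused: seq 700..899 reach Historical only
    viewer.play()
    for e in events[900:]:
        viewer.ingest(e)          # resumed: no back-fill of 700..899
    live_seqs = [e.seq for e in viewer.live]
    now = events[-1].received_at
    last_hour = viewer.historical_view(now)
    viewer.set_filter(lambda e: e.action == "deny")  # clears Live, restarts collection
    for i in range(1, 4):
        seq = 1199 + i
        viewer.ingest(Event(seq, now + timedelta(seconds=10 * i),
                            "deny" if seq % 3 == 0 else "allow"))
    return {
        "live_seqs": live_seqs,
        "last_hour_count": len(last_hour),
        "historical_count": len(viewer.historical),
        "live_after_filter": [e.seq for e in viewer.live],
    }


if __name__ == "__main__":
    result = simulate()
    print(len(result["live_seqs"]), result["live_seqs"][0], result["live_seqs"][-1])
    print(result["last_hour_count"], result["historical_count"], result["live_after_filter"])
    print(example_local_display())
```

Running `simulate()` shows the practical consequence of the page's rules: the Live page never contains the events received while paused, yet the Historical tab holds all of them, so an analyst who needs completeness should work from the Historical tab rather than from what was on screen.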

The event attributes are largely the same as what is reported by Firepower Device Manager. For a complete description of Firepower Threat Defense event attributes, see Cisco Firepower Threat Defense Syslog Messages.