Skip to main content

 

 

Cisco Defense Orchestrator

Filtering Events in the Event Logging Page

Filtering is immediately responsive. As you add filter and search criteria, CDO starts to limit what it displays on the Events page. If you do not enter any events in the filter or search criteria, you see all events. Filtering works the same way for Live events as it does for Historical events with the exception that live events cannot be filtered by time.

To filter live or historical events:

  1. In the navigation bar, click Monitoring > Event Logging. 
  2. Click either the Historical or Live tab.
  3. Click the filter button filter_icon.png. The filtering column can be pinned open by clicking the pin icon pin_icon.jpg
  4. Select the event details you want to filter by:
  • Event Types
    • Connection-Displays connection events from access control rules.
    • File-Displays events reported by file policies in access control rules.
    • Intrusion-Displays events reported by intrusion policy in access control rules.
    • Malware-Displays events reported by malware policies in access control rules. 

See Firepower Threat Defense Event Types for more information about these event types.

  • Time Range-Click the Start or End time fields to select the beginning and end of the time period you want to display. The time stamp is displayed in the local time of your computer. 
  • Action-Specify the security action defined by the rule. The value you enter must be an exact match to what you want to find and the field is case-sensitive. Enter different values for connection, file, intrusion, and malware event types:
    • For connection event types, the filter searches for matches in the AC_RuleAction attribute. Those values could be Allow, Block, Trust.
    • For file event types, the filter searches for matches in the FileAction attribute. Those values could be Allow, Block, Trust.
    • For intrusion event types, the filter searches for matches in the InLineResult attribute. Those values could be Allowed, Blocked, Trusted.
    • For malware event types, the filter searches for matches in the FileAction attribute. Those values could be Cloud Lookup Timeout.
  • Sensor ID-The Sensor ID is the the Management IP address from which events are sent to the Secure Event Connector. For a Firepower Threat Defense (FTD) device, the Sensor ID is typically the IP address of the device's management interface.
  • IP addresses
    • Initiator -This is the IP address of the source of the network traffic. The value of the Initiator address field corresponds to the value of the InitiatorIP field in the event details. You can enter a single address, such as 10.10.10.100, or a network defined in CIDR notation such as 10.10.10.0/24.
    • Responder-This is the destination IP address of the packet. The value of the Destination address field corresponds to the value in the ResponderIP field in the event details. You can enter a single address, such as 10.10.10.100, or a network defined in CIDR notation such as 10.10.10.0/24.
  • Ports 
    • Initiator-The port or ICMP type used by the session initiator. The value of the source port corresponds to the value fo the InitiatorPort in the event details. (Add a range - starting port ending port and space in between or both initiator and responder)
    • Reponder-The port or ICMP code used by the session responder. The value of the destination port corresponds to the value of the ResponderPort in the event details.
  1. Review the results in the Events viewer.

Combining Filter Elements

Filtering follows standard filtering rules in CDO: The filtering categories are "and-ed" and the values within the categories are "or-ed."  You can also combine the filter with your own search criteria. For example, if these values were chosen in the filter:

events_filter.jpg

With this filter in use, CDO would display Connection or Malware event types, and those that occurred between the two times in the time range, and those that contained the ResponderIP 10.10.0.43. You can filter by historical events within a time range. The live events page always displays the most recent events.  

Filtering with Attribute:Value Pairs

You can filter live or historical events by entering an event attribute and a value in the search field.

Use this syntax when you enter the attribute:value pairs, attribute:value. For example, the figure above shows the attribute:value pair ResponderID:10.10.0.43.

If you are searching for a string value containing spaces, surround the string in quotes, for example: NAP_Policy:"Balanced Security and Connectivity".

To filter events by their attribute:value pairs, follow this procedure:

  1. Expand an event.
  2. Copy the attribute and value you want to filter on.
  3. Paste them in the search field.
  4. Edit the search string so it matches the attribute:value syntax and that it contains the values you want to search for.

Important: CDO's search for the attribute is case insensitive. CDO's search for the value is case sensitive

AND, OR, NOT Filter Operators

AND

Use the AND operator in the filter string, to find events that include all attributes. For example, this filter string,

Protocol:tcp AND InitiatorIP:10.10.10.43

will display events that include both the tcp protocol AND the InitiatorIP address 10.10.10.43 in the Events viewer.

OR

Use the OR operator in the filter string, to find events that include any of the attributes. For example, this filter string,

InitiatorIP:10.10.10.43 OR ResponderIP:10.10.10.43

will display events where the IntiatorIP or the ResponderIP is 10.10.10.43 in the Events viewer.

NOT

Use the NOT operator in the filter string to exclude events that contain certain attributes. For example, this filter string,

InitiatorIP:10.10.10.42 AND NOT ResponderIP:10.10.10.1

will display events with the source IP 10.10.10.42 but not those whose destination IP address is also 10.10.10.1

Wildcard Searches

Use an asterick (*) to represent a wildcard in the value field of an attribute:value search to find results within events. For example, this filter string,

URL:*feedback*

will find strings in the URL attribute field of events that contain the string feedback.