
Cisco Defense Orchestrator

Searching for and Filtering Events in the Event Logging Page

Searching and filtering the Historical and Live event tables for specific events works the same way as searching and filtering for other information in CDO. As you add filter criteria, CDO narrows what it displays on the Events page. You can also enter search criteria in the search field to find events with specific values. If you combine filtering and searching, the search looks for the value you entered only among the results that remain after the filter has been applied.

Filtering works the same way for Live events as it does for Historical events, except that Live events cannot be filtered by time.

Filter Live or Historical Events

  1. In the navigation bar, click Monitoring > Event Logging. 
  2. Click either the Historical or Live tab.
  3. Click the filter button. You can pin the filtering column open by clicking the pin icon.
  4. Select the event details you want to filter by:
  • FTD Event Types
    • Connection-Displays connection events from access control rules.
    • File-Displays events reported by file policies in access control rules.
    • Intrusion-Displays events reported by intrusion policy in access control rules.
    • Malware-Displays events reported by malware policies in access control rules. 

See Firepower Threat Defense Event Types for more information about these event types.

  • ASA Event Types-These event types represent groups of syslog or NetFlow events.
    See ASA Event Types for more information about which syslog ID or which NetFlow ID is included in which group.
    • Parsed Events-Parsed syslog events contain more event attributes than other syslog events, and CDO can return search results based on those attributes more quickly. Parsed events are not a filtering category; however, parsed event IDs are displayed in italics in the Event Types column. Event IDs that are not displayed in italics are not parsed.
  • Time Range-Click the Start or End time fields to select the beginning and end of the time period you want to display. The time stamp is displayed in the local time of your computer. 
  • Action-Specifies the security action defined by the rule. The value you enter must exactly match the value you want to find, but the match is case insensitive. The attribute that is compared depends on the event type:
    • For connection event types, the filter searches for matches in the AC_RuleAction attribute. Those values could be Allow, Block, Trust.
    • For file event types, the filter searches for matches in the FileAction attribute. Those values could be Allow, Block, Trust.
    • For intrusion event types, the filter searches for matches in the InLineResult attribute. Those values could be Allowed, Blocked, Trusted.
    • For malware event types, the filter searches for matches in the FileAction attribute. Those values could be Cloud Lookup Timeout.
    • For syslog and NetFlow event types, the filter searches for matches in the Action attribute.
  • Sensor ID-The Sensor ID is the management IP address from which events are sent to the Secure Event Connector. For a Firepower Threat Defense (FTD) device, the Sensor ID is typically the IP address of the device's management interface.
  • IP addresses
    • Initiator -This is the IP address of the source of the network traffic. The value of the Initiator address field corresponds to the value of the InitiatorIP field in the event details. You can enter a single address, such as 10.10.10.100, or a network defined in CIDR notation such as 10.10.10.0/24.
    • Responder-This is the destination IP address of the packet. The value of the Responder address field corresponds to the value of the ResponderIP field in the event details. You can enter a single address, such as 10.10.10.100, or a network defined in CIDR notation such as 10.10.10.0/24.
  • Ports 
    • Initiator-The port or ICMP type used by the session initiator. The value of the Initiator port corresponds to the value of the InitiatorPort field in the event details. You can enter a single port, or a range by typing the starting port and the ending port separated by a space. Ranges can be entered for both the Initiator and the Responder port.
    • Responder-The port or ICMP code used by the session responder. The value of the Responder port corresponds to the value of the ResponderPort field in the event details.
  • NetFlow-NetFlow events are different from syslog events. The NetFlow filter matches all NetFlow event IDs that resulted in an NSEL record. Those NetFlow event IDs are defined in the Cisco ASA NetFlow Implementation Guide.
  5. Review the results in the Events viewer.

Filter Only NetFlow Events

This procedure finds only ASA NetFlow events:

  1. From the CDO menu bar, select Monitoring > Event Logging.
  2. Click the Filter icon and pin the filter open.
  3. Check the NetFlow ASA Event filter.
  4. Clear all other ASA Event filters.

Only ASA NetFlow events are displayed in the Event Logging table.

Filter for ASA or FTD Syslog Events but not ASA NetFlow Events

This procedure finds only syslog events:

  1. From the CDO menu bar, select Monitoring > Event Logging.
  2. Click the Filter icon and pin the filter open.
  3. Scroll to the bottom of the filter bar and make sure the Include NetFlow Events filter is unchecked.
  4. Scroll back up to the ASA Events filter tree, and make sure the NetFlow box is unchecked. 
  5. Pick the rest of your ASA or FTD filter criteria.

Combine Filter Elements

Filtering events generally follows the standard filtering rules in CDO: the filtering categories are "and-ed" and the values within a category are "or-ed." You can also combine the filter with your own search criteria. In the case of event filters, however, the FTD and ASA event type filters are also "or-ed" with each other rather than "and-ed." For example, if these values were chosen in the filter:

[Figure: example event filter selection]

With this filter in use, CDO displays events that are FTD Connection events or ASA BotNet or Firewall Traffic events, that occurred between the two times in the time range, and that also contain the ResponderPort 443. You can filter Historical events by time range; the Live events page always displays the most recent events.
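The following Python is an added illustration of the combination rules just described; it is not code from CDO or from Cisco's documentation. Over a handful of constructed events it applies the same logic the filter panel does: every populated category is "and-ed", the values inside a category are "or-ed", FTD and ASA event types share one "or-ed" category, the Action filter compares exactly but case-insensitively against the per-event-type attribute listed earlier (AC_RuleAction, FileAction, InLineResult, or Action), IP values accept a single address or a CIDR network, and a port value is a single port or a range written as the starting and ending port separated by a space. The event dictionaries, the epoch-second Time field, and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed sample events for this example; they are not real CDO records.
# Attribute names follow the page; Time is an epoch-seconds stand-in (assumption).
EVENTS = [
    {"EventType": "Connection", "AC_RuleAction": "Allow", "InitiatorIP": "10.10.10.43",
     "ResponderIP": "192.0.2.10", "InitiatorPort": 51234, "ResponderPort": 443, "Time": 100},
    {"EventType": "Connection", "AC_RuleAction": "Block", "InitiatorIP": "10.10.20.5",
     "ResponderIP": "192.0.2.10", "InitiatorPort": 51235, "ResponderPort": 443, "Time": 200},
    {"EventType": "Firewall Traffic", "Action": "Deny", "InitiatorIP": "10.10.10.7",
     "ResponderIP": "198.51.100.9", "InitiatorPort": 40000, "ResponderPort": 22, "Time": 300},
    {"EventType": "Intrusion", "InLineResult": "Blocked", "InitiatorIP": "10.10.10.9",
     "ResponderIP": "192.0.2.10", "InitiatorPort": 40001, "ResponderPort": 443, "Time": 400},
]

# Attribute the Action filter is compared against, per FTD event type (from the page).
# ASA syslog and NetFlow events use the Action attribute.
ACTION_ATTR = {"Connection": "AC_RuleAction", "File": "FileAction",
               "Intrusion": "InLineResult", "Malware": "FileAction"}


def _ip_matches(value, specs):
    """An IP value matches if it is inside any spec (single address or CIDR network)."""
    addr = ipaddress.ip_address(value)
    return any(addr in ipaddress.ip_network(spec, strict=False) for spec in specs)


def _port_matches(value, specs):
    """A port spec is "443" or a range "1024 65535" (start and end separated by a space)."""
    for spec in specs:
        parts = spec.split()
        low, high = int(parts[0]), int(parts[-1])
        if low <= value <= high:
            return True
    return False


def filter_events(events, event_types=(), start=None, end=None, actions=(),
                  initiator_ips=(), responder_ips=(), initiator_ports=(), responder_ports=()):
    """Apply the Event Logging filter rules: categories are and-ed, values in a category are or-ed.

    An empty category places no restriction. event_types holds FTD and ASA types together,
    because both trees are or-ed into a single category.
    """
    wanted_actions = {a.lower() for a in actions}
    result = []
    for event in events:
        if event_types and event["EventType"] not in event_types:
            continue
        if start is not None and event["Time"] < start:
            continue
        if end is not None and event["Time"] > end:
            continue
        if wanted_actions:
            attr = ACTION_ATTR.get(event["EventType"], "Action")
            # Exact match on the value, but case does not matter.
            if str(event.get(attr, "")).lower() not in wanted_actions:
                continue
        if initiator_ips and not _ip_matches(event["InitiatorIP"], initiator_ips):
            continue
        if responder_ips and not _ip_matches(event["ResponderIP"], responder_ips):
            continue
        if initiator_ports and not _port_matches(event["InitiatorPort"], initiator_ports):
            continue
        if responder_ports and not _port_matches(event["ResponderPort"], responder_ports):
            continue
        result.append(event)
    return result


if __name__ == "__main__":
    # The combination from the text: FTD Connection or ASA Firewall Traffic events,
    # within a time range, that also have ResponderPort 443.
    for e in filter_events(EVENTS, event_types=("Connection", "Firewall Traffic"),
                           start=100, end=300, responder_ports=("443",)):
        print(e["EventType"], e["InitiatorIP"], "->", e["ResponderIP"], e["ResponderPort"])
```

Note that the Firewall Traffic event at Time 300 falls inside the time range and the event type set, but is dropped because its ResponderPort is 22: all populated categories must hold at once, while the two event types are alternatives.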

Filter with Attribute:Value Pairs

You can filter live or historical events by entering an event attribute and a value in the search field.

Enter each pair using the syntax attribute:value. For example, the figure above shows the attribute:value pair ResponderID:10.10.0.43.

If you are searching for a string value containing spaces, surround the string in quotes, for example: NAP_Policy:"Balanced Security and Connectivity".

To filter events by their attribute:value pairs, follow this procedure:

  1. Expand an event.
  2. Copy the attribute and value you want to filter on.
  3. Paste them in the search field.
  4. Edit the search string so that it matches the attribute:value syntax and contains the values you want to search for. The search is case insensitive.

AND, OR, NOT Filter Operators

AND

Use the AND operator in the filter string to find events that include all of the listed attributes. For example, this filter string,

Protocol:tcp AND InitiatorIP:10.10.10.43

will display events that include both the tcp protocol AND the InitiatorIP address 10.10.10.43 in the Events viewer.

OR

Use the OR operator in the filter string to find events that include any of the listed attributes. For example, this filter string,

InitiatorIP:10.10.10.43 OR ResponderIP:10.10.10.43

will display events where the InitiatorIP or the ResponderIP is 10.10.10.43 in the Events viewer.

NOT

Use the NOT operator in the filter string to exclude events that contain certain attributes. For example, this filter string,

InitiatorIP:10.10.10.42 AND NOT ResponderIP:10.10.10.1

will display events with the source IP 10.10.10.42 but not those whose destination IP address is also 10.10.10.1.

Wildcard Searches

Use an asterisk (*) as a wildcard in the value part of an attribute:value search. For example, this filter string,

URL:*feedback*

will find events whose URL attribute contains the string feedback.
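As an added example, not code from CDO, here is a small evaluator for the search syntax described in this section: attribute:value terms, quoted values that contain spaces, the AND, OR and NOT operators, asterisk wildcards, and case-insensitive matching of both attribute names and values. A value without a wildcard must match the whole attribute, so InitiatorIP:10.10.10.4 does not match 10.10.10.43. Two details the page does not state are assumptions here: AND binds more tightly than OR, and operators are written in uppercase. The sample events are constructed, and search() is meant to run over the events that remain after filtering.

```python
import re
import shlex

# Constructed sample events for this example (not real CDO output).
EVENTS = [
    {"Protocol": "tcp", "InitiatorIP": "10.10.10.43", "ResponderIP": "192.0.2.10",
     "URL": "https://example.com/feedback/form"},
    {"Protocol": "udp", "InitiatorIP": "10.10.10.42", "ResponderIP": "10.10.10.1",
     "NAP_Policy": "Balanced Security and Connectivity"},
    {"Protocol": "tcp", "InitiatorIP": "10.10.10.42", "ResponderIP": "192.0.2.20",
     "URL": "https://example.com/Feedback"},
    {"Protocol": "tcp", "InitiatorIP": "192.0.2.5", "ResponderIP": "10.10.10.43"},
]


def parse(query):
    """Parse a search string into a tree of ("match", attr, value), ("not", x),
    ("and", x, y) and ("or", x, y) nodes. shlex keeps a quoted value such as
    NAP_Policy:"Balanced Security and Connectivity" together as one token.
    Precedence: NOT, then AND, then OR (assumption; the page does not state it)."""
    tokens = shlex.split(query)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def expr():                      # or-chain
        nonlocal pos
        node = term()
        while peek() == "OR":
            pos += 1
            node = ("or", node, term())
        return node

    def term():                      # and-chain
        nonlocal pos
        node = factor()
        while peek() == "AND":
            pos += 1
            node = ("and", node, factor())
        return node

    def factor():                    # NOT factor | attribute:value
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError("unexpected end of search string")
        pos += 1
        if tok == "NOT":
            return ("not", factor())
        if ":" not in tok:
            raise ValueError(f"expected attribute:value, got {tok!r}")
        attr, value = tok.split(":", 1)   # split at the first colon only, so URLs survive
        return ("match", attr, value)

    tree = expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return tree


def _value_matches(pattern, actual):
    """Whole-value, case-insensitive match; '*' in the pattern matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(actual), re.IGNORECASE) is not None


def evaluate(node, event):
    kind = node[0]
    if kind == "match":
        _, attr, value = node
        # Attribute names are compared case-insensitively as well.
        lowered = {k.lower(): v for k, v in event.items()}
        actual = lowered.get(attr.lower())
        return actual is not None and _value_matches(value, actual)
    if kind == "not":
        return not evaluate(node[1], event)
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    return evaluate(node[1], event) or evaluate(node[2], event)


def search(events, query):
    """Return the events (for example, the output of the filter) that satisfy the query."""
    tree = parse(query)
    return [e for e in events if evaluate(tree, e)]


if __name__ == "__main__":
    for q in ("Protocol:tcp AND InitiatorIP:10.10.10.43",
              "InitiatorIP:10.10.10.42 AND NOT ResponderIP:10.10.10.1",
              "URL:*feedback*"):
        print(q, "->", len(search(EVENTS, q)), "event(s)")
```

The wildcard is translated into a regular expression only after the literal parts of the value have been escaped, so a value containing regex metacharacters such as a dot in an IP address still matches literally; only the asterisk is special.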