Filter Live or Historical Events

FTD Events

• Connection - Displays connection events from access control rules.

• File - Displays events reported by file policies in access control rules.

• Intrusion - Displays events reported by intrusion policy in access control rules.

• Malware - Displays events reported by malware policies in access control rules.

ASA Events - These event types represent groups of syslog or NetFlow events.

See CDO Event Types for more information about events.

• Parsed Events-Parsed syslog events contain more event attributes than other syslog events and CDO is able to return search results based on those attributes more quickly. Parsed events are not a filtering category; however, parsed event IDs are displayed in the Event Types column in italics. Event IDs that are not displayed in italics are not parsed.

Time Range-Click the Start or End time fields to select the beginning and end of the time period you want to display. The time stamp is displayed in the local time of your computer.

Action- Specifies the security action defined by the rule. The value you enter must be an exact match to what you want to find; however, the case doesn't matter. Enter different values for connection, file, intrusion, malware, syslog, and NetFlow event types:

• For connection event types, the filter searches for matches in the AC_RuleAction attribute. Those values could be Allow, Block, Trust.

• For file event types, the filter searches for matches in the FileAction attribute. Those values could be Allow, Block, Trust.

• For intrusion event types, the filter searches for matches in the InLineResult attribute. Those values could be Allowed, Blocked, Trusted.

• For malware event types, the filter searches for matches in the FileAction attribute. Those values could be Cloud Lookup Timeout.

• For syslog and NetFlow events types, the filter searches for matches in the Action attribute.

Sensor ID-The Sensor ID is the the Management IP address from which events are sent to the Secure Event Connector.

For an FDM-managed device, the Sensor ID is typically the IP address of the device's management interface.

IP addresses

• Initiator -This is the IP address of the source of the network traffic. The value of the Initiator address field corresponds to the value of the InitiatorIP field in the event details. You can enter a single address, such as 10.10.10.100, or a network defined in CIDR notation such as 10.10.10.0/24.

• Responder-This is the destination IP address of the packet. The value of the Destination address field corresponds to the value in the ResponderIP field in the event details. You can enter a single address, such as 10.10.10.100, or a network defined in CIDR notation such as 10.10.10.0/24.

Ports

• Initiator-The port or ICMP type used by the session initiator. The value of the source port corresponds to the value fo the InitiatorPort in the event details. (Add a range - starting port ending port and space in between or both initiator and responder)

• Reponder-The port or ICMP code used by the session responder. The value of the destination port corresponds to the value of the ResponderPort in the event details.

NetFlow-ASA NetFlow events are different than syslog events. The NetFlow filter searches for all NetFlow events IDs that resulted in an NSEL record. Those "NetFlow event IDs" are defined in the Cisco ASA NetFlow Implementation Guide.