Use criteria to search for Inspection events.
Procedure
- Select , and then click the arrow next to Inspection Events to search by the following criteria: filter, filter taxonomy, network, user info, device, segment, rule, or events.
- Select the following Filter Criteria.
  - Filter Details: Search for a filter name or filter number.
  - Filter Category: Select filter categories. Expand a listing to select individual entries, or select a top-level list item to include every item listed under it.
  - Profile: Select a profile.
  - Filter Severity: Select the severity level or importance of the event.
    - Red/Critical — Indicates critical events that must be looked at immediately.
    - Yellow/Major — Indicates major events that must be looked at as soon as possible.
    - Cyan/Minor — Indicates minor events that should be looked at as time permits.
    - Gray/Low — Indicates traffic that is probably normal, but may have security implications.
    Note: For corresponding SANS terminology, “Major” equates to “High” and “Minor” equates to “Moderate”.
  - Filter Type: Search for events by security or application filters.
  - Reputation Type: Search for events by the following Reputation types:
    - All
    - Both Reputation and geographic
    - Reputation only
    - Geographic only
    - Non-Reputation
  - Action: Select an action, including permit, block, trust, rate limit, or quarantine.
  - Suspicious URL Metadata: Include or exclude events with suspicious URL metadata.
- Select the following Filter Taxonomy Criteria, based on the classification, protocol, and platform. To select a consecutive range of entries, press the SHIFT key. To select multiple entries, press the CTRL key.
  - Classification: Select a filter classification.
  - Protocol: Select a protocol.
  - Platform: Select a platform.
- Select the following Network Criteria.
  - Addresses and Ports: Search based on single, multiple, or ranges of source and destination IP addresses or ports. For source or destination IP addresses:
    - Enter multiple IP addresses separated by commas.
    - Enter a range using a dash (-).
    - Enter one address or a CIDR block.
    - Exclude IP addresses in a CIDR block by using the “!” symbol.
    Enter both types of parameters for ports. For example, to display events that had a source port of 22, 25, or between 1000 and 32000, enter “22,25,1000-32000”.
  - Packet Trace: Locate action sets with packet trace enabled:
    - All
    - Events with Packet Trace
    - Events without Packet Trace
  - VLAN: Search based on the VLAN ID.
  - Additional Event Information: Use the client IP address for the source address if available, or search for an HTTP hostname.
- Select from the following User Info Criteria.
  - Users: Include or exclude users based on login names or user groups. If no users are specified, Any is the default. Click + to add a user. Click - to remove a user.
  - Domains: Specifies the source and destination IP address of the user domains.
  - Machines: Specifies the source and destination IP address of the user machines.
- Select from the following Device, Segment, Rule Criteria.
  - Segment/group: Group of hosts protected through a licensed pair of ports on a device. You can select and add everything within a group, or you can select multiple options within each grouping. Click Add to add a segment, group, device, or stack.
  - Device/group/stack: Devices managed by the SMS.
- Select from the following Event Criteria.
  - Has comment/Comment: Locate events based on whether they have a comment:
    - All
    - Events with comments
    - Events without comments
  - Event Number: Search by event number.
- Enter the number of matching rows (1 – 10,000) to list in the Events table. Limiting the number of rows may decrease the query processing time.
- Select a time range from the following:
  - Real-time — Displays entries as they occur on the SMS. This option displays data by refreshing the screen. It calculates the refresh rate based on the time it takes to run the query and display the results.
  - By set amount — Displays entries according to a selected time: last minute, last five minutes, last hour, last 24 hours, and so on. By default, events are shown for the last 15 minutes.
  - By time range — Displays entries during a range of time you select. Type in the field, or click the calendar to select a date.
- Click Refresh to update query results.
The time required to process an event query varies, because many variables affect it, including the time range, the number or type of search criteria, and the number of events accumulated within the time range.
- To save this query, click Save As, enter a name, and click Save.
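As an added example (not part of the SMS documentation or product code), the following Python evaluates the Addresses and Ports syntax described above against event records, so an analyst can check which events a given address list and port list would return before running the query. It assumes that an address list containing only “!” exclusions matches every address outside the excluded blocks, which the documentation does not state; the sample events are constructed.

```python
import ipaddress

# Constructed sample events (not from an SMS export): source address and port.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.2.3", "src_port": 22},
    {"src_ip": "10.5.0.1", "src_port": 443},
    {"src_ip": "192.168.1.50", "src_port": 2000},
]

def parse_ports(spec):
    """Expand an SMS-style port list such as "22,25,1000-32000" into a set."""
    ports = set()
    for item in (p.strip() for p in spec.split(",") if p.strip()):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port entry: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports

def parse_addresses(spec):
    """Split an address list into (include, exclude) network lists.
    Entries: one address, a CIDR block, a dashed range, or "!CIDR" to exclude."""
    include, exclude = [], []
    for item in (p.strip() for p in spec.split(",") if p.strip()):
        if item.startswith("!"):
            exclude.append(ipaddress.ip_network(item[1:], strict=False))
        elif "-" in item:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            include.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            include.append(ipaddress.ip_network(item, strict=False))
    return include, exclude

def address_matches(addr, spec):
    """True if addr satisfies spec. Assumption (not stated in the documentation):
    an exclusion-only list matches every address outside the excluded blocks."""
    ip = ipaddress.ip_address(addr)
    include, exclude = parse_addresses(spec)
    if any(ip in net for net in exclude):
        return False
    return not include or any(ip in net for net in include)

def filter_events(events, address_spec, port_spec):
    """Return the events whose source address and source port satisfy both criteria."""
    ports = parse_ports(port_spec)
    return [e for e in events if address_matches(e["src_ip"], address_spec) and e["src_port"] in ports]
```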