Using Workflows

Procedure

Step 1

Choose the appropriate menu path and option as described in Workflow Selection.

Step 2

Navigate within the current workflow:

  • To view all of the columns available in your chosen event data type, use table view pages; see Using Table View Pages.

  • To view a subset of the columns available in your chosen event data type, use drill-down pages; see Using Drill-Down Pages.

  • To display the corresponding row in the next page of the workflow, click Down-Arrow (down-arrow icon).

  • To move among the pages of a multipage workflow, use the tools at the bottom of each page; see Workflow Page Traversal Tools.

  • To view the same constraints applied within a workflow for a different type of event, click Jump to and choose the event view from the drop-down list.

Step 3

Modify the display of the current workflow:

  • Check the check boxes by one or more rows on a page to indicate which row(s) you want to affect, then click one of the buttons at the bottom of the page (for example, View) to perform that action for all selected rows.

  • Check the check box at the top of the column to select all the rows on the page, then click one of the buttons at the bottom of the page (for example, View) to perform that action for all rows on the page.

  • Constrain the columns in the display by clicking Close (close icon) in the column heading that you want to hide. In the pop-up window that appears, click Apply.

    Tip

    To hide or show other columns, check or clear the appropriate check boxes before you click Apply. To add a disabled column back to the view, click the expand arrow to expand the search constraints, then click the column name under Disabled Columns.

  • Constrain the data view by selected values for selected fields. For information, see Event View Constraints and Compound Event View Constraints.

  • Change the time constraints on the event view. The date range located in the upper right corner of the page sets a time range for events to include in the workflow; for information, see Event Time Constraints.

    Note

    Events that were generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This may occur even if you configured a sliding time window for the appliance.

  • To sort data by a column, click the name of the column. To reverse the sort order, click the column name again. The direction arrow next to the column name indicates which column the data is sorted by, and whether the sort is ascending or descending.

  • Click a workflow page link to display that page using any active constraints. Workflow page links appear in the upper left corner of predefined workflow table views and drill-down pages, above events and below the workflow name.

Step 4

View additional data within the current workflow:

  • To view the file's trajectory map in a new window, click network file trajectory in file name and SHA-256 hash value columns. The icon is different depending on the file status; see File Trajectory Icons.

  • To display a pop-up window of the host profile associated with an IP address, click host profile in any IP address column. The icon is different depending on the host status; see Host Profile Icons.

  • To view the Dynamic Analysis Summary report for the highest threat score associated with a file, click threat score in any threat score column. The icon is different depending on the file’s highest threat score; see Threat Score Icons.

  • To view user profile information, click User or, for users associated with an indication of compromise, Red User in any user identity column. The user icon is dimmed if that user cannot be in the database (that is, is an AMP for Endpoints Connector user).

  • To view vulnerability details for third-party vulnerabilities, click Vulnerability in any third-party vulnerability ID column.

  • When viewing aggregated data points, hover your pointer over the flag to view the country name.

  • When viewing individual data points, click flag to view further geolocation details described in Geolocation.

Step 5

Navigate to a different workflow:

To view the same event type using a different workflow, click the switch workflow icon next to the workflow title, then choose the workflow you want to use. Note that you cannot use a different workflow for scan results.