Work in Cisco Defense Orchestrator with Connection Events Stored on a Secure Network Analytics Appliance
If your devices are sending connection events to a Secure Network Analytics appliance using Security Analytics and Logging (On Premises), you can view and work with these remotely stored events in the Cisco Defense Orchestrator's event viewer and context explorer, and include them when generating reports. You can also cross-launch from an event in Cisco Defense Orchestrator to view related data on your Secure Network Analytics appliance.
By default, the system automatically selects the appropriate data source based on the time range you specify. If you want to override the data source, use this procedure.
Important | When you change the data source, your selection persists across all of the relevant analytics features that rely on the event data source, including reports, until you change it, even after you sign out. Your selection does not apply to other Cisco Defense Orchestrator users. |
The selected data source is used for low-priority connection events only. All other event types (intrusion, file, and malware events; connection events associated with those events; and Security Intelligence events) are displayed regardless of data source.
Before you begin
You have used the wizard to send connection events to Security Analytics and Logging (On Premises).
Procedure
| Step 1 | In the Cisco Defense Orchestrator web interface, navigate to a page that displays connection event data, such as Analysis > Connections > Events. | ||
| Step 2 | Click the data source displayed here and select an option:  The options are:
| ||
| Step 3 | (Optional) To view related data directly in your Secure Network Analytics appliance, right-click (in the unified event viewer, click) a value such as an IP address or domain and choose a cross-launch option. |