Using Custom Tables
As the FireSIGHT System collects information about your network, the Defense Center stores it in a series of database tables. When you use a workflow to view the resulting information, the Defense Center pulls the data from one of these tables. For example, the columns on each page of the Network Applications by Count workflow are taken from the fields in the Applications table.
If you determine that your analysis of the activity on your network would be enhanced by combining fields from different tables, you can create a custom table. For example, you could combine the host criticality information from the predefined Host Attributes table with the fields from the predefined Connection Data table and then examine connection data in a new context.
Note that you can create custom workflows for either predefined or custom tables. For more information on creating custom workflows, see Creating Custom Workflows.
The following sections describe how to create and use your own custom tables:
Understanding Custom Tables
License: FireSIGHT
Custom tables contain fields from two or more predefined tables. The FireSIGHT System is delivered with a number of system-defined custom tables, but you can create additional custom tables that contain only information that matches your specific needs.
For example, the FireSIGHT System is delivered with system-defined custom tables that correlate intrusion event data with host data, so you can search for events that impact critical systems and view the results of that search in one workflow. The following table describes the custom tables provided with the system.
Table 59-1 System-Defined Custom Tables

| Table | Description |
| --- | --- |
| Hosts with Servers | Includes fields from the Hosts and Servers tables, providing you with information about the detected applications running on your network, as well as basic operating system information about the hosts running those applications. |
| Intrusion Events with Destination Criticality | Includes fields from the Intrusion Events table and the Hosts table, providing you with information on the intrusion events, as well as the host criticality of the destination host involved in each intrusion event. Tip Use this table to search for intrusion events involving destination hosts with high host criticality. |
| Intrusion Events with Source Criticality | Includes fields from the Intrusion Events table and the Hosts table, providing you with information on the intrusion events and the host criticality of the source host involved in each intrusion event. Tip Use this table to search for intrusion events involving source hosts with high host criticality. |
Understanding Possible Table Combinations
License: FireSIGHT + Protection
When you create a custom table, you can combine fields from predefined tables that have related data. The following table lists the predefined tables you can combine to create a new custom table. Keep in mind that a custom table can combine fields from more than two predefined tables.
Table 59-2 Custom Table Combinations

| You can combine fields from... | ...with fields from |
| --- | --- |
| Applications | Correlation Events, Intrusion Events, Connection Summary Data, Host Attributes, Application Details, Discovery Events, Connection Events, Hosts, Servers, White List Events |
| Correlation Events | Applications, Host Attributes, Hosts |
| Intrusion Events | Applications, Host Attributes, Hosts, Servers |
| Connection Summary Data | Applications, Host Attributes, Hosts, Servers |
| Indications of Compromise | Applications, Application Details, Captured Files, Connection Events, Connection Summary Data, Correlation Events, Discovery Events, Host Attributes, Hosts, Intrusion Events, Security Intelligence Events, Servers, White List Events |
| Host Attributes | Applications, Correlation Events, Intrusion Events, Connection Summary Data, Application Details, Discovery Events, Connection Events, Hosts, Servers, White List Events |
| Application Details | Applications, Host Attributes, Hosts |
| Discovery Events | Applications, Host Attributes, Hosts |
| Connection Events | Applications, Host Attributes, Hosts, Servers |
| Security Intelligence Events | Applications, Host Attributes, Hosts, Servers |
| Hosts | Applications, Correlation Events, Intrusion Events, Connection Summary Data, Host Attributes, Application Details, Discovery Events, Connection Events, Servers, White List Events |
| Servers | Applications, Intrusion Events, Connection Summary Data, Host Attributes, Connection Events, Hosts |
| White List Events | Applications, Host Attributes, Hosts |
Sometimes a field in one table maps to more than one field in another table. For example, the predefined Intrusion Events with Destination Criticality custom table combines fields from the Intrusion Events table and the Hosts table. Each event in the Intrusion Events table has two IP addresses associated with it—a source IP address and a destination IP address. However, the “events” in the Hosts table each represent a single host IP address (hosts may have multiple IP addresses). Therefore, when you create a custom table based on the Intrusion Events table and the Hosts table, you must choose whether the data you display from the Hosts table applies to the host source IP address or the host destination IP address in the Intrusion Events table.
When you create a new custom table, a default workflow that displays all the columns in the table is automatically created. Also, just as with predefined tables, you can search custom tables for data that you want to use in your network analysis. You can also generate reports based on custom tables, as you can with predefined tables.
For more information on creating custom tables, see:
Creating a Custom Table
License: FireSIGHT
If you determine that your analysis of the activity on your network would be enhanced by combining fields from different tables, you can create a custom table.
Tip Instead of creating a new custom table, you can export a custom table from another Defense Center, then import it onto your Defense Center. You can then edit the imported custom table to suit your needs. For more information, see Importing and Exporting Configurations.
To create a custom table, decide which predefined tables delivered with the FireSIGHT System contain the fields you want to include in your custom table. You can then choose which fields you want to include and, if necessary, configure field mappings for any common fields.
Tip Data involving the Hosts table allows you to view data associated with all IP addresses from one host, rather than one specific IP address.
For example, consider a custom table that combines fields from the Correlation Events table and the Hosts table. You can use this custom table to get detailed information about the hosts involved in violations of any of your correlation policies. Note that you must decide whether to display data from the Hosts table that matches the source IP address or the destination IP address in the Correlation Events table.
If you view the table view of events for this custom table, it displays correlation events, one per row. The following information is included:
- the date and time the event was generated
- the name of the correlation policy that was violated
- the name of the rule that triggered the violation
- the IP address associated with the source, or initiating, host involved in the correlation event
- the source host’s NetBIOS name
- the operating system and version the source host is running
- the source host criticality
Tip You could create a similar custom table that displays the same information for destination, or responding, hosts.
To build the custom table in the previous example:
Access: Admin
Step 1 Select Analysis > Custom > Custom Tables.
The Custom Tables page appears.
Step 2 Click Create Custom Table.
The Create Custom Table page appears.
Step 3 In the Name field, type a name for the custom table, such as Correlation Events with Host Information (Src IP).
Step 4 From the Tables drop-down list, select Correlation Events.
The fields in the Correlation Events table appear in the Fields list.
Step 5 Under Fields, select Time and click Add to add the date and time when a correlation event was generated.
Step 6 Repeat step 5 to add the Policy and Rule fields.
Tip You can use Ctrl or Shift while clicking to select multiple fields. You can also click and drag to select multiple adjacent values. However, if you want to specify the order the fields appear in the table view of events associated with the table, add the fields one at a time.
Step 7 From the Tables drop-down list, select Hosts.
The fields in the Hosts table appear in the Fields list. For more information on these fields, see Understanding the Hosts Table.
Step 8 Add the IP Address, NetBIOS Name, OS Name, OS Version, and Host Criticality fields to the custom table.
Step 9 Under Common Fields, next to Correlation Events, select Source IP.
Your custom table is configured to display the host information you chose in step 8 for the source, or initiating, hosts involved in correlation events.
Tip You could create a custom table that displays detailed host information for the destination, or responding, hosts involved in a correlation event by following this procedure but selecting Destination IP instead of Source IP.
Step 10 Click Save.
The custom table is saved.
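To make the Common Fields choice in Step 9 concrete, the following added example (not part of the FireSIGHT documentation or the product's own code) models the Correlation Events and Hosts tables in SQLite and builds the Correlation Events with Host Information table by joining on either the source IP or the destination IP. The table layout, column names and sample rows are constructed assumptions; they only mirror the fields named in Steps 5 through 8.

```python
import sqlite3

# Constructed sample data standing in for the Correlation Events and Hosts
# tables. Column names follow the fields chosen in Steps 5-8; the schema
# itself is an assumption, not the Defense Center's database layout.
CORRELATION_EVENTS = [
    # (time, policy, rule, source_ip, destination_ip)
    ("2014-05-01 10:00:00", "PCI Policy", "Unexpected Telnet", "10.0.0.5", "10.0.1.20"),
    ("2014-05-01 10:05:00", "PCI Policy", "New Host", "10.0.0.7", "10.0.1.20"),
    ("2014-05-01 10:09:00", "PCI Policy", "Unexpected Telnet", "192.0.2.44", "10.0.0.5"),
]
HOSTS = [
    # (ip_address, netbios_name, os_name, os_version, host_criticality)
    ("10.0.0.5", "WS-ALICE", "Windows", "7", "Low"),
    ("10.0.0.7", "WS-BOB", "Windows", "8", "Medium"),
    ("10.0.1.20", "DB-PROD", "Linux", "3.2", "High"),
]
COMMON_FIELDS = ("source_ip", "destination_ip")  # the two choices offered in Step 9


def build_custom_table(common_field):
    """Join each correlation event to the host record matching either its
    source IP or its destination IP, mirroring the Common Fields mapping."""
    if common_field not in COMMON_FIELDS:  # whitelist before interpolating a column name
        raise ValueError(f"common field must be one of {COMMON_FIELDS}")
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE correlation_events(time, policy, rule, source_ip, destination_ip)")
    con.execute("CREATE TABLE hosts(ip_address, netbios_name, os_name, os_version, host_criticality)")
    con.executemany("INSERT INTO correlation_events VALUES (?, ?, ?, ?, ?)", CORRELATION_EVENTS)
    con.executemany("INSERT INTO hosts VALUES (?, ?, ?, ?, ?)", HOSTS)
    # LEFT JOIN keeps events whose mapped IP has no Hosts record (for example an
    # external address); the host columns for such rows come back as None.
    rows = con.execute(f"""
        SELECT e.time, e.policy, e.rule, e.{common_field},
               h.netbios_name, h.os_name, h.os_version, h.host_criticality
        FROM correlation_events AS e
        LEFT JOIN hosts AS h ON h.ip_address = e.{common_field}
        ORDER BY e.time""").fetchall()
    con.close()
    return rows


def events_by_criticality(common_field, criticality):
    """Filter the custom table by the mapped host's criticality, the search
    use case Table 59-1 suggests for the Source/Destination Criticality tables."""
    return [row for row in build_custom_table(common_field) if row[7] == criticality]


if __name__ == "__main__":
    for row in build_custom_table("source_ip"):
        print(row)
```

Running the same events through both mappings shows why the choice matters: mapped by source IP the third event has no host data at all, while mapped by destination IP it resolves to WS-ALICE.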
Modifying a Custom Table
License: FireSIGHT
You can add or delete fields in a custom table as your needs change.
To modify a custom table:
Access: Any/Admin
Step 1 Select Analysis > Custom > Custom Tables.
The Custom Tables page appears.
Step 2 Click the edit icon next to the table you want to edit.
The Edit Custom Table page appears. See Creating a Custom Table for information on the various configurations you can change.
Step 3 Optionally, remove fields from the table by clicking the delete icon next to the fields you want to remove.
Note If you delete fields currently in use in reports, you will be prompted to confirm that you want to remove the sections using those fields from those reports.
Step 4 Make other changes as needed and click Save.
Your custom table is updated.
Deleting a Custom Table
License: FireSIGHT
You can delete a custom table that you no longer need. If you delete a custom table, saved searches that use the custom table are also deleted.
To delete a custom table:
Access: Any/Admin
Step 1 Select Analysis > Custom > Custom Tables.
The Custom Tables page appears.
Step 2 Click the delete icon next to the custom table you want to delete.
The table is deleted.
Viewing a Workflow Based on a Custom Table
License: FireSIGHT
When you create a custom table, the system automatically creates a default workflow for it. The first page of this workflow displays a table view of events. If you include intrusion events in your custom table, the second page of the workflow is the packet view. Otherwise, the second page of the workflow is a hosts page. You can also create your own custom workflows based on your custom table.
Tip If you create a custom workflow based on a custom table, you can specify it as the default workflow for that table. For more information, see Configuring Event View Settings.
You can use the same techniques to view events in your custom table that you use for event views based on predefined tables. See Using Workflow Pages for more information.
To view a workflow based on a custom table:
Access: Any/Admin
Step 1 Select Analysis > Custom > Custom Tables.
The Custom Tables page appears.
Step 2 Click the view icon next to the custom table on which the workflow you want to see is based.
The first page of the default workflow for the custom table appears. To use a different workflow, click (switch workflow) by the workflow title. For information on how to specify a different default workflow, see Configuring Event View Settings. If no events appear and the workflow can be constrained by time, you may need to adjust the time range; see Setting Event Time Constraints.
Searching Custom Tables
License: FireSIGHT
You can create and save searches for a custom table. You may want to create searches customized for your network environment, then save them to reuse later. Note that if you delete a custom table, all searches you have saved for that custom table are also deleted.
The search criteria you can use are the same as the criteria for the predefined tables you used to build your custom table. See the sections listed in the following table for detailed information on the search criteria you can use.
To implement these criteria in a table search, see the following procedure.
To perform a search on a custom table:
Access: Any/Admin
Step 1 Select Analysis > Custom > Custom Tables.
The Custom Tables page appears.
Step 2 Click the view icon next to the custom table you want to search.
The first page of the default workflow for the custom table appears. To use a different workflow, including a custom workflow, click (switch workflow) by the workflow title. For information on specifying a different default workflow, see Configuring Event View Settings. If no events appear and the workflow can be constrained by time, you may need to adjust the time range; see Setting Event Time Constraints.
Step 3 Click Search.
The custom table’s search page appears.
Tip To search the database for a different kind of event or data, select it from the table drop-down list.
Step 4 Enter your search criteria in the appropriate fields. For more information about choosing search criteria, see the Table Search Criteria table.
If you enter criteria for multiple fields, the search returns only the records that match search criteria specified for all fields.
Tip Click the object icon next to a search field to use an object as a search criterion. For more information on searches, including information on special search syntax, using objects in searches, and saving and loading searches, see Performing and Saving Searches.
Step 5 Optionally, if you plan to save the search, you can select the Private check box to save the search as private so only you can access it. Otherwise, leave the check box clear to save the search for all users.
Tip If you want to use the search as a data restriction for a custom user role, you must save it as a private search.
Step 6 Optionally, you can save the search to be used again in the future. You have the following options:
- Click Save to save the search criteria. For a new search, a dialog box appears prompting for the name of the search; enter a unique search name and click Save. If you save new criteria for a previously existing search, no prompt appears. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.
- Click Save As New to save a new search or assign a name to a search you created by altering a previously saved search. A dialog box appears prompting for the name of the search; enter a unique search name and click Save. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.
Step 7 Click Search to start the search.
Your search results appear in the default workflow for the custom table, constrained by the current time range (if applicable). To use a different workflow, including a custom workflow, click (switch workflow) by the workflow title. For information on specifying a different default workflow, see Configuring Event View Settings.