Custom Workflows

The following topics describe how to use custom workflows:

Introduction to Custom Workflows

If the predefined and Cisco-provided custom workflows do not meet your needs, you can create and manage custom workflows.

Custom workflows are workflows that you create to meet the unique needs of your organization. When you create a custom workflow, you choose the kind of event (or database table) on which the workflow is based. On the Firepower Management Center, you can base a custom workflow on a custom table. You can also choose the pages a custom workflow contains; custom workflows can contain drill-down, table view, and host or packet view pages.

If your event evaluation process changes, you can edit custom workflows to meet your new needs. Note that you cannot edit any of the predefined workflows.


Tip


You can set a custom workflow as the default workflow for any event type.


Saved Custom Workflows

In addition to predefined workflows, which cannot be modified, the Firepower Management Center includes several saved custom workflows. Each of these workflows is based on a custom table and can be modified.

In a multidomain deployment, these saved workflows belong to the Global domain and cannot be modified in lower domains.

Table 1. Saved Custom Workflows

Workflow Name

Description

Events by Impact, Priority, and Host Criticality

You can use this workflow to quickly pick out and focus in on hosts that are important to your network, currently vulnerable, and possibly currently under attack.

This workflow is based on the Intrusion Events with Destination Criticality custom table.

Events by Priority and Classification

This workflow lists events and their type in order of event priority, along with a count showing how many times each event has occurred.

This workflow is based on the Intrusion Events custom table.

Events with Destination, Impact, and Host Criticality

You can use this workflow to find the most recent attacks on hosts that are important to your network and currently vulnerable.

This workflow is based on the Intrusion Events with Destination Criticality custom table.

Hosts with Servers Default Workflow

You can use this workflow to quickly view the basic information in the Hosts with Servers custom table.

This workflow is based on the Hosts with Servers custom table.

Intrusion Events with Destination Criticality Default Workflow

You can use this workflow to quickly view the basic information in the Intrusion Events with Destination Criticality custom table.

This workflow is based on the Intrusion Events with Destination Criticality custom table.

Intrusion Events with Source Criticality Default Workflow

You can use this workflow to quickly view the basic information in the Intrusion Events with Source Criticality custom table.

This workflow is based on the Intrusion Events with Source Criticality custom table.

Server and Host Details

You can use this workflow to determine what servers are most frequently used on your network and which hosts are running those servers.

This workflow is based on the Hosts with Servers custom table.

Custom Workflow Creation

If the predefined and Cisco-provided custom workflows do not meet your needs, you can create custom workflows.


Tip


Instead of creating a new custom workflow, you can export a custom workflow from another appliance and then import it onto your appliance. You can then edit the imported workflow to suit your needs.


When you create a custom workflow, you:

  • Select a table to be the source of the workflow

  • Provide a workflow name

  • Add drill-down pages and table view pages to the workflow

For each drill-down page in the workflow, you can:

  • Provide a name that appears at the top of the page in the web interface

  • Include up to five columns per page

  • Specify a default sort order, ascending or descending

You can add table view pages in any position in the sequence of workflow pages. They do not have any editable properties, such as a page name, sort order, or user-definable column positions.


Note


You must add at least one drill-down page or a table view of events to a custom workflow.



Note


If you selected Vulnerabilities as the table type, then add IP Address as a table column, the IP Address column does not appear when you are viewing vulnerabilities using your custom workflow, unless you use the search feature to constrain the workflow to view a specific IP address or block of addresses.


The final page of a custom workflow depends on the table on which you base the workflow, as described in the following table. These final pages are added by default when you create the workflow.

Table 2. Custom Workflow Final Pages

Event/Asset Type

Final Page

Discovery events

Hosts

Vulnerabilities

Vulnerability detail

Third-party vulnerabilities

Hosts

Users

Users

Indications of compromise

Hosts or users

Intrusion events

Packets

The system does not add a final page to custom workflows based on other kinds of events (for example, audit log or malware events).

Custom workflows based on connection data are like other custom workflows, except you can include drill-down pages containing connection summary data, and connection data graph pages as well as drill-down pages containing data for individual connections and table view pages.

Creating Custom Workflows Based on Non-Connection Data

You must have Admin or Security Analyst privileges to create a custom workflow based on non-connetion data.

Procedure


Step 1

Choose Analysis > Advanced > Custom Workflows.

Step 2

Click Create Custom Workflow.

Step 3

Enter a name for the workflow in the Name field.

Step 4

Optionally, enter a Description.

Step 5

Choose the table you want to include from the Table drop-down list.

Step 6

If you want to add one or more drill-down pages to the workflow, click Add Page.

Step 7

Enter a name for the page in the Page Name field.

Step 8

Under Column 1, choose a sort priority and a table column. This column will appear in the leftmost column of the page.

Example:

For example, to create a page showing the destination ports that are targeted, and to sort the page by count, choose 2 from the Sort Priority drop-down list and Destination Port/ICMP Code from the Field drop-down list.

Step 9

Continue choosing fields to include and setting their sort priority until you have specified all the fields you want to appear on the page.

Step 10

If you want to add a table view page to the workflow, click Add Table View.

Step 11

Click Save.


Creating Custom Connection Data Workflows

Custom workflows based on connection data are like other custom workflows, except you can include connection data graph pages as well as drill-down pages and table view pages. You can include as many of each type of page in the workflow as you want, in any order. Each connection data graph page contains a single graph, which can be a line graph, bar graph, or pie chart. On line and bar graphs, you may include more than one dataset.

You must have Admin privileges to create a custom workflow based on connection data.

Procedure


Step 1

Choose Analysis > Advanced > Custom Workflows.

Step 2

Click Create Custom Workflow.

Step 3

Enter a name for the workflow in the Name field.

Step 4

Optionally, enter a Description.

Step 5

From the Table drop-down list, choose Connection Events.

Step 6

If you want to add one or more drill-down pages to the workflow, you have two options:

  • Click Add Page to add a drill-down page that contains data on individual connections,

  • Click Add Summary Page to add a drill-down page that contains connection summary data.

Step 7

Enter a name for the page in the Page Name field.

Step 8

Under Column 1, choose a sort priority and a table column. This column will appear in the leftmost column of the page.

Step 9

Continue choosing fields to include and setting their sort priority until you have specified all the fields you want to appear on the page.

Example:

For example, to create a page showing the amount of traffic transmitted over your monitored network and to sort the page by the responders that transmitted the most traffic, choose 1 from the Sort Priority drop-down list and Responder Bytes from the Field drop-down list.

Step 10

If you want to add one or more graph pages to the workflow, click Add Graph.

Step 11

Enter a name for the page in the Graph Name field.

Step 12

Choose the type of graph you want to include on the page:

  • line graph (Line chart (line chart icon))
  • bar graph(Bar chart (bar chart icon))
  • pie chart (Pie chart (pie chart icon))

Step 13

Specify what kind of data you want to graph by choosing the x- and y-axes of the graph.

On a pie chart, the x-axis represents the independent variable and the y-axis represents the dependent variable.

Step 14

Choose the datasets you want to include on the graph.

Note that pie charts can include only one data set.

Step 15

If you want to add a table view of connection data, click Add Table View.

Table views are not configurable.

Step 16

Click Save.


Custom Workflow Use and Management

The method you use to view a workflow depends on whether the workflow is based on one of the predefined event tables or on a custom table.

If your custom workflow is based on a predefined event table, access it in the same way that you would access a workflow that ships with the appliance. For example, to access a custom workflow based on the Hosts table, choose Analysis > Hosts > Hosts. If, on the other hand, your custom workflow is based on a custom table, you must access it from the Custom Tables page.

If your event evaluation process changes, you can edit custom workflows to meet your new needs. Note that you cannot edit any of the predefined workflows.


Tip


You can set a custom workflow as the default workflow for any event type.


Viewing Custom Workflows Based on Predefined Tables

You must have Admin, Maintenance, or Security Analyst privileges to view a custom workflow.

Procedure


Step 1

Choose the appropriate menu path and option for the table on which you based your custom workflow, as described in the Workflow Selection.

Step 2

To use a different workflow, including a custom workflow, click (switch workflow) next to the current workflow title.

Step 3

If no events appear and the workflow can be constrained by time, you may need to adjust the time range; see Event Time Constraints.


Viewing Custom Workflows Based on Custom Tables

You must have Admin or Security Analyst privileges to view a custom workflow that is based on custom tables.

In a multidomain deployment, the system displays custom workflows created in the current domain, which you can edit. It also displays custom workflows created in ancestor domains, which you cannot edit. To view and edit custom workflows in a lower domain, switch to that domain.

Procedure


Step 1

Choose Analysis > Advanced > Custom Tables.

Step 2

Click View (View button) next to the custom table you want to view, or click the name of the custom table.

Step 3

To use a different workflow, including a custom workflow, click (switch workflow) beside the current workflow title.

Step 4

If no events appear and the workflow can be constrained by time, you may need to adjust the time range; see Event Time Constraints.


Editing Custom Workflows

You must have Admin or Security Analyst privileges to edit a custom workflow.

In a multidomain deployment, the system displays custom workflows created in the current domain, which you can edit. It also displays custom workflows created in ancestor domains, which you cannot edit. To view and edit custom workflows in a lower domain, switch to that domain.

Procedure


Step 1

Choose Analysis > Advanced > Custom Workflows.

Step 2

Click Edit (edit icon) next to the name of the workflow that you want to edit.

If View (View button) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 3

Make any changes that you want to the workflow.

Step 4

Click Save.