Activities
The Activities page displays activity data from your environment using the Industry Standard Open Cybersecurity Schema Framework (OCSF), version 1.4. For details, see Open Cybersecurity Schema Framework. The normalized data are analyzed by Cisco XDR to generate Cisco XDR detections; these detections are then analyzed by the detection engine and may be correlated into incidents. For more information on detections, see Detections.
Note: The activities data is from Cisco XDR native sources only and it does not include integrated third-party products.
The network activities table currently supports only network activities from your Cisco Secure Client Network Visibility Module (NVM) if the XDR Default Deployment is installed on your endpoints. For more information on NVM, see Network Visibility Module in Cisco XDR and for details on the XDR Default Deployment, see Deployments.
Note: The Network Visibility Module captures network conversations as bidirectional flows and the network activities table displays unidirectional flows only. As a result, the table may show the same conversation in two rows, one for each direction.
Choose Investigate > Activities in the navigation menu to view network activities from your endpoints.
Network Activities Table Column Descriptions
|
Column Name |
Description |
|---|---|
|
Start time |
Date and time the current activity's observation period began according to the activity source. |
|
Activity type |
Type of activity captured by the activity source. For example, Network Activity. |
|
Activity source |
Name of the source product that recorded the activity. For example, Cisco NVM. |
|
Source IP |
The IP address of the host sending the communication, relative to your location (Internal or External). The country flag next to the IP address reflects the geographical location of the endpoint and it is displayed for external IP addresses only. Click the |
|
Source port |
Port number used by the activity source to initiate the communication. |
|
Destination IP |
The IP address of the host receiving the communication, relative to your location (Internal or External). The country flag next to the IP address reflects the geographical location of the endpoint and it is displayed for external IP addresses only. Click the |
|
Destination port |
Port number where the host received the communication. |
|
Protocol |
Identifier of the protocol used in the flow communication. |
|
Bytes out |
Total amount of data sent from the source to the destination during this activity, in bytes. If the activity is a segment of a longer conversation, the aggregate values are displayed as Cumulative bytes out in the activity details drawer. Note: The Network Visibility Module receives network activities as bidirectional flows and displays it in the network activities as separate unidirectional rows. As a result, traffic is always displayed as outbound and there is no Bytes in value. The data sent from destination to the source is displayed as outbound data in the Bytes out column. |
|
Community ID |
A standardized flow identifier for a network flow that is generated from details, such as IP addresses and ports, to ensure that the same network conversation is recognized consistently across supported network sources. For more information, see Community ID Flow Hashing. Note: This is an optional column that is only available in the Table Settings drawer. For details, see Customize Columns. |
(Pivot Menu) icon next to the IP address to take action on it. You can perform some actions directly in the Filter Activities
The activities that are displayed in the list are those that have been observed by the activity source during the specified date and time. By default, the list includes activities that were first observed within the last 24 hours. You can narrow the display of activities based on a specific timeframe using the time range drop-down list.
-
Last hour - Displays the activities observed within the last 1 hour that match the filter criteria.
-
Last 24 hours - Displays the activities observed within the last 24 hours that match the filter criteria.
-
Last 7 days - Displays the activities that started within the last 7 days that match the filter criteria.
-
Custom range - Uses the Start time to search for activities between the selected start and end date and time that match the filter criteria.
Note: The maximum time range is 7 days. If you select a range longer than 7 days, only the first 7 days of data will be returned. You must adjust the time range to view additional results.
In addition to the time range, you can filter the display of activities based on source, transport protocol, source hostname, source IP address, source port, destination hostname, destination IP address, destination port, or community ID using the Filters drawer by clicking the 
(Filters) icon above the list of network activities. Click Apply to save your filter options. The activities list will refresh and only display activities that match the filter criteria.
Reorder and Customize Columns
You can reorder the columns in the table and select the columns displayed to customize the table for the data you want to view.
Reorder Columns
To reorder the table columns, click and drag a column header to the desired position in the table.
Customize Columns
Click the 
(Settings) icon to open the Table Settings drawer and check the check boxes next to the columns you want displayed in the network activities table and click Apply. The 
(Lock) icon indicates that the column is mandatory and it is always displayed in the network activities table. You can reorder the columns by clicking the 
View Activity Details in Drawer
Click an activity link to open the activity details drawer with more information on the activity, including endpoint, traffic and connection, and device details. Click Copy JSON to copy the activity displayed in JSON format.
