User Guide for Cisco Security MARS Local Controller, Release 4.2.x
Index

Numerics

802.1x, logging in Cisco Secure ACS 15-5

A

AAA devices 15-1

Action 20-3

Activate button 14-1, 22-18, 22-19, 22-21, 22-23

activating reporting devices 2-27

what it does 2-27

when to use 2-27

adding

cell phone number 14-11, 23-11

CSV file 2-20

devices 2-18

manually 2-18

seed file 2-20

drop rules 22-22

event groups 14-3

inspection rules 22-19

pager number 14-11, 23-11

seed file 2-20

service 14-8

user 14-9, 23-10

user group 14-12

adding IP groups 14-4

adding service provider 14-11, 23-11

admin roles, see user management 14-9

Adobe SVG 19-10

alert

action 22-15

Distributed Threat Management 22-15

Email 22-15

NONE 22-15

Page 22-15

SMS 22-15

SNMP 22-15

Syslog 22-15

alerts 23-1

all matching event raw messages 21-7

all matching events 21-7

all matching sessions 21-7

anomaly detection, see NetFlow 2-31

archive server

retrieving raw messages 24-3

attack diagram 19-9

attack paths

L2 20-5

L3 20-5

audit trail 24-3

B

bootstrap

devices 1-5

bytes transmitted 21-8

C

cell phone paging 14-11, 23-11

certificate

monitor status 24-10

upgrading from expired or fingerprint 24-10

changing

drop rule status 22-21

inspection rule status 22-17

Cisco Adaptive Security Appliance, see Cisco ASA 4-1

Cisco ASA

add to MARS 4-8

bootstrapping 4-2

security context

add discovered 4-12

define reporting options for 4-13

make MARS aware of 4-11

Cisco Firewall Services Modules, see Cisco FWSM 4-1

Cisco FWSM

add to MARS 4-8

bootstrapping 4-2

security context

add discovered 4-12

define reporting options for 4-13

make MARS aware of 4-11

Cisco Secure ACS, 802.1x feature support 15-5

Cisco Secure ACS, 802.1x support 15-1

Cisco Secure ACS, audit logs required by MARS 15-3

Cisco Secure ACS, bootstrap 15-3

Cisco Secure ACS, event logs studied by MARS 15-1

Cisco Secure ACS, MARS agent 15-7

Cisco Secure ACS, NAC support 15-1

Cisco Secure ACS, representing in MARS 15-12

Cisco Secure ACS, server support 15-2

Cisco Secure ACS, solution engine support 15-2

Cisco Secure ACS, supported versions 15-1

Cisco Secure ACS, TACACS+ command authorization 15-7

Collapse All 20-5

columns

seed file 2-22

Common Vulnerabilities and Exposures 14-2

community strings 2-37

configuration

NetFlow 2-30

creating

report 21-24

CSV files 2-20

custom log parser

selecting traffic type 16-14

CVE 14-2

D

data reduction 19-9

default certificate response

change 24-10

default fingerprint response

change 24-10

default password

change 24-8

deleting service 14-8

destination IP address ranking 21-6

destination network group ranking 21-6

destination network ranking 21-6

destination ranking 21-6

device, re-add 2-19

devices

bootstrap overview 1-5

define

overview 1-6, 17-10

deleting 2-19

deleting all displayed 2-20

edit 2-18

diagrams

attack 19-9

discovering networks

automatic 2-39

discovery

scheduling 2-39

updating 2-39

display format

query 21-5

distributed threat mitigation, taskflow order 1-7

drop rule

activate and inactive 22-21

drop rules

adding 22-22

editing 22-22

drop rule status

changing 22-21

DTM, See distributed threat mitigation. 1-7

dynamic information 20-10

dynamic vulnerability scanning 2-29

E

editing

drop rules 22-22

host information 14-6

inspection rules 22-18

IP groups 14-4

service 14-8

user 14-12

error messages, list of 15-14

event groups 14-3

event log

changing pulling time interval for Windows 10-11

event management 14-1

editing 14-2

Event Type 20-3

event type group ranking 21-6

event type ranking 21-5

Expand All 20-5

expired certificate 24-10

F

false positive

system determined 20-8

unconfirmed 20-8

user confirmed

false positive 20-8

positive 20-8

false positives

tuning 20-5

fingerprint validation 24-8

H

hardware maintenance

MARS 100, 100E, 200, GCM, GC 24-12

hosts

adding 14-5

editing 14-6

Hot Spot Graph 19-9

I

incident count 21-8

Incident Details page 20-4

Incident ID 20-3

Incident Path 20-3

incidents 19-8

action 20-3

event type 20-3

incident ID 20-3

incident path 20-3

incident vector 20-3

instances 20-6

matched rule 20-3

severity 20-3

time 20-3

time ranges 20-4

incidents table

navigation 20-3

incident table 20-5

Incident Vector 20-3

inspection rule

activate and inactive 22-17

inspection rules

adding 22-19

editing 22-18

inspection rule status

changing 22-17

instances

incidents 20-6

IP groups

adding 14-4

editing 14-4

IP management 14-3

adding

hosts 14-5

IP range 14-4

network 14-4

variable 14-4

L

L2 attack path 20-5

L3 attack path 20-5

Linux host, bootstrap 10-2

loading

MARS

seed file 2-24

log files 24-2

M

MAC address report 21-7

management

events 14-1

IP 14-3

service 14-7

user 14-8

MARS

audit trail 24-3

log files 24-2

matched incident ranking 21-7

Matched Rule 20-3

matched rule ranking 21-7

Microsoft Windows host, bootstrap 10-4

mitigate 20-5

mitigation policy

suggested content 1-1

monitoring policy

suggested content 1-1

N

NAC, AAA server support 15-1

NAT connection report 21-7

NetFlow, enable processing 2-34

NetFlow 2-30

configuration 2-30

Global NetFlow UDP Port 2-35

NetFlow, bootstrap reporting devices 2-32

NetFlow, enable processing 2-35

NetFlow, examined networks 2-35

NetFlow, how it is used 2-31, 2-32

NetFlow, performance tuning 2-35

NetFlow, supported versions 2-31

network group ranking 21-6

network ranking 21-6

Network Status tab

Incidents 19-12

Top Destinations 19-13

Top Event Types 19-12

Top Sources 19-13

O

Order/Rank By 21-7

order by 21-7

bytes transmitted 21-8

incident count 21-8

session count 21-7

time 21-8

P

pager 14-11, 23-11

password

change default 24-8

PIX

add to MARS 4-8

bootstrapping 4-2

security context

add discovered 4-12

define reporting options for 4-13

make MARS aware of 4-11

PIX Security Appliance, see PIX 4-1

PN Log agent 15-7

PN Log Agent, error messages 15-10

PN MARS

seed file columns 2-22

post NAT destination addresses 21-11

post NAT source addresses 21-10

pre NAT destination addresses 21-11

pre NAT source addresses 21-10

protocol ranking 21-6

public networks 2-38

Q

queries

action

ANY 21-12

actions 21-12

destination IP 21-11

ANY 21-11

devices 21-11

IP addresses 21-11

IP ranges 21-11

networks 21-11

post NAT destination addresses 21-11

pre NAT destination addresses 21-11

devices 21-11

display format

all matching event raw messages 21-7

all matching events 21-7

all matching sessions 21-7

destination IP address ranking 21-6

destination ranking 21-6

event type group ranking 21-6

MAC address report 21-7

matched incident ranking 21-7

matched rule ranking 21-7

NAT connection report 21-7

protocol ranking 21-6

reporting device ranking 21-7

reporting device type ranking 21-7

source IP address ranking 21-6

source port ranking 21-6

unknown event report 21-7

use only firing events 21-8

event type grouping 21-11

event types 21-11

ANY 21-11

operation

AND 21-12, 22-13

FOLLOWED-BY 21-12, 22-13

none 21-12, 22-13

OR 21-12, 22-13

result format

destination network group ranking 21-6

destination network ranking 21-6

event type ranking 21-5

network group ranking 21-6

network ranking 21-6

reported user ranking 21-7

source network group ranking 21-6

source network ranking 21-6

rule 21-12

ANY 21-12

save as

reports 21-13

rules 21-13

service

ANY 21-11

defined services 21-11

service variables 21-11

severity

ANY 21-12

green 21-12

red 21-12

yellow 21-12

source IP

ANY 21-10

devices 21-10

IP addresses 21-10

IP ranges 21-10

networks 21-10

post NAT source addresses 21-10

pre NAT source addresses 21-10

variables 21-10

time range

last 21-8

start and end times 21-8

zone 21-12

query

display format 21-5

reporting device ranking 2-27

Query page 21-1

R

rank by 21-7

bytes transmitted 21-8

incident count 21-8

session count 21-7

time 21-8

raw messages

retrieve from local controller database 24-5

retrieving from archive server 24-3

remediation policy

suggested content 1-2

removing

user 14-12

report

adding 21-24

delete 21-25

edit 21-26

new 21-24

reported user ranking 21-7

reporting device ranking 21-7

reporting device type ranking 21-7

reports

viewing 21-19, 21-25

reports, view type, CSV 21-24

reports, view type, recent 21-24

reports, view type, total 21-24

reports, view types 21-23

report views, CSV 21-24

report views, peak 21-24

reports, view type, peak 21-24

report views, recent 21-24

report views, total 21-24

rules

destination IP

ANY 22-8

devices 22-8

DISTINCT 22-8

IP addresses 22-8

IP ranges 22-8

Network Groups 22-8

networks 22-8

SAME 22-8

variables 22-8

device 22-11

ANY 22-11

Unknown Reporting Device 22-11

variables 22-11

event type grouping 22-10

event types 22-10

ANY 22-10

variables 22-10

reported user

ANY 22-11

Invalid User Name 22-11

NONE 22-11

variables 22-11

service

ANY 22-9

defined groups 22-10

defined services 22-10

service variables 22-9

severity

ANY 22-12

green 22-12

red 22-12

yellow 22-12

source IP

devices 22-7

IP addresses 22-7

IP ranges 22-7

Network Groups 22-7

networks 22-7

variables 22-7

runtime logging 24-1

S

scheduling

discovery 2-39

security contexts

add discovered 4-12

define reporting options 4-13

make MARS aware of 4-11

security policies

objectives of 1-1

security policy

suggested content 1-1

see CVE 14-2

seed file

CSV file 2-20

loading 2-24

service

adding 14-8

deleting 14-8

editing 14-8

editing groups 14-7

service group

adding 14-7

service management 14-7

service provider

adding 14-11, 23-11

services

adding group 14-7

session count 21-7

setting

runtime logging levels 24-1

Severity icons 20-3

Short Message Service

See SMS. 22-15

Simple Network Management Protocol

See SNMP. 22-15

SNMP RO, unsupported characters 2-9, 2-22, 2-29

Solaris host, bootstrap 10-2

source IP address ranking 21-6

source network group ranking 21-6

source network ranking 21-6

source port ranking 21-6

SSH

fingerprint validation 24-8

SSL

certificate validation 24-8

stacked charts 19-13

static information 20-10

system determined false positive type 20-8

T

table

incidents 20-5

Time 20-3

time ranges

incidents 20-4

Topology

toggle device display 19-12

traffic flows

identify and enable 1-4, 17-8

troubleshoot

error messages 15-14

troubleshoot, cannot add device 2-19

troubleshoot, cannot re-add device 2-19

troubleshooting

Cisco Secure ACS integration 15-13

tuning

false positives 20-5, 20-9

U

unconfirmed false positive type 20-8

unknown event report 21-7

use only firing events 21-8

user

adding 14-9, 23-10

editing 14-12

removing 14-12

user confirmed false positive type 20-8

user confirmed positive type 20-8

user group

adding 14-12

user management 14-8

roles defined 14-9

V

validation

fingerprint 24-8

valid networks 2-38

variables 21-10, 21-11, 22-7, 22-8