User Guide for Cisco Security MARS Local Controller, Release 4.2.x
Index


Numerics

802.1x, logging in Cisco Secure ACS 15-5

A

AAA devices 15-1

Action 20-3

Activate button 14-1, 21-18, 21-19, 21-21, 21-23

activating reporting devices 2-27

what it does 2-27

when to use 2-27

adding

cell phone number 14-11, 22-11

CSV file 2-20

devices 2-18

manually 2-18

seed file 2-20

drop rules 21-22

event groups 14-3

inspection rules 21-19

pager number 14-11, 22-11

seed file 2-20

service 14-8

user 14-9, 22-10

user group 14-12

adding IP groups 14-4

adding service provider 14-11, 22-11

admin roles, see user management 14-9

Adobe SVG 19-10

alert

action 21-15

Distributed Threat Management 21-15

Email 21-15

NONE 21-15

Page 21-15

SMS 21-15

SNMP 21-15

Syslog 21-15

alerts 22-1

anomaly detection, see NetFlow 2-31

archive server

retrieving raw messages 23-3

attack diagram 19-9

attack paths

L2 20-5

L3 20-5

audit trail 23-3

B

bootstrap

devices 1-5

C

cell phone paging 14-11, 22-11

certificate

monitor status 23-10

upgrading from expired or fingerprint 23-10

changing

drop rule status 21-21

inspection rule status 21-17

Cisco Adaptive Security Appliance, see Cisco ASA 4-1

Cisco ASA

add to MARS 4-8

bootstrapping 4-2

security context

add discovered 4-12

define reporting options for 4-13

make MARS aware of 4-11

Cisco Firewall Services Modules, see Cisco FWSM 4-1

Cisco FWSM

add to MARS 4-8

bootstrapping 4-2

security context

add discovered 4-12

define reporting options for 4-13

make MARS aware of 4-11

Cisco Secure ACS, 802.1x feature support 15-5

Cisco Secure ACS, 802.1x support 15-1

Cisco Secure ACS, audit logs required by MARS 15-3

Cisco Secure ACS, bootstrap 15-3

Cisco Secure ACS, event logs studied by MARS 15-1

Cisco Secure ACS, MARS agent 15-7

Cisco Secure ACS, NAC support 15-1

Cisco Secure ACS, representing in MARS 15-12

Cisco Secure ACS, server support 15-2

Cisco Secure ACS, solution engine support 15-2

Cisco Secure ACS, supported versions 15-1

Cisco Secure ACS, TACACS+ command authorization 15-7

Collapse All 20-5

columns

seed file 2-22

Common Vulnerabilities and Exposures 14-2

community strings 2-37

configuration

NetFlow 2-30

CSV files 2-20

custom log parser

selecting traffic type 16-14

CVE 14-2

D

data reduction 19-9

default certificate response

change 23-10

default fingerprint response

change 23-10

default password

change 23-8

deleting service 14-8

device, re-add 2-19

devices

bootstrap overview 1-5

define

overview 1-6, 17-10

deleting 2-19

deleting all displayed 2-20

edit 2-18

diagrams

attack 19-9

discovering networks

automatic 2-39

discovery

scheduling 2-39

updating 2-39

distributed threat mitigation, taskflow order 1-7

drop rule

activate and inactivate 21-21

drop rules

adding 21-22

editing 21-22

drop rule status

changing 21-21

DTM, See distributed threat mitigation. 1-7

dynamic information 20-10

dynamic vulnerability scanning 2-29

E

editing

drop rules 21-22

host information 14-6

inspection rules 21-18

IP groups 14-4

service 14-8

user 14-12

error messages, list of 15-14

event groups 14-3

event log

changing pulling time interval for Windows 10-11

event management 14-1

editing 14-2

Event Type 20-3

Expand All 20-5

expired certificate 23-10

F

false positive

system determined 20-8

unconfirmed 20-8

user confirmed

false positive 20-8

positive 20-8

false positives

tuning 20-5

fingerprint validation 23-8

H

hardware maintenance

MARS 100, 100E, 200, GCM, GC 23-12

hosts

adding 14-5

editing 14-6

Hot Spot Graph 19-9

I

Incident Details page 20-4

Incident ID 20-3

Incident Path 20-3

incidents 19-8

action 20-3

event type 20-3

incident ID 20-3

incident path 20-3

incident vector 20-3

instances 20-6

matched rule 20-3

severity 20-3

time 20-3

time ranges 20-4

incidents table

navigation 20-3

incident table 20-5

Incident Vector 20-3

inspection rule

activate and inactivate 21-17

inspection rules

adding 21-19

editing 21-18

inspection rule status

changing 21-17

instances

incidents 20-6

IP groups

adding 14-4

editing 14-4

IP management 14-3

adding

hosts 14-5

IP range 14-4

network 14-4

variable 14-4

L

L2 attack path 20-5

L3 attack path 20-5

Linux host, bootstrap 10-2

loading

MARS

seed file 2-24

log files 23-2

M

management

events 14-1

IP 14-3

service 14-7

user 14-8

MARS

audit trail 23-3

log files 23-2

Matched Rule 20-3

Microsoft Windows host, bootstrap 10-4

mitigate 20-5

mitigation policy

suggested content 1-1

monitoring policy

suggested content 1-1

N

NAC, AAA server support 15-1

NetFlow, enable processing 2-34

NetFlow 2-30

configuration 2-30

Global NetFlow UDP Port 2-35

NetFlow, bootstrap reporting devices 2-32

NetFlow, enable processing 2-35

NetFlow, examined networks 2-35

NetFlow, how it is used 2-31, 2-32

NetFlow, performance tuning 2-35

NetFlow, supported versions 2-31

Network Status tab

Incidents 19-12

Top Destinations 19-13

Top Event Types 19-12

Top Sources 19-13

P

pager 14-11, 22-11

password

change default 23-8

PIX

add to MARS 4-8

bootstrapping 4-2

security context

add discovered 4-12

define reporting options for 4-13

make MARS aware of 4-11

PIX Security Appliance, see PIX 4-1

PN Log Agent 15-7

PN Log Agent, error messages 15-10

PN MARS

seed file columns 2-22

public networks 2-38

Q

queries

operation

AND 21-13

FOLLOWED-BY 21-13

none 21-13

OR 21-13

query

reporting device ranking 2-27

R

raw messages

retrieve from local controller database 23-5

retrieving from archive server 23-3

remediation policy

suggested content 1-2

removing

user 14-12

rules

destination IP

ANY 21-8

devices 21-8

DISTINCT 21-8

IP addresses 21-8

IP ranges 21-8

Network Groups 21-8

networks 21-8

SAME 21-8

variables 21-8

device 21-11

ANY 21-11

Unknown Reporting Device 21-11

variables 21-11

event type grouping 21-10

event types 21-10

ANY 21-10

variables 21-10

reported user

ANY 21-11

Invalid User Name 21-11

NONE 21-11

variables 21-11

service

ANY 21-9

defined groups 21-10

defined services 21-10

service variables 21-9

severity

ANY 21-12

green 21-12

red 21-12

yellow 21-12

source IP

devices 21-7

IP addresses 21-7

IP ranges 21-7

Network Groups 21-7

networks 21-7

variables 21-7

runtime logging 23-1

S

scheduling

discovery 2-39

security contexts

add discovered 4-12

define reporting options 4-13

make MARS aware of 4-11

security policies

objectives of 1-1

security policy

suggested content 1-1

see CVE 14-2

seed file

CSV file 2-20

loading 2-24

service

adding 14-8

deleting 14-8

editing 14-8

editing groups 14-7

service group

adding 14-7

service management 14-7

service provider

adding 14-11, 22-11

services

adding group 14-7

setting

runtime logging levels 23-1

Severity icons 20-3

Short Message Service

See SMS. 21-15

Simple Network Management Protocol

See SNMP. 21-15

SNMP RO, unsupported characters 2-9, 2-22, 2-29

Solaris host, bootstrap 10-2

SSH

fingerprint validation 23-8

SSL

certificate validation 23-8

stacked charts 19-13

static information 20-10

system determined false positive type 20-8

T

table

incidents 20-5

Time 20-3

time ranges

incidents 20-4

Topology

toggle device display 19-12

traffic flows

identify and enable 1-4, 17-8

troubleshoot

error messages 15-14

troubleshoot, cannot add device 2-19

troubleshoot, cannot re-add device 2-19

troubleshooting

Cisco Secure ACS integration 15-13

tuning

false positives 20-5, 20-9

U

unconfirmed false positive type 20-8

user

adding 14-9, 22-10

editing 14-12

removing 14-12

user confirmed false positive type 20-8

user confirmed positive type 20-8

user group

adding 14-12

user management 14-8

roles defined 14-9

V

validation

fingerprint 23-8

valid networks 2-38

variables 21-7, 21-8