User Guide for Cisco Security MARS Global Controller, Release 4.3.x
Index


A

AAA server

add 3-30

delete 3-37

servers supported 3-23

Accounts

expired

unlocking 3-26

ACS

configuring user names 3-30

Action 6-73

Activate button 8-129, 8-130, 8-132, 10-157

explanation 4-47

when multiple users are logged in 4-48

Activation Settings page 4-49

adding

cell phone number 9-153, 10-165

devices 2-20

manually 2-20

event groups 10-159

inspection rules 8-130

pager number 9-153, 10-165

service 10-162

user 9-152, 10-163

user group 10-166

adding IP groups 10-160

adding service provider 9-153, 10-165

admin roles, see user management 10-163

Adobe SVG 4-56

alert

action 8-126

Distributed Threat Management 8-126

Email 8-126

NONE 8-126

Page 8-126

SMS 8-126

SNMP 8-126

Syslog 8-126

alerts 9-143

all matching event raw messages 7-96

all matching events 7-96

all matching sessions 7-95

attack diagram 4-55

attack paths

L2 6-75

L3 6-75

audit trail 11-171

B

bytes transmitted 7-96

C

cell phone paging 9-153, 10-165

certificate

monitor status 11-174

upgrading from expired or fingerprint 11-174

changing

inspection rule status 8-128

Cisco Secure ACS

configuring user names 3-30

Collapse All 6-74

Common Vulnerabilities and Exposures 10-158

creating

report 7-110

CVE 10-158

D

data reduction 4-54

default certificate response

change 11-174

default fingerprint response

change 11-174

default password

change 11-172

deleting service 10-162

destination IP address ranking 7-95

destination network group ranking 7-95

destination network ranking 7-95

destination ranking 7-95

diagrams

attack 4-55

display format

query 7-94

E

editing

inspection rules 8-129

IP groups 10-160

service 10-162

user 10-166

event groups 10-159

event management 10-157

editing 10-158

Event Type 6-73

event type group ranking 7-94

event type ranking 7-94

Expand All 6-74

expired

accounts 3-26

expired certificate 11-174

F

false positives

tuning 6-75

fingerprint validation 11-172

G

Global Controller i-xxv

adding Local Controllers to 2-8

and Local Controllers 2-19, 4-41, 6-71, 7-89, 8-113, 8-115, 10-163

Network Summary page 4-41

overview 1-1

queries 7-89

rules 8-113, 8-115

user interface i-xxv

user management 10-163

H

hardware maintenance

MARS 100, 100E, 200, GCM, GC 11-176

Hot Spot Graph 4-55

I

incident count 7-96

Incident Details page 6-74

Incident ID 6-73

Incident Path 6-73

incidents 4-53

action 6-73

event type 6-73

incident ID 6-73

incident path 6-73

incident vector 6-73

instances 6-75

matched rule 6-73

severity 6-73

time 6-73

time ranges 6-73

incidents table

navigation 6-73

incident table 6-75

Incident Vector 6-73

inspection rule

activate and inactivate 8-128

inspection rules

adding 8-130

editing 8-129

inspection rule status

changing 8-128

instances

incidents 6-75

interoperability

local controllers and global controllers 2-7

IP groups

adding 10-160

editing 10-160

IP management 10-159

adding

IP range 10-160

network 10-160

variable 10-160

L

L2 attack path 6-75

L3 attack path 6-75

Local Controller 2-19, 4-41, 6-71, 7-89, 8-113, 8-115, 10-163

log files 11-170

Login Failure

procedure to unlock 3-37

M

MAC address report 7-96

management

events 10-157

IP 10-159

service 10-161

user 10-162

MARS

audit trail 11-171

log files 11-170

matched incident ranking 7-95

Matched Rule 6-73

matched rule ranking 7-95

mitigate 6-75

N

NAT connection report 7-96

network group ranking 7-94

network ranking 7-94

Network Status tab

Incidents 4-58

Top Destinations 4-58

Top Event Types 4-58

Top Sources 4-58

O

Order/Rank By 7-96

order by 7-96

bytes transmitted 7-96

incident count 7-96

session count 7-96

time 7-96

P

pager 9-153, 10-165

password

change default 11-172

post NAT destination addresses 7-99

post NAT source addresses 7-99

pre NAT destination addresses 7-99

pre NAT source addresses 7-99

protocol ranking 7-95

Q

queries

action

ANY 7-101

actions 7-101

destination IP 7-99

ANY 7-99

devices 7-100

IP addresses 7-99

IP ranges 7-99

networks 7-99

post NAT destination addresses 7-99

pre NAT destination addresses 7-99

devices 7-100

display format

all matching event raw messages 7-96

all matching events 7-96

all matching sessions 7-95

destination IP address ranking 7-95

destination ranking 7-95

event type group ranking 7-94

MAC address report 7-96

matched incident ranking 7-95

matched rule ranking 7-95

NAT connection report 7-96

protocol ranking 7-95

reporting device ranking 7-95

reporting device type ranking 7-95

source IP address ranking 7-94

source port ranking 7-95

unknown event report 7-96

use only firing events 7-97

event type grouping 7-100

event types 7-100

ANY 7-100

operation

AND 7-101, 8-124

FOLLOWED-BY 7-101, 8-124

none 7-101, 8-124

OR 7-101, 8-124

result format

destination network group ranking 7-95

destination network ranking 7-95

event type ranking 7-94

network group ranking 7-94

network ranking 7-94

reported user ranking 7-95

source network group ranking 7-94

source network ranking 7-94

rule 7-101

ANY 7-101

save as

reports 7-101

rules 7-101

service

ANY 7-100

defined services 7-100

service variables 7-100

severity

ANY 7-100

green 7-100

red 7-100

yellow 7-100

source IP

ANY 7-99

devices 7-99

IP addresses 7-99

IP ranges 7-99

networks 7-99

post NAT source addresses 7-99

pre NAT source addresses 7-99

variables 7-99

time range

last 7-96

start and end times 7-96

zone 7-100

query

display format 7-94

Query page 7-89

R

rank by 7-96

bytes transmitted 7-96

incident count 7-96

session count 7-96

time 7-96

removing

user 10-166

report

adding 7-110

delete 7-111

edit 7-111

new 7-110

reported user ranking 7-95

reporting device ranking 7-95

reporting device type ranking 7-95

reports

viewing 7-104, 7-110

reports, view type, CSV 7-109

reports, view type, recent 7-109

reports, view type, total 7-109

reports, view types 7-108

report views, CSV 7-109

report views, peak 7-109

reports, view type, peak 7-109

report views, recent 7-109

report views, total 7-109

rules

destination IP

ANY 8-119

devices 8-119

DISTINCT 8-119

IP addresses 8-119

IP ranges 8-119

Network Groups 8-119

networks 8-119

SAME 8-119

variables 8-119

device 8-122

ANY 8-122

Unknown Reporting Device 8-122

variables 8-122

event type grouping 8-121

event types 8-121

ANY 8-121

variables 8-121

reported user

ANY 8-122

Invalid User Name 8-122

NONE 8-122

variables 8-122

service

ANY 8-120

defined groups 8-121

defined services 8-121

service variables 8-120

severity

ANY 8-123

green 8-123

red 8-123

yellow 8-123

source IP

devices 8-118

IP addresses 8-118

IP ranges 8-118

Network Groups 8-118

networks 8-118

variables 8-118

runtime logging 11-169

S

see CVE 10-158

service

adding 10-162

deleting 10-162

editing 10-162

editing groups 10-161

service group

adding 10-161

service management 10-161

service provider

adding 9-153, 10-165

services

adding group 10-161

session count 7-96

setting

runtime logging levels 11-169

Severity icons 6-73

Short Message Service

See SMS. 8-126

Simple Network Management Protocol

See SNMP. 8-126

source IP address ranking 7-94

source network group ranking 7-94

source network ranking 7-94

source port ranking 7-95

SSH

fingerprint validation 11-172

SSL

certificate validation 11-172

stacked charts 4-58

T

table

incidents 6-75

Time 6-73

Timeout Interval, setting for GUI and CLI 4-46

time ranges

incidents 6-73

Topology

toggle device display 4-57

tuning

false positives 6-75

U

unknown event report 7-96

unlock

after login failure 3-37

CLI command

after login failure 3-26

use only firing events 7-97

user

adding 9-152, 10-163

editing 10-166

removing 10-166

user group

adding 10-166

user management 10-162

roles defined 10-163

V

validation

fingerprint 11-172

variables 7-99, 8-118, 8-119