User Guide for Cisco Security MARS Global Controller, Release 4.3.x
Management Tab Overview

Table Of Contents

Management Tab Overview

Activating

To activate a set of management additions or changes

Event Management

Search for an Event Description or CVE Names

To view a list of all currently supported CVEs

Event Groups

To filter by event groups or severity

Edit a Group of Events

Add a Group

IP Management

Search for an Address, Network, Variable, or Host

Filter by Groups

Edit a Group

Add a Group

Add a Network, IP Range, or Variable

Service Management

Search for a Service

Add a Group of Services

Edit a Group of Services

Add a Service

Edit a Service

Delete a Service

User Management

Add a New User

Add a Service Provider (Cell phone/Pager)

Search for a User

Edit or Remove a User

Create a User Group

Add or Remove a User from a User Group

Filter by Groups

Promoting Global User Roles on Local Controller


Management Tab Overview


Revised: April 5, 2007, OL-14648-02

Use the management features in the Global Controller to define event, address, service, and user information. This information is used in rules and queries, and to determine false positives.

Activating

In general, you need to activate changes in the Management tabs if the changes are part of a rule.

To activate a set of management additions or changes


Step 1 When changes (or additions) are complete, activate them by clicking Activate.

Figure 10-1 Clicking the Activate Button

Event Management

To open the Event Management sub-tab, click the Management > Event Management tabs.

On the Event Management page, you can search and filter events and event groups, and work with groups of events.

Search for an Event Description or CVE Names

You can search for partial matches of event descriptions or Common Vulnerabilities and Exposures (CVE) names.


Step 1 Enter the text that you want to search for in the Search field.

Step 2 Click Search.


To view a list of all currently supported CVEs


Step 1 Enter CVE into the Search field.

Step 2 Click Search.


Event Groups

Using and creating event groups is one of the most powerful ways to leverage rules. You can take any of the events presented here, group them, and then use them with rules to concentrate your searches for attacks.

To filter by event groups or severity

From the appropriate list, select the group or severity.

Edit a Group of Events


Note You cannot edit system-defined groups.



Step 1 Select the group in the Select Group list.

Step 2 Click Edit Group.

Step 3 Click each group in the Chosen and Available fields to highlight it. Click it again to de-highlight it.

Step 4 Click Add or Remove to move highlighted items as needed.

Step 5 Click Submit.


Add a Group


Step 1 Click Add.

Step 2 In the Name field, enter a name for the group.

Step 3 In the Available field, click each group that you want to add to highlight it. Click it again to de-highlight it.

Step 4 Click Add.

Step 5 Click Submit.


IP Management

The IP Management page, accessed by clicking Management > IP Management, enables the definition of network assets that you use as building blocks for inspection rules, drop rules, reports and queries, topology discovery schedules, and in defining reporting devices and mitigation devices. You can define assets as networks, IP ranges, or hosts. You can also define named variables for use within inspection rules.

The vulnerability assessment information that you define for a host, specifically the operating system type and patch level and the known services that run on the host, assists MARS in determining false positives.


Tip You can filter the list of objects displayed by the View list box. This selection allows you to filter to hosts, networks, IP ranges, or variables.



Note A Global Controller pushes any global IP Management Groups to the active Local Controllers that it manages.


Search for an Address, Network, Variable, or Host


Step 1 Enter the text that you want to search for in the Search field.

Step 2 Click Search.


Filter by Groups

From the Select Group list, select the group.

Edit a Group


Step 1 Select Management > IP Management.

The IP Management page appears.

Step 2 Select the group in the Select Group list.

Step 3 Click Edit Group.

Step 4 Click each group in the Chosen and Available fields to highlight it. Click it again to de-highlight it.

Step 5 Click Add or Remove to move highlighted items as needed.

Step 6 Click Submit.


Add a Group


Step 1 Select Management > IP Management.

The IP Management page appears.

Step 2 Click Add Group.

Step 3 In the Name field, enter a name for the group.

Step 4 In the Available field, click a group to highlight it. To de-highlight an item, click it again.

Step 5 Click Add to move the selected items into the Chosen field.

Step 6 Click Submit.


Add a Network, IP Range, or Variable


Step 1 Select Management > IP Management.

The IP Management page appears.

Figure 10-2 Add a Network, IP Range, or Variable

Step 2 Click Add.

Step 3 In the Type list select: network, IP range, or variable.

Step 4 For each type enter the appropriate information.

Network: name, network IP, network mask

IP range: name and range

Variable: variable name

Step 5 Click Submit.


Service Management

To open the Service Management sub-tab, click the Management > Service Management tabs.

A service is a combination of source port, destination port, and protocol. The Service Management page displays services with their descriptions, ports, and protocols. On the Service Management page, you can work with the services on your networks.

Search for a Service


Step 1 Enter the text that you want to search for in the Search field.

Step 2 Click Search.

To filter by service groups

From the appropriate list, select the group.


Add a Group of Services


Step 1 Click Add.

Step 2 In the Name field, enter a name for the group.

Step 3 In the Available field, click items to select them, and click them again to de-select them.

Step 4 Click Add.

Step 5 Click Submit.


Edit a Group of Services


Note You cannot edit system-defined groups.



Step 1 Select the group in the Select Group list.

Step 2 Click Edit Group.

Step 3 Click each group in the Chosen and Available fields to highlight it. Click it again to de-highlight it.

Step 4 Click Add or Remove to move the highlighted items as needed.

Step 5 Click Submit.


Add a Service


Step 1 Click Add.

Step 2 Enter the service's details.

Step 3 Click Submit.


Edit a Service


Step 1 Check the box next to the service.

Step 2 Click Edit.

Step 3 Make your changes, and click Submit.


Delete a Service


Step 1 Check the box next to the service.

Step 2 Click Delete.

Step 3 On the confirmation page, click Yes.


User Management

MARS supports local authentication of MARS users; user credentials are stored on the MARS Appliance in SHA-1 cryptographic hash format. Each MARS Appliance has only one Administrative account, pnadmin. This account is the only account with privileges to access the command line interface via SSH or a direct console connection.

The User Management page allows you to manage other users and administrators of the MARS system, including the roles and groups to which those users belong. On this page, you can define new user accounts, enabling access to specific features of the web interface. You can define user-specific notification settings for the user, such as a valid e-mail address or pager number. Some system-wide settings, such as pager and cell phone service provider settings, are also accessible exclusively through this page. To access the User Management page, click either Management > User Management or Admin > User Management.

In MARS, four separate user roles exist that can be assigned to any user who needs to access the web interface:

Admin has full read/write privileges. Users in this role can define new users with any desired role. Users in the role can change the password settings of the accounts in any user role.

Security Analyst has full read privileges, but write privileges are restricted to reports. Users in this role can only define new users (and change passwords of users) with the Notifications Only role.

Operator has read only privileges. Users in this role cannot define new users or change passwords, even of their own user account.

Notifications Only. This user role has no permission to access the MARS web interface; use this role to identify users who will receive notifications, such as e-mail, SMS, or pager notifications.

No limit exists on the number of user accounts that can be defined in MARS.

While roles are system defined, you can define, edit, and delete user groups. For more information, see Create a User Group and Add or Remove a User from a User Group.

Users created on the Global Controller are propagated down to the Local Controller with one notable exception: the user "pnadmin" is always local to the Global Controller or Local Controller on which it is first created.

When you create users with the same login name or the same first name/last name combination on both the Global Controller and a Local Controller, both appear in the list of users on the Local Controller: once as a local user, once as global.

Global users are maintained only on the Global Controller; local users are maintained only on individual Local Controllers. Users created on Local Controllers are not propagated up to the Global Controller. If you want a user of a Local Controller to have access to the Global Controller or any of its information, you must also create that user at the Global Controller level.

Good security practices suggest strong passwords for use with the MARS Appliances. When defining user names and passwords, keep the following guidelines in mind:

Login names and passwords:

can be alphanumeric characters

can contain special characters (!, @, #, etc.)

cannot contain single or double quotes (' or ")

are case sensitive

Login names can have up to 20 characters. Passwords can have up to 64 characters.
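The following is an added example, not part of the Cisco guide, that checks a login name and password against the guidelines above before an account is provisioned (length limits, no single or double quotes, case-sensitive comparison). The printable-ASCII restriction and the minimum password-strength rule are this example's own assumptions, not MARS requirements.

```python
import re

LOGIN_MAX = 20       # login names can have up to 20 characters
PASSWORD_MAX = 64    # passwords can have up to 64 characters
FORBIDDEN = {"'", '"'}  # single and double quotes are not allowed
MIN_PASSWORD_LEN = 8    # assumption: local policy, not a MARS limit


def _check(value: str, max_len: int, label: str) -> list:
    """Return a list of guideline violations for one credential field."""
    problems = []
    if not value:
        problems.append(f"{label} is empty")
    if len(value) > max_len:
        problems.append(f"{label} exceeds {max_len} characters")
    bad = sorted(FORBIDDEN & set(value))
    if bad:
        problems.append(f"{label} contains forbidden quote character(s): {' '.join(bad)}")
    # Assumption: only printable ASCII (alphanumerics plus !, @, # and the like)
    if any(not (32 < ord(c) < 127) for c in value):
        problems.append(f"{label} contains whitespace, control or non-ASCII characters")
    return problems


def validate_login(login: str) -> list:
    return _check(login, LOGIN_MAX, "login name")


def validate_password(password: str) -> list:
    problems = _check(password, PASSWORD_MAX, "password")
    # Assumption: strength heuristic the guide leaves to "good security practices"
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if len(password) < MIN_PASSWORD_LEN or sum(bool(re.search(p, password)) for p in classes) < 3:
        problems.append(f"password should have at least {MIN_PASSWORD_LEN} characters "
                        "drawn from three of: lower, upper, digit, special")
    return problems


def is_duplicate_login(existing: list, candidate: str) -> bool:
    """Login names are case sensitive, so 'Admin' and 'admin' are distinct accounts."""
    return candidate in existing


if __name__ == "__main__":
    print(validate_login("pnadmin"), validate_password("S3cure!Pass#2007"))
    print(validate_password("bad'pass"))
```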

Add a New User

Defining a new user involves specifying the user name, password, role, contact information, PGP key (Global Controller only), and notification information.

To add a new user, follow these steps:


Step 1 From the Management > User Management tab, click Add. The User Configuration page appears, as shown in Figure 10-3.

Figure 10-3 User Configuration Page

Step 2 From the Role field, select a Role for the user.

Admin: has full use of Global Controller.

Notification Only: for a non-user of the Global Controller appliance, use this to send alerts to people who are not admins, security analysts, or operators.

Operator: has read-only privileges.

Security Analyst: has full use of Global Controller, except that it cannot access the Admin tab.

Step 3 Create or change the user's password if necessary.

Step 4 Enter the user's credentials and personal information.
The information can include the following:

First name

Last name

Organization name

Email address

PGP Key

Short Message Service (SMS) number—for example, 8885551212@servprov.com

Work telephone number

Home telephone number

FAX number

Pager number—may also be a mobile telephone number, for example, 5552345678

Step 5 If you are creating a notification by pager, go to the next section, "Add a Service Provider (Cell phone/Pager)", otherwise click Submit to complete the procedure for adding a user.


Add a Service Provider (Cell phone/Pager)

When configuring a notification by pager, add a service provider (cell phone or pager company) by completing the following procedure:


Step 1 From the Service Provider field, select New Provider. Additional fields appear, as shown in Figure 10-4.

The pull-down menu is populated as you add new service providers.

Figure 10-4 Select a New Provider and Provide Contact Details

Step 2 In the Provider Name field, enter the name of the service provider.

Step 3 In the Provider Phone No field, enter the service provider's telephone number.

This is the number the service provider uses for accepting alpha-numeric messages using the IXO/TAP protocol. The format is like a regular phone number, such as: 18001234567. The format of 1-800-1234567 is also acceptable. If dialing "9" is required to access a number outside your private branch exchange, type a "9," before the full telephone number (for example, 9,1-800-1234567).

Step 4 In the Provider Baudrate field, enter the baud rate specified by the provider.

This is the baud rate the service provider requires for the specified phone number. Common values are 1200, 2400, 4800, and 9600.

Consult your service provider's website for more information on their baud rates.

Step 5 Click Submit to close the User Configuration page and return to the User Management tab.

Search for a User


Step 1 Enter the text that you want to search for in the Search field.

Step 2 Click Search.


Edit or Remove a User


Step 1 From the Management > User Management tab, check the box next to the user's name.

Step 2 Click Delete to delete the user.

Step 3 Click Edit to change the user's configuration information.
The User Configuration page appears.

Step 4 Edit the User Configuration page.

Step 5 Click Submit.


Create a User Group


Step 1 Click Add Group.

Step 2 In the Name field, enter a name for the group.

Step 3 To add to the group, check the users from the list on the right-hand side. Click Add.
The checked names move to the left-hand side of the dialog box.

Step 4 To remove users from the group, select the users from the left-hand side with Ctrl+click. Click Remove. The selected names move to the right-hand side of the dialog box.

Step 5 Click Submit.


Add or Remove a User from a User Group

To add or remove a user from a custom User Group, do the following steps:


Note Admin, Operator, Notification, and Security Analyst are system groups and cannot be edited. The user is automatically added to the User Group that corresponds to their role.



Step 1 Select the User Group from the Select Group field. The members of the group are displayed.

Step 2 Click Edit Group. The User Group dialog box appears.

Step 3 To add to the group, check the users from the list on the right-hand side. Click Add.
The checked names move to the left-hand side of the dialog box.

Step 4 To remove users from the group, select the users from the left-hand side with Ctrl+click. Click Remove. The selected names move to the right-hand side of the dialog box.

Step 5 Click Submit. You are returned to the User Management tab.


Filter by Groups

From the Select Group list, select the group. Only the members of the group are displayed.

Promoting Global User Roles on Local Controller

A global "Admin" user can log into the Local Controller and promote a global "System Analyst" or "Operator" user to a higher role. For example, a global "Operator" can be promoted to become an "Admin" or "System Analyst" on the Local Controller. However, that user's role as an "Operator" on the Global Controller remains the same, because the change stays on the Local Controller and is not pushed up to the Global Controller. Once these users are promoted to a higher role, they cannot be demoted afterward.

Global "Notification" users cannot be promoted given that these users have no login password information.
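As an added illustration (not Cisco code), the model below captures the promotion rules stated in this section and the preceding one: only a global Admin promotes, only to a higher role, never a Notification user, the Global Controller role is untouched, and the promotion is irreversible. The role names, the privilege ordering, and the User/LocalController classes are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Assumed privilege ordering; a higher rank is a "higher role".
RANK = {"Notification": 0, "Operator": 1, "System Analyst": 2, "Admin": 3}


@dataclass
class User:
    login: str
    scope: str          # "global" (created on the Global Controller) or "local"
    gc_role: str        # role as defined on the Global Controller


class PromotionError(Exception):
    pass


@dataclass
class LocalController:
    """Tracks role overrides that exist only on this Local Controller."""
    local_roles: dict = field(default_factory=dict)

    def effective_role(self, user: User) -> str:
        # A local promotion, if any, overrides the propagated global role.
        return self.local_roles.get(user.login, user.gc_role)

    def promote(self, actor: User, target: User, new_role: str) -> str:
        if not (actor.scope == "global" and actor.gc_role == "Admin"):
            raise PromotionError("only a global Admin can promote users here")
        if target.scope != "global":
            raise PromotionError("promotion applies to propagated global users")
        if target.gc_role == "Notification":
            raise PromotionError("Notification users have no login password and cannot be promoted")
        if new_role not in RANK:
            raise PromotionError(f"unknown role {new_role!r}")
        current = self.effective_role(target)
        if RANK[new_role] <= RANK[current]:
            raise PromotionError("promotion must be to a higher role; demotion is not possible")
        # Change is recorded locally only; target.gc_role is never modified.
        self.local_roles[target.login] = new_role
        return new_role


if __name__ == "__main__":
    lc = LocalController()
    admin = User("gadmin", "global", "Admin")
    op = User("gop", "global", "Operator")
    lc.promote(admin, op, "System Analyst")
    print(lc.effective_role(op), op.gc_role)   # local role raised, GC role unchanged
```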