User Guide for Cisco Security MARS Local and Global Controllers, Release 6.x
Preface

Table Of Contents

Preface

Audience

Organization

Conventions

Obtaining Documentation and Submitting a Service Request


Preface


This guide describes how to use the web interface in the Local or Global Controller to administer and monitor your network.

Audience

This guide is for the network and security administrators who use the Local Controller or Global Controller web interface to administer and monitor their network.

Organization

This document contains the following chapters and appendixes:

Chapter 1, "Introduction to MARS"—This chapter defines components of the Cisco Security Monitoring, Analysis, and Response System (MARS), introduces the Global Controller and the Local Controller, and presents its basic features and deployment options.

Chapter 2, "Security Threat Mitigation (STM) Task Flow Overview"—This chapter recommends a task flow for planning and implementing your security threat mitigation system. It ties back to your corporate security policies and presents a structured deployment and configuration strategy based on two phases: provisioning and monitoring.

Chapter 3, "Reports and Mitigation Devices Overview"

Chapter 4, "Rules"—This chapter covers defining and using inspection rules.

Chapter 5, "Alerts and Incident Notifications"—This chapter details the MARS configuration required to send an alert based on an inspection rule.

Chapter 6, "Management Tab Overview"—This chapter details how to manage events, networks, variables, hosts, services, and MARS users.

Chapter 7, "Network Summary"—This chapter details the Summary tab, which includes the Dashboard, the Network Status, and the My Reports pages and, on the Global Controller only, the Hotspots Diagram page.

Chapter 8, "Queries and Reports"—This chapter covers working with scheduled and on-demand reports and queries. It also discusses using the real-time event viewer.

Chapter 9, "Incident Investigation and Mitigation"—This chapter describes incidents and false positives and provides a starting point for configuring Layer 2 path discovery and mitigation to work with MARS.

Chapter 10, "Case Management"—This chapter covers using cases to provide accountability and improve workflow.

Chapter 11, "Security Manager Policy Table Lookup from a MARS Event"—This chapter describes how to configure and use Security Manager and MARS so as to enable bi-directional lookup between events received by MARS and access rule and signature policy found in Security Manager.

Chapter 12, "Botnet Traffic Filtering"—This chapter describes how MARS identifies and reports incidents associated with botnet event data captured by the Cisco ASA Botnet Traffic Filter.

Chapter 13, "System Maintenance"—This chapter covers the routine maintenance tasks for the MARS Appliance.

Chapter 14, "Authenticating MARS Accounts with External AAA Servers"—External Authentication, Authorization and Accounting (AAA) servers can act as the authentication mechanism for MARS Appliance GUI logins (username and password). This permits authentication and centralized password management for all MARS Appliances. This chapter describes the AAA feature for the MARS Appliances.

Chapter 15, "Monitoring Events from Custom and Unsupported Devices or Versions"—This chapter explains how to define custom device types and event types. These definitions enable a MARS Appliance to process events generated by an unsupported device type or version. This chapter also explains how to create custom packages to share across MARS Appliances. These packages include custom device types, event types definitions, rules, and reports. Last, it explains how to import and export custom packages from a MARS Appliance, as well as how to upload and download packages from the MARS forum on NetPro website.

Appendix A, "Date/Time Format Specification"—Date/time field parsing is performed using the Unix strptime() standard C library function; this appendix lists the format directives it accepts.

Appendix B, "Regular Expression Reference"—The syntax and semantics of the regular expressions supported by PCRE are described in this appendix.

Appendix C, "DSF Event Type Group Reference"

Appendix D, "Cisco Security MARS XML API Reference"—This appendix presents the XML schema used by MARS for XML-based notifications.

Appendix E, "System Rules and Reports"—Defines the system rules and reports provided with Cisco Security MARS.
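The custom-parser material summarized above (Chapter 15 for custom device and event types, Appendix A for strptime() date/time formats, Appendix B for PCRE regular expressions) rests on two mechanisms: a regular expression that splits a raw event into fields, and a strptime() format string that turns the timestamp field into a time value. The following is an added example, not code from the MARS documentation or product, that shows both steps in Python on a constructed BSD-syslog line. It assumes Python's re module (close to, but not identical with, PCRE syntax) and datetime.strptime() (which accepts the same directives as the C strptime() function). It also shows the caveat a parser author needs: the BSD syslog timestamp carries no year, so a format with no %Y directive yields a default year and the collector must supply the real one.

```python
import re
from datetime import datetime

# Constructed sample event (not taken from the MARS documentation).
SAMPLE_LINE = "Mar  5 14:02:17 fw01 %ASA-6-302013: Built outbound TCP connection 12345"

# Field-extraction pattern in the regex style a custom parser uses.
# Named groups map to the fields an event-type definition would consume.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# strptime() directives for the BSD syslog timestamp. Note the absence of %Y:
# the wire format has no year, so the parser cannot recover it from the text.
TS_FORMAT = "%b %d %H:%M:%S"

def parse_timestamp(ts, year):
    """Parse a BSD syslog timestamp using strptime() directives.

    Single-digit days are padded with a second space ("Mar  5"); collapsing
    whitespace keeps %d looking at exactly one field. Because TS_FORMAT has
    no %Y, strptime() fills in a default year (1900 in Python), so the caller
    passes the year in which the event was received and it is substituted.
    """
    normalized = " ".join(ts.split())
    parsed = datetime.strptime(normalized, TS_FORMAT)
    return parsed.replace(year=year)

def parse_line(line, year):
    """Split one raw syslog line into timestamp, host and message fields.

    Returns None when the line does not match, which is what a parser should
    do for events it does not understand rather than guessing at fields.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "time": parse_timestamp(m.group("ts"), year),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }

if __name__ == "__main__":
    event = parse_line(SAMPLE_LINE, 2024)
    print(event["time"].isoformat(), event["host"], event["msg"])
```

The year is passed in explicitly rather than read from the system clock so that the function is deterministic and so that a line received shortly after New Year can be assigned the previous year when the message timestamp is later than the receipt time, a check the caller is in a position to make and the parser is not.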

Conventions

This document uses the following conventions:

Item: Commands, keywords, special terminology, and options that should be selected during procedures
Convention: boldface font

Item: Variables for which you supply values and new or important terminology
Convention: italic font

Item: Displayed session and system information, paths and file names
Convention: screen font

Item: Information you enter
Convention: boldface screen font

Item: Variables you enter
Convention: italic screen font

Item: Menu items and button names
Convention: boldface font

Item: Menu items to select, in the order you select them
Convention: Option > Network Preferences

Tip Identifies information to help you get the most benefit from your product.

Note Means reader take note. Notes identify important information that you should reflect upon before continuing, contain helpful suggestions, or provide references to materials not contained in the document.

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage, loss of data, or a potential breach in your network security.

Warning Identifies information that you must heed to prevent damaging yourself, the state of software, or equipment. Warnings identify definite security breaches that will result if the information presented is not followed carefully.


Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.