Table Of Contents
Queries and Reports
Understanding Queries
Global Controller Query Interface
Local Controller Query Interface
Selecting the Query Type
Result Format
Order/Rank By
Filter By Time
Use Only Firing Events
Maximum Number of Rows Returned
Select Query Criteria
Query Criteria Descriptions
Source IP
Destination IP
Service
Events
Device
Reported User
IPS Risk Rating
IPS Threat Rating
IPS Global Correlation Score
Keyword
Operation
Rule
Action
Saving the Query
Query Operations
Run a Quick Query
Run a Keyword Query
Batch Query Operations
Define and Run a Batch Query
Stop a Batch Query
Resubmit a Batch Query
Delete a Batch Query
Perform a Long-Duration Query Using a Report
Select Custom Columns for Query Result Display
View a Query Result in the Report Tab
Viewing Events in Real-time
Restrictions for Real-time Event Viewer
Invoke the Real-Time Event Viewer on a Local Controller
Reports
Global Controller Reports
Local Controller Reports
Report Type Views: Total vs. Peak vs. Recent
Report Charts and Graphs
Report Creation
Create a New Local Controller Report
Create a New Global Controller Report
Operations on Existing Reports
View a Report
Run a Report
Delete a Report
Edit a Report
Duplicate a Report
Queries and Reports
MARS provides a variety of features for defining, viewing, and saving queries and reports. The essential distinction between queries and reports is that queries are typically shorter, reactive, and their specifications not recorded, while reports tend to be longer and have specifications defined and recorded in the system. However, a query can be saved as a report or a rule for later use, and a report (even a scheduled report) can be run on demand. (For information on rules, see Rules Overview, page 4-1; for a list, see the appendix System Rules by Category, page E-1.)
A batch query is a larger-scale query that may require extensive processing and is run in the background. Whenever you run a query that appears to require extensive processing, MARS offers you the option to run it as a batch query, that is, in the background.
MARS comes with a series of "stock" pre-defined reports that you can use as they are, or modify for your particular purpose. Reports can be duplicated or "cloned" and then edited to your particular requirements.
Defining queries and reports within MARS is essentially an exercise in using filters to define the parameters (what, where, when, and who) that comprise the information you wish to view.
Note
Submitting a query or report that is exceedingly general and processes a large amount of data may consume more system resources, or more time, than expected. Therefore, it is important to understand the scope of your queries. When you run a query as a batch query, you retain the ability to cancel it.
This chapter contains the following topics:
• Understanding Queries
• Query Operations
• Viewing Events in Real-time
• Reports
Understanding Queries
From the Query subtab, you can load and run reports as on-demand queries, or define and run a query. Many links from other pages bring you to the query subtab and partially populate the query's criteria. After you have submitted a query, you can save it as a report or a rule.
The scope of queries you can perform at a Global Controller differs from that at a Local Controller. These differences are detailed in the sections that follow.
This section contains the following topics:
• Global Controller Query Interface
• Local Controller Query Interface
• Selecting the Query Type
• Select Query Criteria
• Query Criteria Descriptions
• Saving the Query
Global Controller Query Interface
Queries performed at the Global Controller level are similar to those on a Local Controller, but also include the Zone parameter (see item (1) of Figure 8-1). You can run a query across one or more Local Controllers by specifying their zones. This enables a query at the Global Controller to select zone-specific objects.
When you submit a query from the Global Controller, it is sent out to the Local Controllers specified in the Zone parameter. The Local Controllers perform the actual query and send the results back to the Global Controller, which then merges and presents them at the global level.
Figure 8-1 The Global Controller Query Table
1. Click on Any to select the zone or zones that contain the Local Controllers you want to query.
2. Click to set the query type and time range criteria. See Selecting the Query Type.
3. Click Clear to return query values to default values.
4. Quick query fields permit entry of IP and Service values without opening the dialog box for the field.
5. Click on Any under a field value to open the dialog box for that field's criteria selection. See Select Query Criteria.
6. Save the query as a report or as a rule.
7. Click Submit Batch to run the query.
Except for the Zone parameter, running queries on the Global Controller and Local Controller is done the same way.
Local Controller Query Interface
Making queries from a Local Controller is nearly identical to the Global Controller process, except that you cannot specify a zone (the query simply runs on that Local Controller).
The following table details local queries:
Figure 8-2 The Local Controller Query Table
1. Click to set the query type and time range criteria. See Selecting the Query Type.
2. Click Clear to return query values to default values.
3. Quick query fields permit you to enter values without opening the dialog box for the field.
4. Click on a field value to open the dialog box for that field. See Select Query Criteria.
5. Save the query as a report or as a rule.
6. Click Submit Inline to run the query.
Selecting the Query Type
Figure 8-3 Clicking the Query Type or Edit link
You can select different query criteria by clicking the Query Type link or the Edit button as shown in Figure 8-3. Figure 8-4, shown below, lets you set a query's result format, ranking, time filter, whether it uses only firing events, and the maximum number of rows returned.
Figure 8-4 The Query Criteria: Result Page
Each of these parameters, and profiles of the possible values within each, is further described in the subsections that follow.
This section contains the following topics:
• Result Format
• Order/Rank By
• Filter By Time
• Use Only Firing Events
• Maximum Number of Rows Returned
Result Format
• Event Type Ranking—Returns the most reported event types. Ranked either by the number of sessions containing at least one event of that type, or by bytes transmitted in sessions that contain events that meet the query criteria.
• Event Type Group Ranking—Returns either pre-defined or user-defined grouped event types. Ranked either by the number of sessions containing at least one event type in the group, or by bytes transmitted in sessions that contain events that meet the query criteria.
• Network Group Ranking—Returns the top network groups that exist in MARS. Ranked either by the number of sessions that contain events that meet the query criteria, or by bytes transmitted in those sessions. If a network is excluded, it is excluded from all results.
• Network Ranking—Returns the top networks that exist in MARS. Ranked either by the number of sessions that contain events that meet the query criteria, or by bytes transmitted in those sessions. If a network is excluded, it is excluded from all results.
• Source Network Group Ranking—Returns the top source network groups that exist in MARS. Ranked either by the number of sessions that contain events that meet the query criteria, or by bytes transmitted in those sessions. If a network is excluded, it is excluded from all results.
• Source Network Ranking—Returns the top source networks that exist in MARS. Ranked either by the number of sessions that contain events that meet the query criteria, or by bytes transmitted in those sessions. If a network is excluded, it is excluded from all results.
• Source IP Address Ranking—Returns source IP addresses. Ranked either by the number of sessions with that source IP address, or by bytes transmitted in sessions that contain events that meet the query criteria.
• Destination Network Group Ranking—Returns the top destination network groups that exist in MARS. Ranked either by the number of sessions that contain events that meet the query criteria, or by bytes transmitted in those sessions. If a network is excluded, it is excluded from all results.
• Destination Network Ranking—Returns the top destination networks that exist in MARS. Ranked either by the number of sessions that contain events that meet the query criteria, or by bytes transmitted in those sessions. If a network is excluded, it is excluded from all results.
• Destination IP Address Ranking—Returns destination IP addresses. Ranked either by the number of sessions with that destination IP address, or by bytes transmitted in sessions that contain events that meet the query criteria.
• Source Port Ranking—Returns source ports. Ranked either by the number of sessions with that source port, or by bytes transmitted in sessions that contain events that meet the query criteria.
• Destination Port Ranking—Returns destination ports. Ranked either by the number of sessions with that destination port, or by bytes transmitted in sessions that contain events that meet the query criteria.
• Protocol Ranking—Returns the most used protocols. Ranked either by the number of sessions with that protocol, or by bytes transmitted in sessions that contain events that meet the query criteria.
• Reporting Device Ranking—Returns the most active reporting devices. Ranked either by the number of sessions that contain events from the device, or by bytes transmitted in sessions that contain events that meet the query criteria.
• Reporting Device Type Ranking—Returns the most active reporting device types. Ranked either by the number of sessions that contain events from a device of that type, or by bytes transmitted in sessions that contain events that meet the query criteria.
• Reported User Ranking—Returns information about users from reporting devices such as Windows clients, Solaris clients, and so on. Ranked either by the number of sessions that contain events from a reported user, or by bytes transmitted in sessions that contain events that meet the query criteria.
• Matched Rule Ranking—Returns the top firing rules. Ranked by number of incidents.
• Matched Incident Ranking—Returns incidents. Ranked either by the number of sessions that contain events that meet the criteria that contributed to the incident, or by bytes transmitted in real time in sessions that contain events that meet the query criteria.
• All Matching Sessions—Returns incidents. Ranked either by the number of sessions that contain events that meet the criteria that contributed to the incident, or by bytes transmitted in real time in sessions that contain events that meet the query criteria.
• All Matching Sessions, Custom Columns—Returns incidents. Ranked either by the number of sessions that contain events that meet the criteria that contributed to the incident, or by bytes transmitted in real time in sessions that contain events that meet the query criteria. You can customize the number and order of the columns returned by this result format. For more information see Select Custom Columns for Query Result Display.
• All Matching Events—Returns events. Ranked by time, with the most current first. Real Time results are available for this Result Type.
• All Matching Event Raw Messages—Returns the raw messages associated with events. Ranked by time, with the most current first. Real Time results are available for this Result Type.
• NAT Connection Report—Returns NAT connections. Ranked by time, with the most current first.
• MAC Address Report—Returns MAC addresses. Ranked by time, with the most current first.
• Unknown Event Report—Returns events that are not fully processed by MARS. In some cases, event information such as the five tuple (source IP, source port, destination IP, destination port, and protocol) might not be present, and hence cannot be queried in real time.
• Detailed NAC Report—Returns ACS syslog message elements that have been received and stored by MARS.
Order/Rank By
This selection determines the ranking or order of the query's results. These selections are determined by the kind of Result Format that you use when you run the query.
• Session Count—The number of sessions that contain events that meet the criteria that contributed to the incident.
• Bytes Transmitted—The number of bytes transmitted in sessions that contain events that meet the query criteria.
• Time—Most current results appear first.
• Incident Count—Largest number of incidents appear first.
Filter By Time
• Last—The present time minus the number of days, hours, and minutes entered.
• Start/End—The present time minus the number of days, hours, and minutes entered.
• Real Time—Streams rolling real-time results from the recent past to the current time. Result Formats that work in real time are:
  – All Matching Sessions
  – All Matching Events
  – All Matching Event Raw Messages
Real Time results appear in a normal browser window. Moving the scroll bar stops the "rolling" behavior. Clicking Resume on the bottom of the page allows the scrolling to resume.
Figure 8-5 Click Resume to Start the Page Rolling
1. Top row visible.
2. Bottom row visible.
3. Total rows queried since start.
4. Number of new queries pulled when this page last refreshed, per the Page Refresh Rate setting on the Query/Reports > Batch Query page.
Use Only Firing Events
Select this if you want only events that fired incidents to return information.
Maximum Number of Rows Returned
Select the maximum number of rows that you want displayed.
Select Query Criteria
When you initially view the Query Event Data page, most of the criteria are set to their default setting, Any, as shown in Figure 8-2. You can narrow and filter the criteria by clicking on Any under the criterion you wish to narrow. This opens the filtering page for that criterion, from which you select the filter elements to apply.
Step 1
Select the criterion that you want to filter by clicking on the corresponding word Any.
Figure 8-6 Clicking ANY to narrow your criteria, in this case, Destination IP
The filtering page for that criterion appears.
Step 2
Move the items that you want to query from the right to the left of the filter by selecting the check box next to them, and clicking the Equal and Not Equal buttons.
Figure 8-7 Selecting Variables
Step 3
You can select a variety of variables, events, devices, and addresses from the filter page. The following list numbers correspond to the numbers in the preceding graphic:
1. To change selected source items from Equal to Not Equal, check the boxes next to the items in the Sources Selected field (13) to select them, and click the Toggle Equal button.
2. To select all items in the Sources Selected field, click the Select All button. (Note: if you have items highlighted in the Sources Selected field, clicking Select All will de-select them.)
3. Filter variables with the drop-down list, if shown. (Not all variables present a drop-down list.)
4. Use the Equal and Not Equal buttons to bring highlighted items from the Sources Available field (7) into the Sources Selected field (13).
5. Filter sources from this drop-down list.
6. Enter search text, and click Search to filter the Sources Available list to show items that match the search criteria. You can then move all or some of them to the Sources Selected field.
7. The Sources Available list shows items that fit your currently selected criteria.
8. To add a new item to the Sources Available list, click the Add button. To edit or delete an existing source, click the Edit or Delete button. See IP Management, page 6-3 for more information.
9. To remove an item from the Sources Selected field, click the item or items and click the Remove button.
10. To move IP values up into the Sources Selected field, click the Equal (Up) icon or the Not Equal (Up) icon.
11. To enter an IP address or range into the Sources Selected field, select the radio button next to IP or Range, and enter an IP address, or a range of IP addresses, into the respective fields. (Then use the Equal or Not Equal buttons to move the value into the list.)
12. To group items in the Sources Selected field, select them, enter a group name, and click the Grouped As button.
13. After you have chosen the query criteria that interest you and they are listed in the Sources Selected field (13), click Apply to return to the Query page.
You can repeat this selection process for other query data.
Step 4
Click the Submit button to run the query.
Query Criteria Descriptions
The following lists describe the selections in the Query Event Data table.
Source IP
• Pre NAT source addresses—Specifies that the constraints entered are the session endpoints.
• Post NAT source addresses—Specifies that the constraints entered are the source as appearing at the destination.
• ANY—No constraint is placed on the source IP addresses.
• Variables—Selections include All, Network Groups, All Networks, All Devices, All IP Addresses.
• IP—IP address(es) present on devices in the system or user-entered dotted quads.
• Range—The range(s) of addresses between two dotted quads.
• Networks—Topologically valid networks.
• Devices—The hosts and reporting devices present in the system.
Destination IP
• Post NAT destination addresses—Specifies that the constraints entered are the session endpoints.
• Pre NAT destination addresses—Specifies that the constraints entered are the destination as appearing at the source.
• ANY—No constraint is placed on the source IP addresses.
• Variables—Selections include All, Network Groups, All Networks, All Devices, All IP Addresses.
• IP—IP address(es) present on devices in the system or user-entered dotted quads.
• Range—The range(s) of addresses between two dotted quads.
• Networks—Topologically valid networks.
• Devices—The hosts and reporting devices present in the system.
Service
• ANY—No constraint is placed on the source or destination ports, or the protocol.
• Service variables—Any one set of destination port and protocol, only useful for queries in tandem with the same variable.
• Defined services—Services in the database. These services are listed only after you have defined them.
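The following is an added illustration, not code from the MARS documentation or product, of how the Select Query Criteria choices above (Equal and Not Equal items, IP and Range entries, Service port and protocol pairs) narrow a set of sessions, and how the survivors are then ranked by Session Count or Bytes Transmitted under a Maximum Number of Rows Returned limit, as in the Destination Port Ranking result format. The evaluation order (Not Equal items exclude first, Equal items are ORed, an empty list means ANY) and the session records are assumptions made for this model.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample sessions (not captured data): the five tuple with the
# source port omitted, plus bytes transmitted, as MARS ranks them after
# sessionization.
SESSIONS = [
    {"src": "10.1.1.5",   "dst": "192.0.2.10", "dport": 80,  "proto": "tcp", "bytes": 1200},
    {"src": "10.1.1.6",   "dst": "192.0.2.10", "dport": 80,  "proto": "tcp", "bytes": 800},
    {"src": "10.1.1.5",   "dst": "192.0.2.11", "dport": 443, "proto": "tcp", "bytes": 9000},
    {"src": "10.1.2.9",   "dst": "192.0.2.11", "dport": 443, "proto": "tcp", "bytes": 300},
    {"src": "10.1.2.9",   "dst": "192.0.2.12", "dport": 53,  "proto": "udp", "bytes": 120},
    {"src": "172.16.0.4", "dst": "192.0.2.10", "dport": 80,  "proto": "tcp", "bytes": 5000},
]


def parse_item(text):
    """One entry on the filter page: an IP (dotted quad), a Range ('a-b'),
    or a Network in CIDR form. Returns a predicate over an ip_address."""
    if "-" in text:
        lo, hi = (ip_address(part.strip()) for part in text.split("-", 1))
        return lambda ip: lo <= ip <= hi
    net = ip_network(text, strict=False)  # a bare dotted quad becomes a /32
    return lambda ip: ip in net


class IPCriterion:
    """The Sources (or Destinations) Selected field: items moved over with
    Equal or Not Equal. Assumed semantics: Not Equal items exclude first,
    Equal items are ORed, and an empty Equal list means ANY."""

    def __init__(self, equal=(), not_equal=()):
        self.equal = [parse_item(t) for t in equal]
        self.not_equal = [parse_item(t) for t in not_equal]

    def matches(self, addr):
        ip = ip_address(addr)
        if any(pred(ip) for pred in self.not_equal):
            return False
        return not self.equal or any(pred(ip) for pred in self.equal)


class ServiceCriterion:
    """Service criterion: destination port and protocol pairs; empty means ANY."""

    def __init__(self, pairs=()):
        self.pairs = {(int(port), proto.lower()) for port, proto in pairs}

    def matches(self, session):
        return not self.pairs or (session["dport"], session["proto"]) in self.pairs


def run_query(sessions, src=IPCriterion(), dst=IPCriterion(),
              service=ServiceCriterion(), rank_field="dport",
              rank_by="session_count", max_rows=10):
    """Apply the criteria, then rank the surviving sessions by rank_field
    ('dport' for a Destination Port Ranking, 'src' for a Source IP Address
    Ranking, and so on). rank_by is 'session_count' or 'bytes_transmitted',
    the two Order/Rank By choices; max_rows is Maximum Number of Rows Returned.
    Returns [(value, session_count, bytes), ...], best first."""
    totals = defaultdict(lambda: [0, 0])
    for s in sessions:
        if src.matches(s["src"]) and dst.matches(s["dst"]) and service.matches(s):
            totals[s[rank_field]][0] += 1
            totals[s[rank_field]][1] += s["bytes"]
    idx = 0 if rank_by == "session_count" else 1
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1][idx], str(kv[0])))
    return [(key, count, nbytes) for key, (count, nbytes) in ranked][:max_rows]


if __name__ == "__main__":
    # Sources Selected: Equal 10.1.0.0/16, Not Equal range 10.1.2.0-10.1.2.255;
    # destination and service left at ANY; ranked by Bytes Transmitted per port.
    result = run_query(SESSIONS,
                       src=IPCriterion(equal=["10.1.0.0/16"],
                                       not_equal=["10.1.2.0-10.1.2.255"]),
                       rank_by="bytes_transmitted")
    for port, count, nbytes in result:
        print(f"port {port}: {count} sessions, {nbytes} bytes")
```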
Events
• ANY—No constraint on the event type.
• Event types—Events that have been merged into types.
• Event type groups—Groups of event types.
Device
• Device—The reporting devices present in the system. This restricts the query to a subset of the devices that report to MARS.
Reported User
• Reported User—The reported users of the system. This restricts the query to a subset of known users and can include one or many specific users.
IPS Risk Rating
• IPS Risk Rating—Can be selected to restrict the query to:
  – Match any event.
  – Match events without a Risk Rating.
  – Match events with a specified Risk Rating. (The value can be expressed as a specific range or by using Boolean operators.) See Figure 8-8.
IPS Threat Rating
• IPS Threat Rating—Can be selected to restrict the query to:
  – Match any event.
  – Match events without a Threat Rating.
  – Match events with a specified Threat Rating. (The value can be expressed as a specific range or by using Boolean operators.) See Figure 8-8.
IPS Global Correlation Score
• IPS Global Correlation Score—Can be selected to restrict the query to:
  – Match any event.
  – Match events without a Global Correlation Score.
  – Match events with a specified Global Correlation Score. (The value can be expressed as a specific range or by using Boolean operators.) See Figure 8-8.
Figure 8-8 Running an IPS-based query
Keyword
• Keyword—You can use this criterion to restrict the query on the basis of specific strings. You can add multiple strings and combine them with the operators AND/OR/NOT/None.
Figure 8-9 Running a free-form query
Operation
The operation field is not used as a query criterion. Leave it as the default: Any.
Rule
• Empty Rules Chosen field—When this field is empty, it acts like an ANY selection. No constraint is placed on the subset of events.
• Rule—Restricts the query to the subset of events that contributed to the incidents of the specified rules firing. Enables you to further specify rule criteria that include:
  – Active System Rules
  – Active User Rules
  – Inactive Rules
  – Specific Rule Groups
Action
• Empty Actions Chosen field—When this field is empty, it acts like an ANY selection. No constraint is placed on the subset of events.
• Actions—Restricts the query to the subset of events that contributed to the incidents of rules that have the specified notifications as part of their actions.
Saving the Query
You can save your query (criteria selection) to re-use as either a report or a rule.
• Save as a report—Takes the query that you are using and creates a report. For more information on creating reports, see the Reports section.
• Save as a rule—Takes the query to the rules page, populating the rule with the selected query criteria. You will likely need to identify additional criteria to complete the rule. For more information on creating rules, see Chapter 4, "Rules".
Query Operations
This section contains the following topics:
• Run a Quick Query
• Run a Keyword Query
• Batch Query Operations
• Perform a Long-Duration Query Using a Report
• Select Custom Columns for Query Result Display
• View a Query Result in the Report Tab
Run a Quick Query
You can use the quick query fields (see item (3) on Local Controller Query Interface) to enter IP and Service criteria without opening a dialog box for the field. This is a simple way to run a quick query.
To run a quick query, based on IP or Service criteria, follow these steps:
Step 1
From the Query subtab, enter any combination of Source IP, Destination IP, or Service into the query criteria fields. To enter a service, you must specify a port and protocol pair.
Step 2
Click the Apply button to load the value(s) into the query criteria table.
Step 3
Click the Submit Inline button to run the query.
The query results are displayed.
Run a Keyword Query
You can quickly create and run a query based on a keyword.
Tip
Keyword queries might be simple constructions that you run one time, or elaborate constructions (that specify inclusion, combination, or exclusion of strings or combinations of strings) that are saved for repeated use as a report or rule.
Step 1
Limit the scope of the query, as desired, by entering a source IP, destination IP, or a Service into the corresponding criteria fields.
Step 2
From the Query subtab, locate the Query type: line and click Edit (see item (2) on Local Controller Query Interface).
a. Examine the Result Format criterion and change the selection as necessary.
b. Examine the Order/Rank By criterion and change the selection as necessary.
c. Examine the Filter by Time criterion and change the selection as necessary.
Tip
Be sure that the Filter by Time criterion is set to match the scope you intend to examine.
d. Examine the Use Only Firing Events criterion and change the selection if necessary.
e. Examine the Maximum number of rows returned criterion and change the selection if necessary.
f. Click Apply.
Step 3
Click ANY below the Keyword heading.
Figure 8-10
The specify raw message keywords: box appears.
Step 4
Under the Search String heading, enter one or more strings to query; under Operation, select an operation (AND, OR, NOT) if desired. (For the final item in the list, set the Operation to None.)
Tip
To build a nested query, you can click the parentheses icon to add parentheses, or click the trash can icon to remove parentheses, on each line.
Step 5
Click Apply.
Step 6
Click Submit Inline to run the query.
MARS processes the keyword query and displays results. You are also given options to save the query as a report, or save it as a rule, or to submit it again.
Step 7
To save the query
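The following is an added illustration, not code from the MARS documentation or product, of the keyword query built in the procedure above: one row per search string in the "specify raw message keywords" box, an Operation of AND, OR or NOT on each row except the last (which is None), and optional parentheses per row, evaluated against a few constructed raw messages. Assumptions for this model: search strings are matched as case-insensitive substrings, operators apply left to right unless parentheses group rows, and "A NOT B" means A and not B.

```python
# Operations available on a keyword row; "None" marks the final row.
# Assumed semantics: AND/OR as usual, and "A NOT B" means A and not B.
OPERATIONS = {
    "AND": lambda a, b: a and b,
    "OR": lambda a, b: a or b,
    "NOT": lambda a, b: a and not b,
}

# Constructed sample raw messages, oldest first (not real captured logs).
RAW_MESSAGES = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.7/4431 dst inside:10.0.0.5/22 by access-group "outside_in"',
    '%ASA-6-302013: Built inbound TCP connection 1122 for outside:203.0.113.7/4432 to inside:10.0.0.8/80',
    '%ASA-4-106023: Deny udp src outside:198.51.100.3/53 dst inside:10.0.0.5/3389 by access-group "outside_in"',
    'sshd[2211]: Failed password for root from 203.0.113.7 port 4433 ssh2',
]

# The rows of the keywords box as they would be filled in, reading as:
# ( "Deny" OR "Failed password" ) AND "203.0.113.7" NOT "udp"
ROWS = [
    {"open": True, "string": "Deny", "op": "OR"},
    {"string": "Failed password", "close": True, "op": "AND"},
    {"string": "203.0.113.7", "op": "NOT"},
    {"string": "udp", "op": "None"},
]


def validate(rows):
    """Reject what the keyword page would not accept: an empty search string,
    an Operation other than None on the last row (or None before it), an
    unknown operation, and parentheses that do not balance."""
    depth = 0
    for i, row in enumerate(rows):
        if not row.get("string"):
            raise ValueError(f"row {i}: empty search string")
        is_last = i == len(rows) - 1
        if is_last != (row["op"] == "None"):
            raise ValueError(f"row {i}: Operation must be None on the last row only")
        if row["op"] != "None" and row["op"] not in OPERATIONS:
            raise ValueError(f"row {i}: unknown operation {row['op']}")
        depth += bool(row.get("open")) - bool(row.get("close"))
        if depth < 0:
            raise ValueError(f"row {i}: ')' without a matching '('")
    if depth != 0:
        raise ValueError("unbalanced parentheses")


def tokens_of(rows):
    """Flatten the rows into '(', ('str', text), ')' and operator tokens."""
    toks = []
    for row in rows:
        if row.get("open"):
            toks.append("(")
        toks.append(("str", row["string"]))
        if row.get("close"):
            toks.append(")")
        if row["op"] != "None":
            toks.append(row["op"])
    return toks


def matches(rows, message):
    """Evaluate the row list against one raw message with a small
    recursive-descent walk: left-to-right operators, parentheses group."""
    toks = tokens_of(rows)
    text = message.lower()
    pos = 0

    def atom():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "(":
            value = expr()
            pos += 1  # consume the matching ')', guaranteed by validate()
            return value
        return tok[1].lower() in text

    def expr():
        nonlocal pos
        value = atom()
        while pos < len(toks) and toks[pos] in OPERATIONS:
            op = toks[pos]
            pos += 1
            value = OPERATIONS[op](value, atom())
        return value

    return expr()


def keyword_query(rows, messages=RAW_MESSAGES):
    """Run the keyword query and return the matching raw messages, most
    recent first, as the All Matching Event Raw Messages format orders them."""
    validate(rows)
    return [m for m in reversed(messages) if matches(rows, m)]


if __name__ == "__main__":
    for hit in keyword_query(ROWS):
        print(hit)
```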
Batch Query Operations
This section details procedures you can perform on batch queries.
This section contains the following topics:
• Define and Run a Batch Query
• Stop a Batch Query
• Resubmit a Batch Query
• Delete a Batch Query
Define and Run a Batch Query
A batch query runs in the background, and its definition is recorded in the Batch Query Selection list under the Batch Query subtab. This list works in the same manner as the Report Selection list. To run a previous batch query, select it and click Resubmit. For more information, see Run a Report.
When you first define a query, MARS calculates the time necessary to run the query and returns one of three results:
• Submit Inline—Indicates that the query is within normal processing capability. Although you cannot run it as a batch query, you can still save the query as a report.
• Submit Batch—Indicates that the query exceeds normal processing capability and must be batch processed (run in the background).
• Submit . . .—Indicates that the query's processing requirements border on normal capability, and it may be submitted either as an inline or a batch query. The option to run inline or as a batch appears, as shown in Figure 8-11 (the Submit Batch button appears along with Submit Inline).
Note
The display of the Submit Batch button is an indication that inline execution might take longer than the current time-out period allows. If you still decide to run the Query in inline mode, its completion cannot be guaranteed.
To define and run a batch query, follow these steps:
Step 1
Click the Query / Reports tab and, from the Query subtab, enter your query type and criteria. For more information see Selecting the Query Type and Select Query Criteria.
Step 2
Click Submit Batch or Submit..., whichever one is displayed. If you click Submit..., the following dialog box appears:
Figure 8-11 Choosing the Query Submission Method
To submit your query as a batch query, click Submit Batch. Your query is submitted, and you are automatically taken to the Batch Query tab.
Tip
If your query is very large, you may only be given the options of Save as Rule, Save as Report, or Submit Batch. On the other hand, only Submit Inline appears if batch processing is not required.
Note
If your batch query is configured to filter by event and specifies a restriction by severity (Red, Yellow, Green), the Batch Query page lists the Query, but does not show the severity restriction. The batch query results list all results and criteria in the same format as the inline query results.
Figure 8-12 Select Batch Query
Step 3
To watch the status of the query in real-time, you can use the drop-down list to change the Page Refresh Rate from Never (the default) to 1 minute, 3 minutes, 5 minutes, 10 minutes, 15 minutes, or 30 minutes.
Step 4
To view the results of the batch query as it is running, click View Results. This can be done while the query is in progress.
If the email address in your user profile on the MARS is valid, the results of your batch query are emailed to you when the query has completed, and can also be viewed by clicking QUERY / REPORTS > Batch Query > View Results.
Note
When you click View Results while the query is in progress, the results compiled up to that moment are recomputed. This can make the display take longer to appear.
Stop a Batch Query
Stopping a batch query can be done simply. However, there is no way to stop a query submitted inline.
Step 1
Click QUERY/REPORTS, then click the Batch Query tab.
Step 2
Click Stop.
The Status of the query changes to Finished.
Resubmit a Batch Query
You can resubmit a batch query if you want to restart it. A resubmitted batch query will use previously computed results, thus resulting in a faster query than one submitted for the first time.
Step 1
Click QUERY/REPORTS, then click the Batch Query tab.
Step 2
Click Resubmit.
The Status of the query changes to In Progress.
Delete a Batch Query
Step 1
Click QUERY/REPORTS, then click the Batch Query tab.
Step 2
Click Delete.
Step 3
In the confirmation window, click Delete to confirm.
Note
You can only see your own batch queries and their results. The batch queries of others and their results are not viewable by you, and your batch queries and their results are not viewable by others.
Perform a Long-Duration Query Using a Report
This section explains how to create and view a long-duration query on the MARS. There are two ways to perform a long-duration query on the MARS:
1. Modify an existing report.
Advantages:
– The report is compiled relatively quickly.
– You can compile data gathered over a longer time period.
Disadvantage:
– This type of query can only be used without any changes to query criteria other than time range, and can only be used with the following reports:
  – Activity: All - Top Destination Ports
  – Activity: All - Top Destinations
  – Activity: All - Top Event Types
  – Activity: All - Top Reporting Devices
  – Activity: All - Top Sources
  – Activity: Attacks Seen - Top Reporting Devices
  – Activity: Denies - Top Destination Ports
  – Activity: P2P File sharing/Chat - Top Event Types
  – Activity: Scans - Top Destination Ports
  – Activity: Scans - Top Destinations
  – Activity: Unknown Events - All Events
  – Activity: Web Usage - Top Destinations by Sessions
  – Activity: Web Usage - Top Sources
  – Attacks: All - Top Rules Fired
  – Attacks: All - Top Sources
2. Perform a batch query.
Advantages:
– You can modify any of the query criteria.
– Best suited for data that spans a short time period.
Disadvantages:
– This type of query can be slow and may take a substantial amount of time to complete.
– Only Admin users can perform a batch query.
For more information see Define and Run a Batch Query.
If you want to observe activity on your MARS over a long period, you can edit an existing report that runs on a regular basis, such as hourly or daily, to run for a more extended period.
Note
Trying to run a long-duration query using a report that only runs "on demand" has the same effect as running a query; it can take just as long because it has to compile data, whereas data from the regularly-run reports has been precompiled on an ongoing basis.
To query using a report, follow these steps:
Step 1
In the QUERY / REPORTS tab, click the Reports tab to obtain the Main Report window.
Figure 8-13 Main Report Window
Step 2
Navigate to and then click the radio button next to the regularly-scheduled report you want to modify (in this example, we use Activity: All - Top Destinations). Click the Query column to edit the report. The Build Report window appears.
Figure 8-14 Build Report window
Step 3
In the lower portion of the Build Report window, change the Time Range the report (Activity: All - Top Destinations) covers to the duration you want it to cover.
Step 4
Click the Submit button to run the report and return to the Main Report window.
Select Custom Columns for Query Result Display
When you have a query type that specifies the All Matching Sessions, Custom Columns result format, you can select the number and order of the results returned for display. (For more information see Selecting the Query Type.)
To set the number and order of columns in an All Matching Sessions report, follow these steps:
Step 1
From the Query/Report tab, click Edit on the Query Type line.
The system displays Figure 8-4.
Step 2
From the Result Format list, select All Matching Sessions, Custom Columns.
Figure 8-15 Result Page: Custom Columns
The Query Criteria Result Page changes to show the Select Columns list boxes in place of the single Order/Rank By list box.
Step 3
From the top, use the Select Columns list boxes to select one or more columns you want displayed.
Note
The results will be sorted on the first column you select.
Step 4
Specify the Filter By Time, Use Only Firing Events, and Maximum Number of Rows Returned criteria, as required.
Step 5
Click Apply.
View a Query Result in the Report Tab
To view a query in the Report tab, follow these steps:
Step 1
At the bottom of the Main Report window, click the radio button next to the report (Activity: All - Top Destinations).
A display similar to the following appears:
Figure 8-16 Main Report window (bottom)
Step 2
From the drop-down list on the bottom of the Reports page, select either:
•
View HTML: to view the report as an HTML file.
•
View CSV: to view the report as a CSV (comma-separated values) file.
Step 3
Click the View Report button.
Note
The Status column shows the percent completion of the report. You can view a partially-completed report, but it might not contain the data you require. The Status column updates when the page refreshes per the Page Refresh Rate setting on the Query/Reports > Batch Query page.
Note
In general, do not use the browser refresh or other browser navigation buttons with the MARS Appliance GUI.
Viewing Events in Real-time
The Real-time Event viewer is a query option on the local controller that permits you to view real-time events as follows:
•
View raw events as they stream to MARS before they are sessionized, with a maximum 5-second delay.
•
View a sessionized event stream—more delay is possible when there are many events in a session.
The real-time events display as a continuously scrolling screen. You can configure query criteria to filter what is displayed. Viewing raw events does not impede sessionization; all parsed raw events are still sessionized as in normal MARS operation.
The Real-time Event viewer can only display query-result formats that support ranking by time (Order/Rank field set to Time). These formats are the following:
•
Matched Incident Ranking
•
All Matching Sessions
•
All Matching Sessions, Custom Columns
•
All Matching Events
•
All Matching Event Raw Messages
•
NAT Connection Report
•
MAC Addresses Report
•
Unknown Event Report
•
Detailed NAC Report
Restrictions for Real-time Event Viewer
The Real-time Event Viewer is available only for Local Controllers.
Real-time event queries should be made only from the browser instance that was used to log in to MARS. A real-time query will not return reliable results if it is executed from a browser instance spawned from the original login instance (for example, a new browser window launched with Ctrl+N, File>New>New Window, or right-click {link on MARS GUI}>Open in New Window).
Multiple real-time queries can operate in multiple browser instances at the same time, but you must log in to MARS separately from each browser instance. MARS allocates 1 GB of shared buffer for incoming events per query instance. The following restrictions on simultaneous Real-time Event Viewer sessions apply to the specified models:
•
MARS 20R and 25R are limited to 1 Event Viewer
•
MARS 20 and 25 are limited to 2 Event Viewers
•
MARS 50 and 55 are limited to 3 Event Viewers
•
MARS 100, 100e, 200, 110, 110R, and 210 are limited to 5 Event Viewers
Invoke the Real-Time Event Viewer on a Local Controller
To invoke the real-time event viewer, complete the following steps:
Step 1
Navigate to the Query home page as shown in Figure 8-17.
Figure 8-17 Query Home Page
Step 2
Click Edit. The Query edit dialog appears, as shown in Figure 8-18.
Figure 8-18 Configuring Real-Time Event Viewer Query
Step 3
Perform the following substeps:
a.
From the Result Format dropdown list, select a format that can be ranked by time.
The formerly grayed-out Real Time radio button becomes clickable.
b.
Click the Real Time radio button, and select Raw events or Sessionized Events from the dropdown list.
Only All Matching Events and All Matching Events Raw Messages have the Raw events option.
•
All Matching Events with Raw events displays Event ID, Event Type, Source IP/Port, Destination IP/Port, Protocol, Time, and Reporting Device fields.
•
All Matching Events Raw Messages with Raw events displays Event ID, Event Type, Time, Reporting Device, and Raw Message fields.
•
A Result Format with the Sessionized Events option displays Event/Session/Incident ID, Event Type, Source IP/Port, Destination IP/Port, Protocol, Time, Reporting Device, Path/Mitigation, and Tune fields.
c.
Click Apply.
The Query Event Data screen appears with the Save as Report and Save as Rule buttons gray and inactive, as shown in Figure 8-19.
Figure 8-19 Real-Time Event Query to Submit
Step 4
Modify the parameters of the Query Event Data filter as you require and click Submit.
Note
The Operation, Rule, and Action parameters of the Query Event Data filter do not function for the real-time event viewer.
Real-time results begin to scroll up from the bottom of the page within 5 seconds, as shown in Figure 8-20. Real-time raw events are shown in this example.
Figure 8-20 View of Events in Real-Time
The Real-time event viewer display is governed by the following controls:
•
Scroll Speed—Select one of four scrolling rates.
•
Scroll Bar—Enables you to scroll up and down in the visible event list.
•
Pause button—Suspends the scrolling display.
•
Restart button—Restarts the display from the current time. This button appears when you pause the scrolling display.
•
Resume button—Restarts the display from the time when paused. This button appears when you pause the scrolling display.
•
Clear—Terminates the real-time query.
•
Number of Rows—Select the number of rows to be visible in the list. The range is 1-200.
•
Set Rows button—Sets the display to the number of rows entered in the Number of Rows field.
Note
Clicking Pause or Resume, or setting the Scroll Speed, are GUI actions that do not reset the MARS GUI timeout interval. These actions will not prevent the GUI from timing out.
Step 5
Click the active links within a real-time event record to view the related pop-up windows. For example, the Reporting Device Information pop-up window is shown in Figure 8-21.
Figure 8-21 Reporting Device Information Pop-up Window
Should errors occur during the display of events, a message box appears, as shown in Figure 8-22.
Figure 8-22 Real-time Event Viewer Error Message
Click OK to clear the message box, and restart the Real-time event viewer by clicking Submit.
Tip
To view the most recent real-time events, you can click Submit at any time, or Pause and Restart to reinitialize the Real-Time Event Viewer. The most recent events are always at the bottom of the output queue, and their freshness when you view them is limited by the number of events in the queue and the scroll speed of the display.
Reports
Using the Reports page, you can build repeatable queries, edit and delete current reports, run reports, and view reports in either HTML or CSV (comma separated value) format.
Reports can be configured to run automatically on a specified schedule (scheduled reports) or can be run manually like a query (on-demand reports). On-demand reports collect matching data stored in the MARS database for the specified report duration and then display the results. A scheduled report continually collects matching data from MARS memory and does not access the MARS database. A scheduled report begins to compile matching data from the time the report is created; it does not match data that is still in memory but was received before the report was created. Scheduled reports have better performance than on-demand reports because they avoid database operations.
Note
Because the data collection for scheduled reports starts when the report is created, a user-configured scheduled report may not return complete results if it is requesting data received by MARS before the scheduled report was created.
This section contains the following topics:
•
Global Controller Reports
•
Local Controller Reports
•
Report Type Views: Total vs. Peak vs. Recent
•
Report Charts and Graphs
•
Report Creation
•
Operations on Existing Reports
Global Controller Reports
Reports performed at the Global Controller level are similar to those on a Local Controller, but also include the Zone Collapsing parameter. You can run a report across one or more Local Controllers by specifying their zones. This enables a report at the Global Controller to select zone-specific objects.
When you submit a report from the Global Controller, the report request is sent to the Local Controllers monitored by that Global Controller. Each Local Controller generates the report and sends summary data back to the Global Controller, which merges the results at the global level. The merged report is sent to any recipients, as defined by the report definition on the Global Controller.
Local Controller Reports
Predefined System Reports are treated as global reports. The Global Controller receives report data once it is connected to the Local Controller. Previous report results (those generated before the Local Controller was managed) are not pushed up to the Global Controller. Thus, report views do not include information from before the Local Controller became active.
Report Type Views: Total vs. Peak vs. Recent
Whereas alerts provide up-to-the-minute views of high-priority incidents, reports aggregate sessions into different views. Reports correlate three factors:
•
Period of time—defines boundaries around the analyzed session data based on when it was recorded.
•
Query criteria—restrict the set of sessions that will be aggregated to that which matches your criteria. Criteria can include source address, destination address, network service, event, reported user, and reporting device.
•
View type—defines how to aggregate the matched data into a meaningful report view—one that matches the type of study in which you are interested.
Note
In each view type, you can refine the report criteria to filter out expected activity—the data you know about. You can filter this activity by refining the query criteria. These criteria should be tuned to a specific network. Reports can be valuable in detecting behaviors beyond the normal traffic flows of your network. You can determine the expected activities using reports that are not filtered and vetting those results against normal network use.
MARS provides three view types, each of which restricts the matched sessions to a user-defined limit of N. The following view types exist:
•
Total View. For each result type matching the query criteria, this view counts the occurrences of that result type that transpire during the specified time period. It presents the total count of the top N matched result types, ranked by number of sessions, as determined by which ones occurred most frequently over the period of time. You can use these reports to determine your network's condition relative to the studied sessions. For example, you can use this view to identify attacks that launched at frequent intervals. This view does not present spikes in network activity; it simply presents the top occurring result types.
Note
CSV. Generates the Total View but presents the report in the CSV format for processing by another tool or script. This option is intended for use with e-mail notifications where post-processing is required.
•
Peak View. Within MARS, all report result data is stored in 10-minute time slices. The Peak View studies each of the 10-minute time slices within the specified time period to determine which one contained the highest number of matched sessions for a specific result type. It also determines an additional nine peaks within the time period, where each peak identifies a unique result type relative to the other peaks.
Each peak value is charted relative to the other nine peaks. For each time slice containing a peak value, the Peak View lists the top N matched result types that occurred. It is possible to have multiple peaks within the same time slice, as it is the result type, not the time slice, that must be unique across peaks.
Note
To be detected within this view, the result type must peak above normal traffic. Therefore, you must tune the query data to filter out expected traffic.
Unlike the Total View, the Peak View does not focus on the overall top occurring results; instead, it identifies a high volume of traffic over a short time period. Its purpose is to detect temporary bursts of traffic on your network that overshadow normal traffic usage. These bursts identify possible issues, such as worm outbreaks.
•
Recent View. This view is similar to Total View; however, it identifies the top N result types that occurred within the past hour. It then plots all occurrences of those result types over the selected time period.
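As an added illustration of how the three view types rank the same session data differently, here is a small Python model of the Total, Peak, and Recent views over constructed sessions (this is not MARS code; the data, the 3-hour period, and the function names are assumptions, and the result type is taken to be the destination address, as in a Top Destinations report):

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SLICE_MINUTES = 10  # MARS stores report result data in 10-minute time slices

# Constructed sample data (not MARS output): (timestamp, result type) pairs.
# 10.0.0.5 is steady background traffic, 10.0.0.9 is a single 10-minute burst,
# and 10.0.0.7 appears only within the last hour of the period.
T0 = datetime(2024, 1, 1, 0, 0)
PERIOD = (T0, T0 + timedelta(hours=3))
BURST = T0 + timedelta(minutes=60)
SESSIONS = (
    [(T0 + timedelta(minutes=m), "10.0.0.5") for m in range(0, 180, 2)]  # 90 sessions
    + [(BURST + timedelta(minutes=m), "10.0.0.9") for m in range(10)]    # 10 sessions
    + [(T0 + timedelta(minutes=m), "10.0.0.7") for m in (170, 175)]      # 2 sessions
)


def slice_start(ts):
    """Floor a timestamp to the start of its 10-minute slice."""
    return ts.replace(second=0, microsecond=0) - timedelta(minutes=ts.minute % SLICE_MINUTES)


def in_period(ts, start, end):
    return start <= ts < end


def total_view(sessions, start, end, n):
    """Total View: top N result types by session count over the whole period."""
    counts = Counter(r for ts, r in sessions if in_period(ts, start, end))
    return counts.most_common(n)


def peak_view(sessions, start, end, n, peaks=10):
    """Peak View: for each result type find its busiest slice, keep up to `peaks`
    result types ranked by that peak count (peaks are distinct result types, so
    several may share one slice), and for each peak's slice list the top N
    result types seen in that slice."""
    per_slice = defaultdict(Counter)
    for ts, r in sessions:
        if in_period(ts, start, end):
            per_slice[slice_start(ts)][r] += 1
    best = {}  # result type -> (peak count, slice start)
    for s in sorted(per_slice):
        for r, c in per_slice[s].items():
            if r not in best or c > best[r][0]:
                best[r] = (c, s)
    ranked = sorted(best.items(), key=lambda kv: (-kv[1][0], kv[0]))[:peaks]
    return [(r, c, s, per_slice[s].most_common(n)) for r, (c, s) in ranked]


def recent_view(sessions, start, end, n):
    """Recent View: top N result types in the hour before `end`, then every
    occurrence of those types over the whole period, bucketed by slice."""
    last_hour = end - timedelta(hours=1)
    recent = Counter(r for ts, r in sessions if in_period(ts, last_hour, end))
    top = [r for r, _ in recent.most_common(n)]
    series = {r: Counter() for r in top}
    for ts, r in sessions:
        if r in series and in_period(ts, start, end):
            series[r][slice_start(ts)] += 1
    return top, series


if __name__ == "__main__":
    print("Total :", total_view(SESSIONS, *PERIOD, 2))
    for r, c, s, top in peak_view(SESSIONS, *PERIOD, 2):
        print(f"Peak  : {r} peaked at {c} in slice {s:%H:%M}; slice top-2 {top}")
    print("Recent:", recent_view(SESSIONS, *PERIOD, 2)[0])
```

The burst host ranks first in the Peak View but only second in the Total View, which is the distinction the text draws; the Recent View picks up the host seen only in the last hour and ignores the burst entirely.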
Report Charts and Graphs
The three types of charts are:
•
Bar Chart. Summary of the top sessions and the count.
•
Pie Chart.
•
Graphs: Events/Time.
Note
Peak values in the past are not displayed unless they fall into the current top ten results. Also, not every item in a particular time slice's top ten is charted.
Note
The charts presented as part of reports highlight up to the 10 most significant items. In cases where fewer than 10 items are significant, the
Report Creation
You can create a report through the Query page, or you can create a report from scratch on the Reports page. This section details creating Local Controller and Global Controller reports from the Reports page, but is applicable to editing reports and to creating reports from the Query page.
This section contains the following topics:
•
Create a New Local Controller Report
•
Create a New Global Controller Report
Create a New Local Controller Report
Step 1
On the Reports page, click Add.
Step 2
In the Report Name and Report Description fields, enter a report name and description. Click Next.
Step 3
Select the schedule parameters for the report.
Step 4
Select a View Type for the report. You can receive these reports in your email or view them in the UI. Your choices are: Total View, Peak View, Recent View, and CSV (see Report Type Views: Total vs. Peak vs. Recent). Click the Next button.
Step 5
Select users in the Recipients Available field by expanding the user groups, clicking users or user groups, and clicking the Add button. See Green-field, Multi-box Deployment, page 1-6 for more information.
Step 6
Repeat, as required, for other users. Click the Next button.
Step 7
Build or modify the query. To edit the query time range, either click the Report type link or click the Edit button. See Result Format for information on query parameters; see Query Criteria Descriptions for more information on building queries. Click Apply to save your changes; click Next when the query is complete.
Step 8
Click Submit to save your report.
Create a New Global Controller Report
Step 1
On the Reports page, click Add.
Step 2
In the Report Name and Report Description fields, enter a report name and description. Click Next.
Step 3
Select the schedule parameters for the report.
Step 4
Select a format for the report's output. Under View Type and Zone Collapsing, select one of the following:
•
Total View/Sum Zones—This view displays the summed total of the top N results over the specified time range.
•
Total View/List Zones—This view displays the total, grouped by zone, of the top N results over the specified time range.
•
Peak View/Sum Zones—This view finds the top ten largest results in the time range, and displays the top ten results for the times when those peaks occurred.
•
Peak View/List Zones—This view finds the top ten largest results in the time range, groups them by zone, and displays the top ten results for the times when those peaks occurred.
•
Recent View/Sum Zones—This view finds the top N results from the past hour, and displays them versus their summed totals over the specified time range.
•
Recent View/List Zones—This view finds the top N results from the past hour, groups them by zone, and displays them versus their summed totals over the specified time range.
•
CSV/Sum Zones—This view displays the summed total of the top N results as a comma-separated values file. (See Report Type Views: Total vs. Peak vs. Recent).
•
CSV/List Zones—This view displays the summed total of the top N results, grouped by zone, as a comma-separated values file. (See Report Type Views: Total vs. Peak vs. Recent).
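The Sum Zones and List Zones options differ only in when the ranking is applied, as this added example over constructed per-zone summaries shows (not MARS code; the summary format, zone names, and function names are assumptions). It also emits the CSV form of each:

```python
import csv
import io
from collections import Counter

# Constructed per-zone summaries (not real MARS data): the session counts each
# Local Controller returns for the report's time range, keyed by result type.
ZONE_SUMMARIES = {
    "zone-east": Counter({"10.0.0.5": 40, "10.0.0.9": 30, "10.0.0.7": 5}),
    "zone-west": Counter({"10.0.0.9": 35, "10.0.0.3": 25, "10.0.0.5": 10}),
}


def sum_zones(summaries, n):
    """Sum Zones: add the counts from every zone, then take the top N overall."""
    merged = Counter()
    for counts in summaries.values():
        merged.update(counts)
    return merged.most_common(n)


def list_zones(summaries, n):
    """List Zones: take the top N within each zone and keep the zone grouping."""
    return {zone: counts.most_common(n) for zone, counts in summaries.items()}


def csv_report(summaries, n, collapse="sum"):
    """CSV/Sum Zones or CSV/List Zones: the same ranking emitted as CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    if collapse == "sum":
        writer.writerow(["result", "sessions"])
        writer.writerows(sum_zones(summaries, n))
    else:
        writer.writerow(["zone", "result", "sessions"])
        for zone, rows in list_zones(summaries, n).items():
            writer.writerows([zone, result, count] for result, count in rows)
    return buf.getvalue()


if __name__ == "__main__":
    # 10.0.0.3 is in zone-west's top 2 but drops out of the summed top 2,
    # while 10.0.0.5 is only third in zone-west yet second overall.
    print(csv_report(ZONE_SUMMARIES, 2, "sum"))
    print(csv_report(ZONE_SUMMARIES, 2, "list"))
```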
Step 5
Click Next.
Step 6
Select users in the Recipients Available field by expanding the user groups, clicking users or user groups, and then clicking Add. See Green-field, Multi-box Deployment, page 1-6 for more information.
Step 7
Repeat Step 6 for other users.
Step 8
Click Next.
Step 9
Build or modify the query. To edit the query time range, either click the Report type link or click Edit.
Step 10
Click Apply to save your changes; click Next when the query is complete.
Step 11
Click Submit to save your report.
Operations on Existing Reports
This section details operations you perform on existing reports.
This section contains the following topics:
•
View a Report
•
Run a Report
•
Delete a Report
•
Edit a Report
•
Duplicate a Report
View a Report
You can use this procedure to view the results of regularly scheduled reports.
Step 1
Click the radio button next to the report.
Step 2
From the drop-down list on the bottom of the page, select either:
•
View HTML: to view the report as an HTML file.
•
View CSV: to view the report as a CSV file.
Step 3
Click the View Report button.
Note
If you chose to view the report as a CSV file, you need to save the file to your computer and open the CSV file in a third-party application.
Run a Report
You can use this procedure to override the defined schedule and cause a report to run immediately.
Step 1
Click the radio button next to the report.
Step 2
Click the Resubmit button.
Note
Due to caching issues, reports with a time range of less than one hour are not recommended.
Tip
To see the results, click View Report.
Delete a Report
Step 1
Click the radio button next to the report.
Step 2
Click the Delete button to delete the report.
Step 3
On the Delete Confirmation page, click Delete.
Edit a Report
You cannot edit system-generated reports. Editing report criteria is intended for minor adjustments to a previously generated report.
Note
See the Duplicate a Report procedure for a method to clone and then edit an existing report.
Step 1
Click the radio button next to the report.
Step 2
Click the Edit button to edit the report.
Step 3
Navigate using the Previous and Next buttons, or by clicking the report criteria.
Figure 8-23 Navigating to the Recipients column by clicking its criteria
Step 4
Edit the report, and click the Apply button to apply changes to the report.
Step 5
Click the Submit button to finalize the report.
Note
Changing a report's query criteria does not regenerate the result; the edited criteria are applied to the previously generated report. In some situations, such as filtering out a specific source IP, you should create a new report instead.
Note
Email notification of a globally generated report is sent from the Global Controller, not from the Local Controller.
Duplicate a Report
You can duplicate or "clone" any report as a template for a new report. After you have duplicated and saved an existing report specification, you can edit the new report's specification as you require. Often, this approach is a more effective way to establish a new report than building it from scratch.
Step 1
Click the radio button next to the report.
Step 2
Click Duplicate to duplicate the report.
The duplicated report appears in the list of reports, with "copied: [yy.mm.dd/hh.mm/ss]" appended to the report name.
Step 3
Edit and save (or run) the report, as required. (See Edit a Report for details.)