Maintain and Monitor Cisco Cyber Vision

Monitored presets

To monitor your network using Cisco Cyber Vision Center, you must set up monitored presets. A monitored preset is any preset that is monitored against a baseline.

To view the presets in your Center, from the main menu, choose Explore. Click a preset to view the network data that matches the preset definition. You can also export the data as a PDF file.

Presets

A preset is a customizable view that allow you to focus on specific subsets of network data. A preset filters network data based on defined criteria and gives you a focused view of an organizational network for quick, meaningful analysis.

The parameters that you can configure for a preset include:

  • Time

  • Risk score range

  • Networks, by IP subnets or VLAN IDs

  • Device tags

  • Activity tags

  • Groups

  • Sensors

Baseline

A baseline is a snapshot of a preset. It is the reference point against which network behavior is periodically compared to detect network deviations or anomalies by identifying changes such as new devices, altered communications, or unusual activities that may indicate security issues or operational problems.

Multiple baselines for a preset

You can create multiple baselines for a preset to monitor in various known states of your network.

For example, network activity baselines may differ for weekdays and weekends. Create two baselines for these scenarios, and activate the baseline that would be an accurate monitor for your network on any given day.

To activate one of multiple baselines for a monitored preset, see Configure monitored presets

Default presets

Some presets categories are available by default. You can make changes to the default presets and save the modified settings as new copies, but you cannot modify the default presets.

Table 1. Default presets available in Cisco Cyber Vision Center

Preset category

Presets available

Basics

  • All data

  • Essential data

  • Active Discovery activities

Asset management

  • OT devices

  • IT devices

  • IT infrastructure devices

  • All Microsoft Windows systems

  • All controllers

Control systems management

  • OT activities

  • Control system activities

  • Process control activities

IT communication management

  • IT activities

  • Web activities

  • Email activities

  • File activities

  • Microsoft activities

Security

  • DNS activities

  • Remote procedure call activities

  • Remote access

  • Insecure activities

  • Encrypted activities

  • Authentication activities

Network management

  • IT infrastructure activities

  • IT technical activities

  • IPv6 communications

  • Multicast traffic only

  • Broadcast traffic only

Create categories

The Explore page contains many default categories, including one named My preset in which you can place any preset that you create. You can create more categories to better organize your presets.

Procedure

Step 1

From the main menu, choose Explore.

Step 2

Click New Category.

Step 3

Enter a name for the category.

Step 4

(Optional) Select the presets you want to place in this category.

Step 5

Click Create.

What to do next

After you create a category, you can add a preset to the category at any time. To add a preset to a category:

  1. Click the edit button for the category.

  2. In the Presets field, select the preset you want to add to the category.

Create presets

Procedure

Step 1

From the main menu, choose Explore.

Step 2

Click New Preset.

Step 3

To create a preset:

  1. Enter a name for the preset.

  2. (Optional) Enter a description for the preset.

  3. Choose a category to place your preset in.

  4. Click Create.

Step 4

Select the newly created preset from the Explore page.

Step 5

In the left pane, define each criteria category. For each criteria parameter:

  • Click the check box once to include the parameter
  • Click the check box twice to exclude the parameter

Step 6

Click Save.

What to do next

After you create a preset, you can edit it at any time and update any criteria setting. These criteria settings management options are also available to you in the Criteria section of a preset:

  • Select all: Include all the criteria parameters available in your Center.

  • Reject all: Exclude all the criteria parameters available in your Center.

  • Default: Reset all the selections such that no parameter is included or excluded.

Create baselines

Procedure

Step 1

From the main menu, choose Explore.

Step 2

To create a baseline, you can create a baseline from a preset icon () from two paths:

  • The preset dashlet listed on the Explore page.
  • The preset details page that is displayed when you click a preset dashlet.

Step 3

Enter a name and description for the preset.

Step 4

Click Create.

To view the newly created baseline, from the main menu, choose Monitor. All the baselines that are available in your Center are displayed in this page, categorized by the preset for which they were created.

Configure monitored presets

Before you begin

A monitored preset is a preset with a baseline. See Create baselines.

In this task, you:

  • Define the interval for checking the network against a monitored preset

  • Choose the type of event differences you want to view alerts for

Any differences in the selected baseline and the current network status result in alerts that can review and acknowledge.

Procedure

Step 1

From the main menu, choose Monitor.

Step 2

For the monitored presets you want to configure, click the vertical ellipsis icon and choose Monitored preset settings.

Step 3

For the monitored preset:

  1. Enter a monitoring interval, in seconds.

  2. If you have created more than one baseline for the preset, in the Monitored baseline field, choose the preset you want to activate.

  3. In the Events severity section, choose the severity level for the alerts generated for each event type.

  4. In the Advanced settings section, choose the component, property, and activity differences for which you want to view alerts.

  5. Click OK.

Manage monitored preset differences

This task guides you through acknowledging or reporting a single difference entry.

  • To mark a reported event as normal for the network, acknowledge the entry.

  • To identify a reported event as an anomaly and create an event in Cisco Cyber Vision Center, report the entry.

After you select a baseline in the Monitor page, you have two bulk management options:

  • To acknowledge all differences across the components and activities, click the blue tick icon in the left pane

  • To acknowledge or report multiple, specific differences in the components or activities listings, select the entries and click Acknowledge Selection or Report Selection.

Procedure

Step 1

From the main menu, choose Monitor.

Step 2

In the What changed area, for a monitored preset, click the baseline you want to examine.

Step 3

You can view the differences reported based on:

  • New components
  • New activities

Step 4

To view the communication flows that may have caused the reported difference, click Investigate with flows.

Step 5

In the components list, click an entry to view the details. You can choose from four options:

Action Definition
Acknowledge Component You can enter a message explaining your choice for reference. You have two acknowledgement options:

  • Acknowledge and include: Retain this alert and receive new alerts if something new happens with this component or activity.

  • Acknowledge and keep warning: Delete this alert and receive new alerts if the same event repeats.

Ack. with related activities

You can enter a message explaining your choice for reference.

Click Acknowledge and include to retain the alert and receive alerts for any new events for the component and its activities.

Report component You must enter a message explaining your choice for reference. You continue to receive alerts if the anomaly is detected again.

Click Report component to create an event report for this anomaly.

Show details View device tags and properties.

Step 6

In the activities list, click an entry to view the details. You can choose from three options:

Action Definition
Acknowledge activity Acknowledge the reported event as normal for the network. You can enter a message explaining your choice for reference. Two acknowledgement options are available to you:

  • Acknowledge and include: Retain this alert and receive alerts if something new happens with this component or activity.

  • Acknowledge and keep warning: Delete this alert and receive a new alert if the same event repeats.

Report activity You must enter a message explaining your choice for reference. You continue to receive alerts if the anomaly is detected again.

Click Report activity to create an event report for this anomaly.

Show details View activity tags and variables.

Center Shutdown/Reboot

You can trigger a safe shutdown and reboot of the Center.

Use Reboot to fix a minor bug, such as a system overload.

To access the Center shutdown/reboot page, choose Admin > System from the main menu.

Upgrade with a Combined Update File

Version releases include a Cisco Cyber Vision Manual Update Center update file. To access this file, choose Admin > System from the main menu.


Important
Rolling back to an older Cisco Cyber Version version is not supported.

Requirements

  • A combined update to retrieve from cisco.com.

Use the SHA512 checksum provided by Cisco to verify that the file you just downloaded is healthy.

Windows users:

Procedure

Step 1

Retrieve the Cisco Cyber Vision combined update from cisco.com.

Step 2

Open a shell prompt such as Windows Powershell and use the following command to retrieve the file checksum:

Get-FileHash .\CiscoCyberVision-<TYPE>-<VERSION>.<EXT> -Algorithm SHA512 | Format-List

Step 3

In cisco.com, hover over the file and copy the SHA512 checksum.

Step 4

Compare both checksums.

  • If both checksums are identical, the file is healthy.

  • If the checksums do not match, download the file again.

  • If the checksums still don’t match, please contact Cisco support.

To update the Center and all applicable sensors:

Step 5

Log in to Cisco Cyber Vision.

Step 6

From the main meu, choose Admin > System.

Step 7

Click System update.

Step 8

Select the update file CiscoCyberVision-update-combined-<VERSION>.dat

Step 9

Confirm the update.

As the Center and sensors update, a holding page appears. When done, click Center Reboot. You will be logged out.

Step 10

Log in.

If sensors were offline when the update occurred, repeat the procedure until all sensors update.

Syslog configurations

A syslog configuration is a network logging setup that

  • forwards Cyber Vision events and alerts to an external syslog server,

  • enables integration with Security Information and Event Management (SIEM) platforms, and

  • supports Common Event Format (CEF) for standardized message structure.

Table 2. Feature History Table

Feature

Release Information

Feature Description

Non-CEF syslogs support removed

Release 5.3.x

You can no longer use non-CEF syslog formats with Cyber Vision Center.

When you upgrade to Cisco Cyber Vision Center Release 5.3.x, any existing syslog connections that use non-CEF formats are automatically updated to CEF formats.

Configure syslog

Enable forwarding of Cyber Vision events and alerts to an external syslog server to integrate with a Security Information and Event Management (SIEM) system.

To configure syslog, follow these steps:

Before you begin

  • Ensure you have administrator access to Cyber Vision Center.

  • Confirm that the external syslog server is accessible. Obtain the host IP address, port, and the required protocol.

  • If secure communication is required, ensure you have the P12 certificate from your SIEM administrator.

  • Recent syslog format changes:

    • Standard and RFC3164 formats are deprecated.

    • Standard/CEF is now named CEF.

    • RFC3164/CEF is now named CEF Extended Time Precision.


    Note

    If the deployment had Standard or RFC3164 formats configured, version 5.3.x setup migrates the configuration to CEF.

Procedure

Step 1

From the main menu, choose Admin > System.

Step 2

Click Configure in the Syslog configuration menu.

Step 3

Select Protocol.

Note

 

If secure communication is required, select TCP + TLS and import the P12 certificate.

Step 4

Enter the syslog server Host IP address and Port that are accessible from Cyber Vision Center.

Step 5

Select the required Format.

  • CEF: This format, based on the Common Event Format (CEF) standard, sends events with second-precision timestamps.

  • CEF Extended Time Precision: This format, based on the Common Event Format (CEF) and an extended syslog header, sends events with millisecond-precision timestamps.

Step 6

Save the configuration.

Cyber Vision Center sends events from the Classic UI to syslog with 'Version Number = 1.0.' It sends alerts from the New UI to syslog with 'Version Number = 2.0.

What to do next

To configure notifications for specific alert types, see Enable or disable syslog notifications for alert types

To export events using syslog, see "Configure event export to syslog (Classic UI)" in the "Cisco Cyber Vision Syslog Notification Format Configuration Guide".

Import/Export

Use the System interface to import and export the Cisco Cyber Vision database. To access the Import/Export page, choose Admin > System from the main menu.

Regularly export the database to back up the industrial network data on Cisco Cyber Vision or if you need to transfer the database to a different Center.

Exports database file limitation is up to 2 GB of data. This avoids side effects related to slow database exports. If the database is larger than 2 GB, you get an error message. In this case, connect to the Center using SSH and perform a data dump. Use the command: sbs-db dump.

Network data, events, and users are retained, as well as all customizations (e.g., groups, component names).

Only configurations created in Cisco Cyber Vision's GUI persist. If you change Center, perform a basic configuration of the Center and then configure Cisco Cyber Vision again. Refer to the corresponding Center Installation Guide.


Note
The Import process may take one hour for big databases. Refresh the page to check that the import remains active (i.e., no error message).

Knowledge DB

Cisco Cyber Vision uses an internal database which contains a list of recognized vulnerabilities, icons, and threats.


Important
To remain protected against vulnerabilities, always update the Knowledge DB in Cisco Cyber Vision as soon as possible after notification of a new version.

To update the Knowledge DB:

Procedure

Step 1

Download the latest.db file available from cisco.com.

Step 2

From the main menu, choose Admin > System.

Step 3

Click Import a Knowledge DB under the Knowledge DB field.

Step 4

Select the file and click Open to upload the file.

Importing the new database rematches your existing components against any new vulnerabilities and updates the network data.

Certificate fingerprint

A certificate fingerprint is a unique identifier that

  • verifies the authenticity of a Center digital certificate in Cyber Vision,

  • enables secure enrollment and communication between Global Centers and synchronized Centers, and

  • must be updated after certificate renewal to maintain trusted connectivity.

A Center fingerprint can be retrieved in Cyber Vision from Admin > System in the main menu. Select the copy icon to save the fingerprint. Paste the fingerprint during enrollment or when updating after certificate renewal.

Additional reference information

After renewal (certificates expire every two years), update all enrolled Centers with the new fingerprint. This updates their enrollment status to "Enrolled" and their connectivity status to "Connected".

For more information, see the Centers Installation Guides.

Example

If you renew a certificate for a Global Center, you must copy the new fingerprint from the Global Center and update it in all synchronized Centers to maintain secure communication.

Cisco Cyber Vision Telemetry

Telemetry monitors your system to provide anonymous diagnostics and usage data, helps us to understand and enhance product usage. Cisco Cyber Vision telemetry data communication occurs as HTTPS traffic through Port 443 with https://connectdna.cisco.com/.

Telemetry is enabled by default. To disable this feature, follow these steps:

Procedure

Step 1

From the main menu, choose Admin > System.

Step 2

To disable telemetry, click the ON toggle button under the Telemetry Collection field.

The switch turns OFF.

Reset to Factory Defaults

Only use Reset to Factory Defaults as a last resort, after all other troubleshooting attempts fail. Get help from product support.

To access the Reset, choose Admin > System from the main menu.

A Reset to Factory Defaults deletes the following:

  • Some Center configuration data elements.

  • The GUI configuration (such as user accounts, the setup of event severities, etc.).

  • Data collected by the sensors.

  • The configuration of all known sensors (such as IP addresses, capture modes, etc.).

Root password, certificates and configurations from the Basic Center configuration persist.

After a Reset to Factory Defaults occurs, the GUI refreshes with the installation wizard. See the corresponding Center Installation Guide.

Snort

A Snort instance is a network intrusion detection system (NIDS) that

  • analyzes network traffic for malicious activity using a rule matching engine,

  • applies a set of rules that characterize potentially harmful network activity, and

  • integrates with Cisco Cyber Vision to provide real-time intrusion detection alerts and management.

Table 3. Feature History Table

Feature

Release Information

Feature Description

Enable or disable Snort on a Center DPI interface

Release 5.3.x

You can enable or disable Snort IDS or IPS on a Cisco Cyber Vision Center DPI interface. Previously, Snort was always enabled by default and could not be changed.

Additional reference information

  • Cisco Cyber Vision can run the Snort engine on the Center and compatible sensors. The Center manages rule configuration and distribution. It also intercepts alerts for display in the GUI.

  • Snort is disabled by default on sensors. To enable it, activate features of the Intrusion Detection System (IDS). See Enable IDS on a sensor.

  • On the Center’s Deep Packet Inspection (DPI), Snort is enabled by default.

  • Snort is available on the following Cisco devices:

    • Cisco IC3000 Industrial Compute Gateway

    • Cisco Catalyst 9300 Series Switches

    • Cisco IR8340 Integrated Services Router Rugged

    • It is also available by default on the Center DPI.

Snort rulesets and rule categories

The Snort rules are organized into two main rulesets: the Community ruleset and the Subscriber ruleset.

Community ruleset

  • Distributed freely and certified by Talos, including rules contributed by the open source community and integrators.

  • Represents a subset of the full ruleset available to subscribers.

  • Does not include the most recent Snort rules and does not guarantee coverage against the latest threats.

Subscriber ruleset

  • Contains all rules released by the Talos Security Intelligence and Research Team.

  • Provides rapid access to the newest rules and early coverage of exploits and vulnerabilities.

  • Remains aligned with ongoing Talos research for maximum detection capability.

  • Requires Advantage licensing and an IDS sensor license for each enabled sensor.

Snort rules are organized into categories, each targeting a specific threat type or platform.

Table 4. Rule categories

Category

Description

Browser

Detects vulnerabilities in major browsers (e.g., Chrome, Firefox, Internet Explorer) and browser plugins such as ActiveX.

Deleted

Contains deprecated or replaced rules.

Experimental–DoS

Rules targeting Denial of Service (DoS) activities such as TCP SYN flooding or DNS/HTTP flooding.

Experimental–Scada

Detects attacks on industrial control system assets.

Exploit–Kit

Tailored to identify exploit kit activities.

File

Addresses vulnerabilities in various file types (executables, Microsoft Office, images, Java, PDF, etc.).

Malware–Backdoor

Identifies traffic to known backdoor command channels.

Malware–CNC

Detects botnet command and control activity (call home, data exfiltration, download of dropped files).

Malware–Other

Covers other malicious tools or miscellaneous malware activity.

Misc

Rules address protocol-specific threats, policy violations such as spam and unwanted applications, and indicators not categorized elsewhere.

OS–Other

Looks for vulnerabilities in various operating systems (Linux, mobile OS, Solaris, etc.).

OS–Windows

Targets vulnerabilities in Windows operating systems.

Server–Other

Deals with vulnerabilities in multiple server types (web servers, database servers, mail servers, etc.).

Server–Webapp

Pertains to attacks against server-based web applications.

Snort rules management features

The Snort rules management system in Cisco Cyber Vision Center includes these features:

Table 5. Snort rules management

Feature

Description

Snort community rules

Snort community rules are set by default in the Cyber Vision Center.

Subscriber rules

Click Use Subscriber Rules from the Admin > Snort page to enable snort subscriber rules (requires Advantage and intrusion detection system (IDS) sensor licenses).

Category-based management

Enable or disable entire rule categories via the GUI.

Direct rule file download

Download rule files per category from the interface.

Individual rule control

Enable or disable specific rules within categories, independent of category status.

In the downloaded rule files, locate the rule and get the sid (signature id). Go to Admin > Snort and enter it in the Rule sid and click Disable or Enable.

Custom rule import

Import and manage user-created rules via the IMPORT CUSTOM RULES FILE function from the Admin > Snort page.

Rule synchronization

Apply synchronized rule sets to sensors using the Synchronize rules on sensors feature from the Admin > Snort page.

Reset to default

Click RESET TO DEFAULT from the Admin > Snort page to restore the entire rule configuration to factory defaults and remove all custom rule files.

Enable IDS on a sensor

Enable Intrusion Detection System (IDS) on a compatible Cisco sensor to activate Snort-based intrusion detection.

Use this task to activate Snort’s intrusion detection capabilities on a supported Cisco sensor for network security monitoring.

Before you begin

Ensure your sensor is one of these compatible devices:

  • Cisco IC3000 Industrial Compute Gateway

  • Cisco Catalyst 9300 Series Switch

  • Cisco IR8340 Integrated Services Router Rugged

  • Center DPI Interface

Procedure

Step 1

From the main menu, choose Admin > Sensors > Sensor Explorer.

Step 2

Select the sensor you want to enable IDS on.

Step 3

Click Enable IDS.

IDS is now active on the selected sensor. Snort will now monitor network traffic for threats.

What to do next

If required, you can disable Snort’s intrusion detection capabilities. To do this, select the sensor and click Disable IDS.

Risk Score

The Risk score page allows you to set up the time range used for risk score computation. To access the Risk score page, choose Admin > Risk score from the main menu. Computation occurs every hour but considers only the activities within the configured time period.

You can select a time range of 30 days (by default), 7 days, or set a custom one with a minimum of one day

For more information about risk scores, see the Risk Score Concept.

Extensions

From this page, you can manage Cisco Cyber Vision extensions. Extensions are optional add-ons to the Center which provide more features, such as the management of new device types, additional detection engines, or integrations with external services. To access the Extensions page, choose Admin > Extensions from the main menu.

Currently, there are two extensions available:

  • Cyber Vision sensor management

    For more information about this extension and how to use it, see the Sensors.

  • Cyber Vision Reports Management

    For more information about this extension and how to use it, see the Reports.

To install an extension, retrieve the extension file on cisco.com and click Import a new extension file to import.