The dashboard is the view by default when opening a preset. It gives you an overview of the preset's global risk score, number of devices, activities, vulnerabilities, events, variables and credentials.

The dashboard is also a tag-oriented view. It's an overview of all tags found -independently of the ones set as criteria- with the number of devices and activities found per tag.

Example: For the purpose of the whole example given below, we access the All data preset, select the Controller tag as criteria (under Device - Level 2), and save the selection as "Example: Controller tag".

Devices per tag: The number in brackets indicates there are 7 devices tagged as Controller (1). On the dashboard, you see this result accordingly (2). One device is tagged as Web Server (3). This means that one of the Controller is a Web Server. Following this logic, we can say that five of the Controllers are Rockwell Automation devices.

If you want to know more about one of these devices, switch to the device list view and reach them using the filter available in the tags column.

Activities per tag: As for activities, there is no activity tags set as criteria in the example below (4). Yet, you can see that many activities have been found (5). This is because the dashboard view collects all activities involved with the Controller devices found.

If you want to know more about one of these activities, switch to the activity list view and reach them using the filter available in the tags column.

The device and activity lists are two specialized and oriented views. Even though they are legated and share a large number of data, devices and activities are split in two different views to facilitate comprehension and visualization of data.

These views provide general information and advanced technical data about each element found in the preset. Check at the differences between the device and activity views.

The All Controllers preset in the device list view:

The All Controllers preset in the activity list view:

Lists are meant to perform an in-depth exploration of the network. Using this type of view is especially convenient when searching for a very specific data. To do so, different filters are available inside the lists to sort data:

• The sort icon (1) is to sort data by alphabetical order or by ascending/descending order.

• The filter icon (2) opens a field to type a specific data in, or a multiple choice menu (3) to filter tags.

Clicking an element in the lists opens its right side panel which leads to more advanced data.

The Map is a visual representation of data of the industrial network that gives you a broad insight on how devices and components are interconnected. It's a good input to get to know how the network is structured. You can start organizing components in a way that makes sense to you by creating groups.

Maps display devices, components and activities according to criteria set in a preset. Grayed out devices and components are displayed because, even if they don't correspond to the preset's criteria, they are necessary to represent the activities of the preset.

Note

The map is self-organizing, that is, elements are redistributed as devices, components, conduits and activities appear or disappear, and as groups are created or deleted. Moreover, the map automatically adapts over time and when changing preset. This way, it is guaranteed that the map is always well organized and components never overlap.

By default, activities between groups are merged and displayed as conduits (A). You can tick the option "Show network activities" to see activities, which gives a more detailed view (B). Elements are here also automatically reorganized in the map to enhance visibility.

The vulnerability dashboard gives you a visual representation and a list of the vulnerabilities detected within a preset.

Important

It is important to update the Knowledge DB in Cisco Cyber Vision as soon as possible after notification of a new version to be protected against vulnerabilities.

The pie chart presents the 10 most matched vulnerabilities within the preset, that is, the vulnerabilities that have affected more devices. You can click the number of devices detected to see the devices affected.

On the right, you'll see a summary of the total number of devices that are vulnerable in the preset selected.

Below, you have a list of all the vulnerabilities found in the preset with sort icons to sort data by alphabetical order or by ascending/descending order, and filter icons which opens a field to type a specific data.

For each vulnerability, the following data are displayed in columns:

• The vulnerability name

• Its CVE ID (world unique identifier for a Common Vulnerability Exposure)

• Its CVSS score (Common Vulnerability Scoring System)

• The devices affected by the vulnerability

Clicking an element in the lists opens its right side panel which leads to more details about the vulnerability, including its link to the National Vulnerability Database.

Security Insights is a view that provides statistics for DNS requests, HTTP requests, SMB Tree names and flows with no tag.

For each category, you will find the most frequent and rarest requests, and the list of all these requests.

Flows with no tag:

In this category, you will find a list of all flows with no tags, that is, traffic that Cisco Cyber Vision wasn't able to analyze. The reason can be that the protocol is not supported by Cisco Cyber Vision yet. However, this list is interesting from a security standpoint to make sure if such content is really supposed to be on the network and search why it cannot be inspected. A good starting point is to check flows with higher number of packets.

This map displays the assets of a preset according to the Purdue model architecture. Components are distributed among the layers by considering their tags. The Purdue Model view doesn't undergo any aggregation and is self-organizing.

Assets of the preset All Controllers distributed among the layers of the Purdue model:

Components are distributed according to the different layers of the Purdue model:

• Level 0-1: Process and basic control (IO Modules).

• Level 2: Area supervisory control (PLCs, SCADA stations).

• Level 3-4: Manufacturing zone and DMZ (all others).

A technical sheet is an interactive and complete view of all information related to a device, a component, an activity or a flow. The views differ depending on the type of element consulted.

A device's technical sheet:

A technical sheet is composed of a top bar and of a list of tabs. The higher part (1) recaps the information found in the right side panel. The rectangular buttons on the right redirect to the corresponding information inside the technical sheet. In a device or a component's technical sheet, you can also edit the element's name, add/remove it to/from a group and add custom properties.

The lower part (2) contains detailed information classified under tabs, displaying or not according to the element you're on:

• Basics contains an element's properties and tags that are categorized with their definition. Device's components also appear if applicable.

• Risk score with an overview and a more detailed and focused views.

• Security contains a component's vulnerabilities you can acknowledge and credentials.

• Activity is about an activity's flows and contains a Mini Map which is a view that is restricted to a device or a component and its activities.

• Automation contains variable accesses.

You can access technical sheets through a device, component or an activity's right side panel, clicking the technical sheet button. A flow's technical sheet is visible when clicking on a particular flow.

• More information about properties.

• More information about tags.

• More information about the risk score.

• More information about vulnerabilities.

• More information about credentials.

• More information about flows.

• More information about the Mini Map.

• More information about variables accesses.

Acknowledge in the Monitor mode

"Acknowledge" is an action to be used to indicate that determined behaviors -or differences- are safe and normal. In fact, by doing this action, the difference will be included in the baseline. You can acknowledge differences on any element of the Monitor mode: tags, properties, variable accesses, components, activities and baselines.

Acknowledge a component or an activity

Acknowledge will display as such if the behavior is notified as changed. However, if the behavior concerning a component or an activity is notified as new, an additional action is required when clicking the button "Acknowledge" because a distinction has to be made according to whether the behavior in question is exceptional or part of an iterative process.

• Acknowledge & Include

  This action is to be used for a behavior which is part of a normal process and is meant to happen regularly over time. By using this button, the behavior will be included into the current baseline. If later the component or the activity changes -because for example a new tag has been detected on them- you will be alerted through the Monitor mode: it will turn to "changed" and appear hyphenated and red. This action is useful to refine a baseline as it evolves over time.

  Ex: You can perform this action on a new machine installed in the network, or a new activity due to a new supported protocol.

• Acknowledge & Keep Warning

  This action is to be used when a behavior is punctual and not part of a process. In this case, such behavior must not be considered as abnormal but rather as an unusual one, which doesn't have a bad impact on the network. By using this button, the behavior will be acknowledged and so cleared, but will not be included into the baseline. Consequently, you'll be notified if it happens again as a new behavior in the monitored baseline.

  Ex: You can perform this action on a new component and a new activity due to an exceptional maintenance act.

This action is to be applied on a difference you consider to be an anomaly, that is, a behavior that is abnormal and may compromise the operating capability and security of the network. However, before reporting the anomaly, the first thing to do is to investigate, and, if possible, to resolve it. In any case, when reporting an anomaly, you must fill in a message of incident response or acknowledgment (in which context the incident has happened, potential threats, or how it has been fixed). Once an anomaly is reported, it is cleared and not included in the baseline, and an event is generated with a default severity level higher than the acknowledge action. You will be alerted in the Monitor mode if the incident occurs again.

This action will remove the component or activity from the current baseline. This is to be used when you consider an element should not appear in a baseline, or you don't want to see it anymore. However, you will be alerted if the component or activity comes back, and the difference will appear as new. This action is also available on variable accesses through Individual acknowledgment.

Note	If a difference keeps coming back in a baseline and you don't want to see it, you should modify the preset instead.

Individual acknowledgment is an advanced usage of Cisco Cyber Vision. This feature is available on changed components and activities, that is, on elements already included in a baseline. It allows you to access their details to perform a deep behavior review by acknowledging and reporting one by one the differences detected on the network. Thus, individual acknowledgment is available on components' properties and tags, and on activities' tags and variable accesses.

• Component properties

  New and changed properties display in red. Concerning changed properties, the former one is crossed out and the new one displays next to it. They will always display in red, unless you acknowledge them.

• Component and activity tags

  New and changed tags display in red. They will be cleared as you acknowledge or report them (i.e. they are no longer displayed in red).

• Activity variable accesses

  New and changed variable accesses display in red. A variable access can be acknowledged, reported, and, in addition to other elements, deleted (i.e. button "Remove and keep warning"). Deleting a variable access is to be used when you consider that it should not be part of the current baseline and you don't want to see it. It will be removed from the baseline and disappear. If, however, the variable access happens again, you will be alerted and it will display in red.

Once all component or activity's elements are reviewed (i.e. acknowledged, reported, or removed), the entity they belong to is cleared (the component or activity itself is no longer displayed in red). Any action performed in the Monitor mode will appear in the Event page.

This button is not an action but an option to get more information and context about the differences detected on the network. In fact, each difference found, since it belongs to a component or an activity, is related to a flow. This view allows you to perform forensic analysis and may give you some clues to understand what happened.

Ex: You can search from which flow exactly a tag comes from.

A basic use case in Cisco Cyber Vision is to detect if and when a new equipment connects to the industrial network being monitored. However, the first thing to do when using Cisco Cyber Vision is to organize components in an intelligible way. In this use case, we choose to organize components according to the network's topology, that is, per production chain. In fact, a network can be divided into several areas, such as several production chains with different criticality levels, where a Cisco Cyber Vision Sensor is placed to capture and monitor its traffic. This topology can be reflected in Cisco Cyber Vision by creating groups which represent a production chain and contain its components. In clear, here we intend to detect a new component and its related activities within a specific area. Thus, it will be possible to see whether a component connects with this production chain. Its related activities will also be highlighted in the Monitor mode.

Key Differences: New components and their related activities on the network

Aim: Monitor the production line 2 of the industrial network.

Since a sensor is placed on each production chain, we use the sensor filter to display each production chain. In our example, the industrial network we're monitoring has 3 production lines on which we have positioned a sensor. We want to see and monitor what is happening on production line 2. To do so, we access the Preset All data in the Explore mode and we select the filter SENSOR_Line2 (it is possible to rename sensors to identify which area of the network they're monitoring) so only traffic captured on Production Line 2 appears.

What we need to do then, is to organize the components into groups, per function:

• PLCs in Line 2

• IT

• Broadcast

• Multicast

As a result, we have a filtered and organized view of production chain 2.

Now that the network data is filtered and grouped, we save the selection as a new preset that we name Line 2.

The preset Line 2 contains components and activities we consider to be interacting in a normal way, that is, production line 2 is in normal operating state. We save the preset's normal state as a baseline that we name Line 2 - Normal State.

We come back later to check Production Line 2. As we access the Explore mode we notice that there are 10 components instead of 9. Number of activities and events have increased too. The baseline Line 2 - Normal State reports 3 alerts.

To understand what had happened exactly, we access the baseline in the Monitor mode.

The left panel indicates that 1 new component and 2 new activities have been found.

As we click the new component, the right side panel opens with the component's detailed properties.

As we observe the component's details, we learn that it is in fact a controller, and properties look like what we're already used to see on the network regarding other components' characteristics. After confirming on site, we discover that a new PLC has been connected to the network to enlarge Production Line 2.

Then, we check that this new component behaves normally by looking at its activities. It has been identified because it has sent a broadcast packet (probably ARP) and then has connected to the Weintek machine using a legitimate protocol. Actions like Read variable accesses look normal too.

Since the component and activities will be part of the normal operating process of Production Line 2, the differences can be acknowledged and included in the baseline to be notified if any change occurs.

We return to the Explore mode and add the component into the Line 2 group.

Eventually, we access the Events page and see that all previous actions are reported here, from the detection of a new component and activities on the network, to adding the component into the group Line 2.

To ensure a network's security, its critical assets need to be monitored closely. Usually, critical assets are controllers which ensure the plant's operation. To monitor them, we're going to check its properties. The properties to keep an eye on are programs and firmware versions changes that might cause malfunctions or even stop a production line.

Preset Definition: Preset need to be defined per Group or multiple Group

Key Differences: New properties or changed properties on components

In the Explore mode, we access the Preset All data (1). We group the components per function (Broadcast, Multicast, Production Line 2) to organize our data. We select the Controllers component filter (2), so only the components marked with the Controller tag, their activities and related components display.

Now that the network data is filtered and grouped, we save the selection as a new preset (3) that we name Controllers.

The preset Controllers contains components and activities we consider to be operating in a normal way. We save the preset's normal state as a baseline that we name Controllers - Normal State.

We access the Monitor mode. The new baseline Controllers - Normal State displays.

A few moments pass and two alerts are reported in the Controllers preset. We access the baseline to see what happened.

The left panel reports that one component and one activity have changed in the scope of the preset.

As we click on the changed component in the map, a right side panel opens with more information. Changes appear in red. The tag indicates that it's a controller. The properties lldp-description and firmware version have changed and the former version is crossed off.

The particularity here is that no activity on the network seems to explain why the SIEMENS component's firmware version rolled back. To figure this out, we meet with the technical operator in charge of the production line. This person informs us that the latest version was causing several issues on the network. Consequently, a rollback has been performed by a maintenance operator to solve these until a new fix comes out. We conclude that this was part of a normal maintenance act and we acknowledge the differences.

Once differences are acknowledged, they are considered as normal and do not appear in red anymore. If a new change happens such as the version update, the component will appear as changed again in the Monitor mode.

An event is generated accordingly to the previous behaviors that have happened on preset Controllers and actions.

First evidence that someone might have hacked your industrial control system and is trying to disrupt your industrial processes are Stop CPU orders or new programs sent into a Controller's memory. A station that starts to send such content inside a network must be detected as soon as possible. It is possible to monitor a network by watching all control system behaviors.

This can be done in Cisco Cyber Vision by using the Control System Activities preset, which is a default preset and will check all activity tags categorized as Control System Behavior and consequently all related components. Key differences in such use case are new or changed activities. Moreover, components' tags and properties will give further context to help understanding of what is happening in the network.

Preset Definition: Preset need to be defined per activities tag like "Control Systems Behaviors"

Key Differences: New or changed activities

To do so, we access the preset Control System Activities (1) and we create a baseline from this preset (2) that we name Control System Activities - Normal State (3).

As we access the Monitor mode we can access and see the Control System Activities's baseline we just created. Nothing has happened yet on the preset.

After a few moments, new differences are detected on the preset. The left panel and the Map help identifying what has happened: a new component had an activity which changed another component and its activity with another component (1).

Clicking the new component (2) opens a right side panel which offers more information. The tag Windows indicates that the new component is a Windows machine (3). Below, its properties are listed and give more information about the machine.

Clicking the new activity between the new machine and the CPU opens its right side panel and gives more information about what happened. New tags such as Firmware Download, Start CPU, Stop CPU, Read and Write Var, which are suspicious, indicate the type of actions the new Windows machine has performed on the CPU.

These elements let us think that this is actually an attack. We report this issue and start to counter the attack immediately with the security team. If other suspicious changes happen, the Monitor mode will notify them.

You can trigger a safe shutdown and reboot of the Center from the System administration page.

The reboot can be used in case of a minor bug. For instance, in case of a system overload.

You can import and export the Cisco Cyber Vision database from the System administration.

This can be used on a regular basis to backup the industrial network data on Cisco Cyber Vision or if you need to transfer the database to a different Center.

Exports are possible up to 2 GB of data to avoid side effects related to slow database exports. If the database is larger than 2 GB, you will get an error message. In this case, you must connect to the Center using SSH and perform a data dump using the command sbs db dump.

Network data, events, users will be kept as well as all customizations (e.g. groups, component names).

As for configurations, only those made in the Cisco Cyber Vision user interface will be kept. Thus, if you change Center you will have to perform a basic configuration of the Center and then configure Cisco Cyber Vision again (refer to the Center Quickstart Guide).

Note	Import can last up to one hour for big databases. However, you can refresh the page from time to time to check that the import keeps going on normally (i.e. no error message).

The certificate fingerprint is used to register and enroll a Global Center with its synchronized Centers and vice versa.

For more information, refer the the Centers installation guides.

A Reset to Factory Defaults should be performed carefully with the help of Cisco product support and be used only as a last resort when all other troubleshooting attempts have failed. Please read below all implications of taking this action.

Reset to Factory Defaults is to be used as a last resort to clear all existing data from the Center.

Proceeding to a Reset to Factory Defaults will lead to the deletion of:

• Some Center configuration data elements.

• The GUI configuration (such as user accounts, the setup of event severities, etc.).

• Data collected by the sensors.

• The configuration of all known sensors (such as IP addresses, capture modes, etc.).

Root password, certificates and configurations from the Basic Center configuration will be kept.

Once a Reset to Factory Defaults has been performed, the GUI page refreshes with the Cisco Cyber Vision installation wizard (refer to the Center Quickstart Guide).

From this page, you can clear data stored on Cisco Cyber Vision to optimize the Center's performances.

You can clear data partially or totally, like below:

• all data

• activities, flows and variables

• flows and variables

• variables

Clearing data should be performed carefully with the help of Cisco Cyber Vision product support and be used only as a last resort when all other troubleshooting attempts have failed. Clearing any data can impact monitoring of the network. Please read below all implications about all data clearance.

About all data clearance:

Clearing all data is to be used as a last resort in case of database overload issues.

This will result in the entire database content deletion. Network data such as components, flows, events and baselines will be deleted from Cisco Cyber Vision and the GUI will be emptied.

All configurations will be saved. Existing users and user data configuration (such as capture modes, events severity set up, syslog configuration) will remain unchanged.

From this page, you can set data expiration time. Data is removed on a daily-basis once they expire. You can set an expiration time to events, flows and variables independently, and for a period of 7 days, 1 month, 3 months, 6 months or 1 year.

The ingestion configuration page allows you to configure flow and variable traffic storage.

You can choose whether to store flows and variables.

If flows storage is enabled, it is possible to choose from which subnetworks flows should be stored. These subnetworks can be set on the Network organization page. The option "others", that is, flows that are not part of the industrial private network, is disabled by default.

It is also possible to choose if enabling flows aggregation and port scan detection.

The Sensor Explorer page allows you to install, manage, and obtain information about the sensors monitoring your industrial network.

First, you need to know that sensors can be used in two modes, and for different purposes:

• Online mode: A sensor in online mode is placed at a particular and strategic point of the industrial network and will continually capture traffic.

  Applicable to: Cisco IE3400, IE3300 10G, Cisco IC3000, Catalyst 9300 and Cisco IR1101.

• Offline mode: A sensor in offline mode allows you to easily connect it at different points of the industrial network that may be isolated or difficult to access to occasionally make traffic captures. Traffic is captured on a USB drive. The file will then be imported in Cisco Cyber Vision.

  Only applicable to Cisco IC3000.

On the Sensor Explorer page, you will see a list of your folders and sensors (when installed) and buttons that will allow you to perform several actions.

Installation modes, features, and information will be available depending on the sensor model and the mode in which it’s being used.

Additional information and actions are available as you click a sensor in the list. A right side panel will appear allowing you to see this information such as the serial number, and buttons to perform other actions.

As some deployment tasks on sensors can take several minutes, this page shows the jobs execution status and advancement for each sensor deployed with the sensor management extension.

This page is only visible when the sensor management extension is installed in Cisco Cyber Vision.

You will find the following jobs:

• Single deployment

  This job is launched when clicking the Deploy Cisco device button in the sensor administration page, that is when a new IOx sensor is deployed.

• Single redeployment

  This job is launched when clicking the Reconfigure Redeploy button in the sensor administration page, that is when deploying on a sensor that has already been deployed. This option is used for example to change the sensor's parameters like enabling active discovery.

• Single removal

  This job is launched when clicking the Remove button from the sensor administration page.

• Update all devices

  This job is launched when clicking the Update Cisco devices button from the sensor administration page. A unique job is created for all managed sensors that are being updated.

If a job fails, you can click on the error icon to view detailed logs.

This page allows you to upload pcaps to view their data in Cisco Cyber Vision.

When selecting a pcap, two options are available:

• You can choose to use the timestamp of the pcap or the current timestamp instead. Choosing the current timestamp can be useful if the pcap timestamp is old and searching for its data in Cisco Cyber Vision is thus easier.

• You can define a preset from the pcap. Once the pcap is uploaded you'll just have to click the pcap link to be redirected to its preset.

  

Note that during the upload that the status for the DPI and Snort are displayed.

If uploading a large file, you have the possibility to pause it. To relaunch the upload, you just need to select the same pcap again with the browse button and click Resume.

Note	pcap data cannot be erased individually from Cisco Cyber Vision. You will need to use the Clear data button and it will affect the whole database. Upload pcaps with caution.

You can create, edit and delete users through the users administration page.

During their creation each user must be assigned with one of the following user roles (from full rights to read-only) or with a custom role (refer to Role Management).

• Admin

  The Admin user has full rights on the Cisco Cyber Vision platform. Users who have this role assigned oversee all sensitive actions like user rights management, system updates, syslog configuration, reset and capture modes configuration on sensors.

• Product

  The product user has access to several features of the system administration page (i.e. the system, sensors and events administration pages). This access level is for users who manage sensors from a remote location. In addition, they can manage the severity of events and, if enabled by the Admin user, can manage their export to syslog.

• Operator

  This access level is for users who use the Monitor mode and manage groups but do not have to work with the platform administration. Thus, the Operator user has access to all pages, except the system administration page.

• Auditor

  This access level provides read-only access to the Explore, Reports, Events and Search pages. Auditors can use sorting features (such as search bars and filters) that do not require persistent changes to the Cisco Cyber Vision data (unlike Autolayout), and generate reports.

You can create as many users as needed with any user rights. Thus, several administrators can use and administrate the whole platform.

However, each user must have their own account. That is:

• Accounts must be nominative.

• One email address for several accounts is not allowed (note that email will be requested for login access).

  Passwords must contain at least 6 characters and comply with the rules below. Passwords:

  • Must contain a lower case character: a-z.

  • Must contain an upper case character: A-Z.

  • Must contain a numeric character: 0-9.

  • Cannot contain the user id.

  • Must contain a special character: ~!"#$%&’()*+,-./:;<=>?@[]^_{|}.

    Important

    Passwords should be changed regularly to ensure the platform and the industrial network security.

Passwords' lifetime is defined in the Security settings page.

You can create custom user roles in the Role Management page.

You can map Cisco Cyber Vision user roles with an external directory's user groups in the LDAP settings page.

In addition to the four Cisco Cyber Vision default roles (i.e. Admin, Auditor, Operator and Product), customized roles can be created and modified from the Role management page.

These roles will help you defining specific privileges and accesses for each group of users.

Default roles cannot be edited or deleted.

You can map Cisco Cyber Vision custom roles with an external directory's user groups in the LDAP settings page.

From this page you can configure the security settings of users' password such as its lifetime, the number of authorized login attempts, the number of days before a password can be reused, etc.

Cisco provides a REST API. To use it you first need to create a token through the API administration page.

A token is a random password which authenticates a request to Cisco Cyber Vision to access or even modify the data in the Center through the REST API. For instance, you can request the latest 10 components detected on Cisco Cyber Vision or create new references. Requests can be used by external applications like a SOC solution.

Note	Best practice: create one token per application so you can remove or expire accesses separately.

Create your first token and enter a name that will help you identifying the token. For security reasons you can also use the status toggle button to disable authorization to use the token (for example, if the token created is to be used later and you want to prevent access until then) and set an expiration time.

Once the token is created click show to see and copy the token to the clipboard.

For more information about the REST API refer to the REST API user documentation available on cisco.com.

Cisco Cyber Vision can delegate user authentication to external services using LDAP (Lightweight Directory Access Protocol), and in particular to Microsoft Active Directory services.

You can enable LDAP authentication in the LDAP Settings administration page.

Configuring LDAP:

LDAP integration can be done through normal connection or securely by using certificates depending on the installation compatibility.

Mapping Cisco Cyber Vision roles with Microsoft Active Directory groups:

User groups available in the external directory can be mapped to Cisco Cyber Vision Product, Operator and Auditor user roles or custom roles. Refer to Role Management to create custom roles.

Because the Admin user role is exclusively reserved for Cisco Cyber Vision internal usage, it cannot be mapped to any external users and thus is not proposed in LDAP settings.

Testing LDAP connection:

After setting up LDAP, the connection between the Cisco Cyber Vision Center and the external directory is to be tested. On the LDAP test connection window, you will use a user login and a password set in the external directory. The Center will attempt to authenticate on the directory server with these credentials. In return, you will get either a successful authentication, or a failed one with an error message.

Login in Cisco Cyber Vision:

When logging into Cisco Cyber Vision, the login format used will determine the base (i.e. internal or external) to be queried:

• If you use an email, the Cisco Cyber Vision database is queried.

• If you use the Active Directory format <domain_name>\<user_name> (e.g. cisco\john_doe), then the external directory is used to authenticate users.

From this page, you can configure ISE pxGrid Cisco Cyber Vision integration.

Cisco Platform Exchange Grid (pxGrid) is an open, scalable data-sharing and threat control platform that allows seamless integration between multivendor identity, network, security and asset management systems.

For more information about how to perform this integration, refer to the manual "Integrating Cisco Cyber Vision with Cisco Identity Services Engine (ISE) via pxGrid".

FMC administration page permits to configure a link between Cisco Cyber Vision with your Firepower Management Center. This connection will permit to send regularly (every 10 seconds) the components discovered by Cisco Cyber Vision. Every 10 seconds a list of new discovered components will be sent with the following properties in Cisco Cyber Vision:

• Name

• Id

• Ip

• Mac

• And if they are available:

  • hw_version

  • model-ref

  • serial_number

  • fw_version

  • tags

The configuration of this connection consists of adding the IP address of FMC, then importing a certificate in Cisco Cyber Vision.

In FMC, to download the necessary certificate, please navigate to "System" then to "Integration" and open the "Host Input Client" tab. In the tab create a new Client with the button "Create Client". Add the Cisco Cyber Vision Center IP address as host name, then download the pkcs12 certificate.

Then, in FMC, menu "Policies", "Application Detectors" add a new Product Map with the button "Create Product Map Set". Please create the new product Map with the exact name and case as presented below:

The created hosts could be consulted in FMC, menu "Analysis", tab "Hosts – Network Map":

FTD administration page permits to connect Cisco Cyber Vision with your Firepower Threat Defense. It will allow to automatically kill anomalies detected by monitor mode and snort events. The corresponding session found in FTD will be killed.

Every 10 seconds Cisco Cyber Vision will browse the new monitor and SNORT events and send the corresponding action to the firewall. To enable that functionality, the user needs to add the following parameters in the FTD administration page:

• Ip address of the firewall

• Login: admin login, an ssh connection will be established between the center and the firewall

• Password: corresponding password

• Hostname: is the name of the device, by default "firepower"

Two option are available: kill session from monitor difference detection events and kill session from snort events.

Cisco SecureX is an online platform that centralizes security events from different Cisco software equipments through an API. For example, events like Cisco Cyber Vision events or firewall events can be sent to Cisco SecureX and correlated to be presented through different dashboards.

The integration with SecureX will enable 3 features in Cisco Cyber Vision:

• with SecureX SSO login, a button "Report to SecureX" will appear in some events of the event calendar page. this button will push the events to SecureX.

• with SecureX SSO login, a SecureX Ribbon could be activated ans associated features could be used in Cisco Cyber Vision.

• without SecureX SSO login, a button "Investigate in SecureX Threat Response" is displayed in component technical sheet.

The different topics below will cover the configuration of SecureX in Cisco Cyber Vision and the usage of the different features authorized.