Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 34

Checklist for Provisioning Phase

Task 4. Define the devices in MARS.
After you identify and bootstrap the reporting devices and mitigation devices and enable the required traffic flows, you must represent those devices in MARS, which uses this information to communicate with the devices. You can do this by adding individual devices in the web interface or by importing a comma-separated values (CSV) file, which can define the required settings for basic device types and give you a head start on defining the more complicated devices. In addition, you can use topology discovery to automatically discover reporting devices and mitigation devices and later go back to provide additional detail.

For most device types, you must determine which access protocol to use for device discovery. The selection of this protocol determines what type of data you can discover and whether you can perform mitigation. Understanding the options helps you develop a consistent approach that complies with your corporate policies.

How you choose to add the devices depends on the number of devices on your network and whether there are CSV device keywords for the devices that you want to add. In addition, device types that use agents, modules, or sensors are defined in multiple steps: you first define the base host or device, and then add the modules, sensors, and agents to the base device. For example, if you want to add an IPS module to a Cisco ASA device, you must first define the Cisco ASA device and then define the IPS module as a component of that device. In addition, many applications that are not dedicated appliances require that you first define the host (generic, Windows, Unix, or Linux) on which that application runs before you can associate the application with that host.
After you add the devices, you must activate them by clicking Activate on any page in the web interface.

To display all devices that are either added incorrectly or not activated in MARS, you can define one of two queries:

- Select "Unknown Reporting Device" in the Devices field. This query returns only the events from devices whose source IP does not match one of the reporting IPs defined in MARS. When MARS receives events, it first determines whether the IP from which the events are received matches one of the reporting IPs identified in the Reporting and Monitor Devices page. Only if MARS finds a match does it attempt to parse the events. Therefore, if the reporting IP is defined incorrectly for a reporting device, the events from that device are not parsed. This query essentially identifies events that are not parsed.

- Select "Unknown Device Event Type" in the Events field. This query returns events from known devices that MARS for some reason did not parse (for example, because the MARS signature list is not current with the device event lists), and it also returns events reported by unknown devices.

Running these queries is recommended practice after adding the devices, especially when using a CSV seed file or SNMP discovery. For both queries, if you are looking for a specific reporting IP address, enter that address in the Keyword field to filter the results down to those that include that IP address.

Result: All reporting devices and mitigation devices are defined and activated in MARS. When the devices are bootstrapped and defined in MARS, MARS begins to inspect the logs received from the devices. Until the devices are added in MARS, MARS picks up and stores the events it receives without inspecting them.
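The reporting-IP check described above, reproduced as an added example (not code from the manual or from MARS itself): events are handed to the parser only when their source IP matches a defined reporting IP, so anything else is what the "Unknown Reporting Device" query would surface. The device names, addresses and event lines are constructed for the example; the inventory layout is an assumption, not the MARS seed-file format.

```python
import ipaddress
from collections import Counter

# Constructed inventory for this example: device name -> reporting IPs as they
# would be entered for that device in MARS. Names and addresses are made up.
DEFINED_DEVICES = {
    "asa-edge-1": ["10.1.1.1"],
    "ios-core-1": ["10.1.2.1", "10.1.2.2"],   # reports from two interfaces
    "ips-module-1": ["10.1.1.1"],             # module defined under the ASA host
}

# Constructed sample of received events: (source IP seen by MARS, raw message).
RECEIVED_EVENTS = [
    ("10.1.1.1", "%ASA-6-302013: Built outbound TCP connection 1234 ..."),
    ("10.1.2.2", "%SEC-6-IPACCESSLOGP: list 101 denied tcp ..."),
    ("10.1.9.9", "%ASA-4-106023: Deny tcp src outside:192.0.2.5/4444 ..."),
    ("10.1.9.9", "%ASA-4-106023: Deny tcp src outside:192.0.2.6/4445 ..."),
    ("10.1.2.1", "%SYS-5-CONFIG_I: Configured from console by vty0"),
]


def defined_reporting_ips(devices):
    """Flatten the inventory into the set of reporting IPs MARS would match on.

    A malformed address raises ValueError, so a bad seed-file entry is caught
    before it silently causes a device's events to go unparsed.
    """
    return {ipaddress.ip_address(a) for addrs in devices.values() for a in addrs}


def unknown_reporting_devices(events, devices):
    """Count events per source IP that match no defined reporting IP.

    These are the events the "Unknown Reporting Device" query returns: MARS
    stores them but does not parse them until a device with that reporting IP
    is defined and activated.
    """
    known = defined_reporting_ips(devices)
    unknown = Counter()
    for src, _message in events:
        if ipaddress.ip_address(src) not in known:
            unknown[src] += 1
    return unknown


def parsed_event_count(events, devices):
    """Events that pass the reporting-IP check and are handed to the parser."""
    known = defined_reporting_ips(devices)
    return sum(1 for src, _ in events if ipaddress.ip_address(src) in known)


if __name__ == "__main__":
    for ip, n in unknown_reporting_devices(RECEIVED_EVENTS, DEFINED_DEVICES).items():
        print(f"{ip}: {n} event(s) stored but not parsed; define and activate a device with this reporting IP")
```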
For more information, see:
Device Inventory Worksheet, page 1-18
Selecting the Access Type, page 2-10
Add Reporting and Mitigation Devices Individually, page 2-17
Add Multiple Reporting and Mitigation Devices Using a Seed File, page 2-20
Adding Reporting and Mitigation Devices Using Automatic Topology Discovery, page 2-25
Supported Reporting and Mitigation Devices, page 3
Verify Connectivity with the Reporting and Mitigation Devices, page 2-26
Activate the Reporting and Mitigation Devices, page 2-27
User Guide for Cisco Security MARS Local Controller, Chapter 1: STM Task Flow Overview, page 1-6 (78-17020-01)