Recent Incidents; Sessions And Events - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

Summary Page

Recent Incidents

The first feature to notice about the Dashboard is the list of recent incidents that have fired. The
Local Controller ships with pre-defined rules, and these incidents are the result of those rules firing.
The rules are generic and globally applicable, and they should serve you well as a starting point when
you begin to tune the Local Controller.
Figure 17-14 Drilling-down into Incidents (callouts 1 through 4 refer to the legend below)

Sessions and Events

Within a given time window, a session is a collection of events that all share a common end-to-end
connection. Event sessionization aggregates event data, making it easier to sort and examine. It lets the
system treat related events as a single unit of information and helps you determine whether an attack has
truly materialized: it gives you the context of the attack by showing you every event on that session.
Sessionization works across NAT (network address translation) boundaries. If a session traverses a
device that performs NAT on that session, the Local Controller can still sessionize the events, even when
they are reported by two devices on either side of that NAT device.
Network activity appears immediately in the events and sessions categories. Note that the 24 Hour
Events table and the Events and Sessions chart are two ways of presenting the same information.
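The grouping described above, as an added example that is not Cisco MARS code and not taken from this manual: events reported by several devices are folded into sessions keyed on a common end-to-end tuple within a time window, and an event reported on the outside of a NAT device is folded back onto the inside tuple. Everything beyond the manual's description is an assumption: the tuple is (source address, source port, destination address, destination port, protocol); a session ends when the gap between consecutive events exceeds an idle window; the NAT device is assumed to report the translated source address and port with its own event, which is what lets outside-reported events be matched; the device names, addresses and timestamps are constructed sample data.

```python
"""Sessionize security events by shared end-to-end tuple, across a NAT boundary.

Added illustration, not Cisco MARS code. Assumptions (not from the manual):
- the end-to-end tuple is (src, sport, dst, dport, proto);
- a session closes when the gap between consecutive events exceeds `window` seconds;
- the NAT device reports, with its own event, the translated source address/port,
  and that mapping folds outside-reported events back onto the inside tuple.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Event:
    ts: int                          # seconds; constructed sample values below
    reporter: str                    # device that reported the event
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nat_src: Optional[str] = None    # post-NAT source, reported only by the NAT device
    nat_sport: Optional[int] = None


def flow_key(e: Event) -> FlowKey:
    """The end-to-end tuple exactly as the reporting device saw it."""
    return (e.src, e.sport, e.dst, e.dport, e.proto)


def build_nat_map(events: List[Event]) -> Dict[FlowKey, FlowKey]:
    """Collect translations advertised by NAT devices: post-NAT tuple -> pre-NAT tuple."""
    nat_map: Dict[FlowKey, FlowKey] = {}
    for e in events:
        if e.nat_src is not None and e.nat_sport is not None:
            nat_map[(e.nat_src, e.nat_sport, e.dst, e.dport, e.proto)] = flow_key(e)
    return nat_map


def canonical_key(e: Event, nat_map: Dict[FlowKey, FlowKey]) -> FlowKey:
    """Fold an event seen on the outside of the NAT back onto the inside tuple."""
    k = flow_key(e)
    return nat_map.get(k, k)


def sessionize(events: List[Event], window: int) -> List[dict]:
    """Group events into sessions: same canonical tuple, no gap longer than `window`."""
    nat_map = build_nat_map(events)           # batch two-pass; a streaming engine would cache
    sessions: List[dict] = []
    open_by_key: Dict[FlowKey, dict] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        k = canonical_key(e, nat_map)
        s = open_by_key.get(k)
        if s is None or e.ts - s["last"] > window:
            s = {"key": k, "first": e.ts, "last": e.ts, "events": []}
            sessions.append(s)
            open_by_key[k] = s
        s["events"].append(e)
        s["last"] = e.ts
    return sessions


def reporters(session: dict) -> List[str]:
    """Distinct devices that contributed events to a session."""
    return sorted({e.reporter for e in session["events"]})


# Constructed sample: one inside host talks to one web server through a source-NAT firewall.
# The inside IDS and the firewall see 10.1.1.5:40000; the outside IDS sees 198.51.100.1:5000.
SAMPLE_EVENTS = [
    Event(0, "inside-ids", "10.1.1.5", 40000, "203.0.113.9", 80, "tcp"),
    Event(1, "firewall", "10.1.1.5", 40000, "203.0.113.9", 80, "tcp",
          nat_src="198.51.100.1", nat_sport=5000),
    Event(2, "inside-ids", "10.1.1.5", 40000, "203.0.113.9", 80, "tcp"),
    Event(3, "outside-ids", "198.51.100.1", 5000, "203.0.113.9", 80, "tcp"),
    Event(5, "firewall", "10.1.1.7", 51000, "203.0.113.9", 443, "tcp"),
    # Same tuple much later: beyond the idle window, so it starts a new session.
    Event(900, "inside-ids", "10.1.1.5", 40000, "203.0.113.9", 80, "tcp"),
]


def demo(window: int = 300) -> List[dict]:
    """Sessionize the constructed sample with a 300-second idle window."""
    return sessionize(SAMPLE_EVENTS, window)


if __name__ == "__main__":
    for s in demo():
        print(f"{s['key']}  events={len(s['events'])}  reporters={reporters(s)}  "
              f"t={s['first']}..{s['last']}")
```

Running the block yields three sessions: the first holds all four events of the NAT-traversing flow, contributed by the inside IDS, the firewall and the outside IDS, which is the cross-NAT behaviour the text describes; the second is the unrelated flow; the third is the same tuple again after the idle window has expired. The two-pass NAT map is a simplification for a batch of events; the translation record must be available before the outside event is keyed, which a streaming engine would handle with a cache keyed on the post-NAT tuple.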
Figure 17-14 Drilling-down into Incidents: callout legend
Link to the Incident sessions detail page
Incident severity icons: Red—Severe threat, Yellow—Possible threat, Green—Unlikely threat
Link to the Event Type Details page
Query icon links to Query page
Source and destination address, source and destination port, and protocol
Link to the rule details page
Incident Path icon launches the topology diagram popup window
Incident Vector icon launches the incident attack vector diagram
Link to the View Case page

Chapter 17 Network Summary
User Guide for Cisco Security MARS Local Controller, 78-17020-01, page 17-8
This manual is also suitable for: Mars 20, Mars 50, Mars 100, Mars 200