Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 39

Security mars local controller

Chapter 1
STM Task Flow Overview
Task
2. Define the notification services.

This task prepares the notification services of MARS to notify your mitigation and remediation personnel and take other required actions. In MARS, notification services have three building blocks:

• User accounts. Represent users who will receive reports or notifications or who will access the web interface for the purpose of monitoring or mitigation. Users can receive notifications in the form of e-mail, pager messages, or Short Message Service (SMS) messages. Users are assigned to one of four roles (admin, security analyst, operator, notification only), which determines their access privileges in the web interface.
• Devices. Represent those devices that will receive notifications in the form of an SNMP message, a syslog message, or in the case of an IOS IPS device, a DAM message (equivalent to a shun). For more on defining devices, refer to Checklist for Provisioning Phase, page 1-2.
• Actions. Actions are defined within inspection rules, and they represent the notifying action. Depending on the target of the notification, a user or a device, your action can provide guidance to your staff or instruct your devices to log or block an attack.

Within MARS, any person or device that is expected to receive a notification must be identified in the system. Therefore, the first step is to define user accounts that map to the users or groups who must be notified based on specific event settings (see User Role Worksheet, page 1-20). You must also identify the devices that need to be notified or that need to take some action (see Device Inventory Worksheet, page 1-18).

The next step is to define the notification service settings (actions), which can be one or more of e-mail, page, SMS, SNMP, Syslog, or Dynamic Attack Mitigation. Each of these settings includes the contact information and a message that you can define for each type of notification.

There is not a separate interface for defining these settings. To define the notification service settings, you must edit an existing inspection rule and add new Action definitions. After you define these settings, they are available to all inspection rules.

Result: All required personnel have been identified in MARS so that rules and reports can be customized to notify the correct personnel.

For more information, see:
• User Management, page 23-8
• Add or Remove a User from a User Group, page 23-12
• IP Management, page 23-3
• Adding Reporting and Mitigation Devices, page 2-16
• Forwarding Alert Data to 3rd-Party Syslog and SNMP Servers, page 2-54
• MARS MIB Format, page 2-54
• Inspection Rules, page 21-4
• Working with System and User Inspection Rules, page 21-17
• Setting Alerts, page 21-23
• Sending Alerts and Incident Notifications, page 22-1

78-17020-01
User Guide for Cisco Security MARS Local Controller
Checklist for Monitoring Phase
1-11


This manual is also suitable for:

Mars 20, Mars 50, Mars 100, Mars 200
