I have one more issue with reporting. I notice under GLBA reports there is a 'attacks prevented by cisco IPS - all events" report. We actually run IDS and are using a router to actively shun packets, and that is not included within the scope. I tried adjusting the query in this report, but have been unable to get the results I expect.
The portion of the Raw Event Message that I am trying to search is 'shunRequested: true' from the below event. When I do a query and put that in the 'keyword field' and search within the timeframe this event happened (searching for raw event) it returns 0 results. Does anyone know a good way to search for events shunned within a GLBA report? And it really doesn't have to come back with raw events or anything, any other suggestions for this are welcome.
SAMPLE EVENT BELOW********
evIdsAlert: eventId="1268318206324079819" severity="high" vendor="Cisco"
time: Apr 27 2010 05:00:59 CDT (1272362459865550000) offset="-300" timeZone="UTC"
signature: created="20010202" type="anomaly" version="S2" description="TCP SYN/FIN Packet" id="3041"
addr: 18.104.22.168 locality="any"
addr: OMITTED locality="INSIDE"
os: idSource="learned" relevance="relevant" type="linux"
riskRatingValue: 100 attackRelevanceRating="relevant" targetValueRating="mission-critical"