Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)

MARS - Understanding Rules and Incidents

I've been doing some testing, trying to develop a detailed understanding of how rules work in CSMARS. I'm getting inconsistent results. Let's assume I have the ability to create the EXACT same event 5 times in CSMARS at 10 second intervals. The only difference in the events is when they are received by CSMARS. The inspection rule is quite simple; look for this event type, count = 1 and time range = 5 minutes.

The events in CSMARS are always part of the same session. However, sometimes I get just 1 incident that fires right way. Other times I get 2 incidents, one that fires right away and another that fires after the 5 minute time range has elapsed. When there are 2 incidents, the time range for each incident is always from a subset of the events in the session. So for example, the first incident's time range might have a time range from the first 3 events and the second incident would have a time range from the last 2 events.

The end result though is that I have a single session that triggered the same rule twice. How is this possible?

CreatePlease to create content