Cisco Support Community
Community Member

Correlating IDS and CSA events

How easy is it going to be to correlate events from Intrusion Detection devices and the new Cisco Security Agent?

3 REPLIES
Cisco Employee

Re: Correlating IDS and CSA events

Hi Jim,

Just wanted to understand what exactly you meant by "correlate" events.

The Security Monitor will be able to display ONLY the CSA events. It will be showing up as a separate category.

Let me know if this is not what you wanted to know.

Thanks,

yatin

Community Member

Re: Correlating IDS and CSA events

It would be nice to see attacks picked up by the IDS and then events from CSA showing what happened subsequently on the host level. The timing on the systems has to be synchronized, of course, but since CSA is a new acquisition, when will it be possible to correlate their events with other Cisco devices? Would Netforensics handle something like this?

Cisco Employee

Re: Correlating IDS and CSA events

Hi Jim,

Limited correlation of IDS and CSA is available in SecMon 1.2. You can, for example, create an event rule that specifies "Originating Device = CSAMC1 OR Originating Device = Sensor1". This rule will fire whenever SecMon receives a CSAMC message that originates from a CS Agent running on the CSAMC box, or an event is received from the specified IDS sensor.

Likewise, if you create a rule with a "Severity = High" clause, this rule can fire when high severity messages are received from a CSAMC device or an IDS device.

At this point, the CiscoWorks Security Information Management (CWSIM), the Cisco and Netforensics integration product, will be able to do this in more detail.

Hope this helps,

Yatin
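As an added illustration (not SecMon code and not part of the thread), here is a small Python model of the per-event rule matching described in the reply above, set beside the host-and-time pairing the question actually asked for; the event field names, sample events and the 60-second window are constructed assumptions:

```python
# Added example, not Cisco SecMon code: a toy evaluator for rules such as
# "Originating Device = CSAMC1 OR Originating Device = Sensor1" and
# "Severity = High", compared with a host/time correlation of IDS -> CSA.
from datetime import datetime, timedelta

# Constructed sample events in a simplified SecMon-like shape.
# Field names are assumptions, not SecMon's real schema.
EVENTS = [
    {"device": "Sensor1", "type": "ids", "severity": "High", "host": "10.0.0.5",
     "time": datetime(2004, 1, 1, 12, 0, 0), "msg": "Web server exploit attempt"},
    {"device": "CSAMC1", "type": "csa", "severity": "High", "host": "10.0.0.5",
     "time": datetime(2004, 1, 1, 12, 0, 20), "msg": "Buffer overflow blocked"},
    {"device": "CSAMC1", "type": "csa", "severity": "Low", "host": "10.0.0.9",
     "time": datetime(2004, 1, 1, 12, 5, 0), "msg": "Registry write allowed"},
    {"device": "Sensor2", "type": "ids", "severity": "High", "host": "10.0.0.7",
     "time": datetime(2004, 1, 1, 13, 0, 0), "msg": "Port sweep"},
]

def evaluate_rule(event, clauses, mode="OR"):
    """Evaluate a rule of (field, value) clauses joined by OR or AND."""
    results = [event.get(field) == value for field, value in clauses]
    return any(results) if mode == "OR" else all(results)

def fire_rule(events, clauses, mode="OR"):
    """Return the events the rule fires on: one event at a time, no joining.
    This is the 'limited correlation' the reply describes."""
    return [e for e in events if evaluate_rule(e, clauses, mode)]

def correlate_ids_to_csa(events, window=timedelta(seconds=60)):
    """Pair each IDS alert with CSA events on the same host that arrive
    within `window` after it. This is the host-level follow-up the question
    asks for; it assumes synchronized clocks and is not a SecMon 1.2 feature."""
    pairs = []
    for ids in (e for e in events if e["type"] == "ids"):
        for csa in (e for e in events if e["type"] == "csa"):
            delta = csa["time"] - ids["time"]
            if csa["host"] == ids["host"] and timedelta(0) <= delta <= window:
                pairs.append((ids["msg"], csa["msg"]))
    return pairs

if __name__ == "__main__":
    device_rule = [("device", "CSAMC1"), ("device", "Sensor1")]
    print(len(fire_rule(EVENTS, device_rule)))              # 3 (either device)
    print(len(fire_rule(EVENTS, [("severity", "High")])))   # 3 (either source)
    print(correlate_ids_to_csa(EVENTS))                     # one IDS->CSA pair
```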
