Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
265
Views
0
Helpful
1
Replies

Cs-Mars Problem

phardy
Level 1
Level 1

‎04-16-2009 05:10 AM - edited ‎03-09-2019 10:13 PM

Im working on Cs-Mars version 6.0. after setting some drop rules to avoid having incidents on the dashboard. i figure out that incident are not matching the drop rule even if the incident details are exactly in the scope of the drop rule. is there any where to look to see how Cs-mars parse and treat the events as they gets to incidents ??

Labels:
0 Helpful
1 Reply 1

vkapoor5
Level 5
Level 5

‎04-22-2009 12:21 PM

Drop rules allow false positive tuning on a MARS, and are defined only on the Local Controller Drop Rules page. They allow you to refine the inspected event stream by specifying events and streams to be ignored and whether those data should be stored in the database or discarded entirely. Drop rules are applied to events as they come in from a reporting device, after they have been parsed and before they have been sessionized. Events that match active drop rules are not used to construct incidents. Because the Global Controller does not receive events from reporting devices, rather it receives them from Local Controllers, you cannot define drop rules for the Global Controller.

To display incidents that occur from the firing of rules in a specific rule group:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/rules.html#wp533079

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents