Scenario:
Receive an alert for IIS Double Decode Error. Okay, is it a false positive or a real event?
The ONLY way for me to tell in the present CSPM system is to look at the Context Buffers associated with this alert. Those buffers will tell me what the offending URL looks like.
But guess what, this context data is only available through the CSPM's event viewer or after having run cvtrlog.exe on the CSPM database.
This does not help me in my alerting process, because I want that data available to me along with the alert itself.
CSPM does not allow for real time database connectivity. cvtrlog.exe can apparently extract the context buffers and make them available to your database... but I would have to run cvtrlog.exe in an almost _continuous_ fashion just so I can get access to this information.
Is Cisco going to provide real time database capability? And are they going to pump context data into that database also?
Why not allow us access to the CSPM database as is? How proprietary can it be?
To me, it's a very real problem. My currently open TAC case has not yielded any joy.
Does anyone else think this is a real problem? I know that if I get a bunch of these alerts at 2am, I'm not going to get online to my corp network just to check context buffers... I'd prefer to have that information sent to me directly.