Database functionality of CSPM is a must!

pbobby
Level 1

Scenario:

Receive an alert for IIS Double Decode Error. Okay, is it a false positive or a real event?

The ONLY way for me to tell in the present CSPM system is to look at the Context Buffers associated with this alert. Those buffers will tell me what the offending URL looks like.

But guess what, this context data is only available through the CSPM's event viewer or after having run cvtrlog.exe on the CSPM database.

This does not help me in my alerting process, because I want that data available to me along with the alert itself.

CSPM does not allow for real time database connectivity. cvtrlog.exe can apparently extract the context buffers and make them available to your database... but I would have to run cvtrlog.exe in an almost _continuous_ fashion just so I can get access to this information.

Is Cisco going to provide real time database capability? And are they going to pump context data into that database also?

Why not allow us access to the CSPM database as is? How proprietary can it be?

To me, it's a very real problem. My currently open TAC case has not yielded any joy.

Does anyone else think this is a real problem? I know that if I get a bunch of these alerts at 2am, I'm not going to get online to my corp network just to check context buffers... I'd prefer to have that information sent to me directly.
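The triage the post describes (look at the offending URL in the context buffer and decide whether the alert is real) can be scripted once the URL is available alongside the alert. The script below is an added example and is not part of the original post, CSPM, or any Cisco tool; the request paths in it are constructed for illustration, not real captures. It decodes the path once, as a correct server would, and then a second time, as the flawed IIS decoder did, and reports whether that second pass changes the path and whether the result walks into a parent directory.

```python
from urllib.parse import unquote

# Constructed sample request paths, as they might appear in an alert's
# context buffer. These are made up for the example, not real captures.
SAMPLE_URLS = {
    "plain":             "/scripts/index.asp?id=42",
    "literal_percent":   "/docs/report%2520q3.html",        # filename really contains "%20"
    "encoded_traversal": "/scripts/..%255c..%255cfile.txt", # "%255c" decodes to "%5c", then to "\"
}

def double_decode_triage(url: str) -> dict:
    """Decode the URL path once, then again; report what the second pass reveals."""
    path = url.split("?", 1)[0]      # the query string does not affect path resolution
    once = unquote(path)             # what a correctly behaving server sees
    twice = unquote(once)            # what a server that decodes twice would have seen
    # IIS treats backslash as a path separator too, so split on both.
    segments = twice.replace("\\", "/").split("/")
    traversal = ".." in segments
    if once == twice:
        verdict = "second decode is a no-op: likely false positive"
    elif traversal:
        verdict = "double decode yields parent-directory traversal: investigate"
    else:
        verdict = "double encoding present but no traversal: review manually"
    return {
        "once": once,
        "twice": twice,
        "changed": once != twice,
        "traversal": traversal,
        "verdict": verdict,
    }

def triage_all(samples=SAMPLE_URLS) -> dict:
    """Verdict per sample name; handy for feeding into an alert e-mail body."""
    return {name: double_decode_triage(u)["verdict"] for name, u in samples.items()}

if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        r = double_decode_triage(url)
        print(f"{name}: {url}")
        print(f"  once  = {r['once']}")
        print(f"  twice = {r['twice']}")
        print(f"  ->    {r['verdict']}")
```

The point of keeping the "changed but no traversal" verdict separate is that a legitimately double-encoded filename (the `%2520` case) still trips a second-decode check, so the script flags it for a human rather than clearing it automatically.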

1 Reply

jason.fletcher
Level 1

I agree completely with this. CSPM does not provide the information that a security analyst needs to identify real threats. Database connection should be a no-brainer for Cisco...after all, they have "partners" who provide expensive software packages that interface with their system. For the money this stuff is going for we should have at least the functionality that all the freeware IDS systems have out there.

Jason Fletcher