https://community.cisco.com/t5/network-security/ips-7-1-event-analysis/m-p/2381108#M53131 <HTML><HEAD></HEAD><BODY><P>Daniel -</P><P></P><P>Your two most common options for getting event data off your sensors are:</P><P>1. Get/build/buy a SIEM that will pull the evetns via the SDEE protocol.</P><P>2. Edit the action of the signatures in question (&gt;85% RR) to generate an SNMP trap for the event.</P><P></P><P>For real analysis you will also want to grab a PCAP of both sides of the attack (so you can tell if it was sucessful or a false positive).</P><P></P><P>- Bob</P></BODY></HTML> Thu, 02 Jan 2014 17:49:47 GMT rhermes 2014-01-02T17:49:47Z https://community.cisco.com/t5/network-security/ips-7-1-event-analysis/m-p/2381107#M53130 <P>Hi Folks, </P><P></P><P><SPAN style="font-size: 10pt;">Happy new year!</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">I'm trying to interface my IPS Event with an external log analyzer. </SPAN></P><P></P><P><SPAN style="font-size: 10pt;">This exercise (Log Management) has become vital as my SLA required IPS Event (particularly those with risk rating above 85) be documented and reported &lt;90mins on a day-to-day basis. </SPAN></P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P>Anyone with ideas?</P><P></P><P>Regards, </P><P>Daniel</P> Sun, 10 Mar 2019 13:07:08 GMT https://community.cisco.com/t5/network-security/ips-7-1-event-analysis/m-p/2381107#M53130 dadaramola 2019-03-10T13:07:08Z https://community.cisco.com/t5/network-security/ips-7-1-event-analysis/m-p/2381108#M53131 <HTML><HEAD></HEAD><BODY><P>Daniel -</P><P></P><P>Your two most common options for getting event data off your sensors are:</P><P>1. Get/build/buy a SIEM that will pull the evetns via the SDEE protocol.</P><P>2. Edit the action of the signatures in question (&gt;85% RR) to generate an SNMP trap for the event.</P><P></P><P>For real analysis you will also want to grab a PCAP of both sides of the attack (so you can tell if it was sucessful or a false positive).</P><P></P><P>- Bob</P></BODY></HTML> Thu, 02 Jan 2014 17:49:47 GMT https://community.cisco.com/t5/network-security/ips-7-1-event-analysis/m-p/2381108#M53131 rhermes 2014-01-02T17:49:47Z https://community.cisco.com/t5/network-security/ips-7-1-event-analysis/m-p/2381109#M53132 <HTML><HEAD></HEAD><BODY><P>Thanks Rhermes, <SPAN style="font-size: 10pt;">nice one.</SPAN></P><P></P><P>On your response, I have tried pulling events using Splunk- seems to be getting errors integrating splunk with the sensor; is there a way around this, or are there other SIEM (preferably open source) one can use to pull events via SDEE? </P><P></P><P>Regards. </P></BODY></HTML> Fri, 03 Jan 2014 07:27:45 GMT https://community.cisco.com/t5/network-security/ips-7-1-event-analysis/m-p/2381109#M53132 dadaramola 2014-01-03T07:27:45Z https://community.cisco.com/t5/network-security/ips-7-1-event-analysis/m-p/2381110#M53133 <HTML><HEAD></HEAD><BODY><P> I don't have any experience with Splunk and Cisco IPS, but there is a Wiki for it, so I assume other people have it working:&nbsp; <A href="http://wiki.splunk.com/Set_up_Splunk_for_Cisco_IPS">http://wiki.splunk.com/Set_up_Splunk_for_Cisco_IPS</A></P><P>I would imagine all commercial SEM vendors should support Cisco's implementation of SDEE, I have experience with Trustwave (formerly Intelitactics) and Arcsight. </P><P></P><P>How many sensors are you attempting to monitor? The free Cisco IME can pull events from up to 5 sensors.</P><P></P><P>- Bob </P></BODY></HTML> Fri, 03 Jan 2014 17:43:31 GMT https://community.cisco.com/t5/network-security/ips-7-1-event-analysis/m-p/2381110#M53133 rhermes 2014-01-03T17:43:31Z https://community.cisco.com/t5/network-security/ips-7-1-event-analysis/m-p/2381111#M53134 <HTML><HEAD></HEAD><BODY><P>Hi rhermes, </P><P></P><P>I have since gotten Cisco IME 7.2.1. It pretty great working with this interface. Thanks! </P><P></P><P><STRONG>Daniel. </STRONG></P></BODY></HTML> Wed, 19 Feb 2014 18:07:38 GMT https://community.cisco.com/t5/network-security/ips-7-1-event-analysis/m-p/2381111#M53134 dadaramola 2014-02-19T18:07:38Z