topic Re: Cisco Secure Network Analytics - Custom Events not working towards in Security Analytics

Cisco Secure Network Analytics - Custom Events not working towards NVM

aleksta9826435 — Wed, 05 Feb 2025 10:22:51 GMT

Hi all

Experiencing Issues with creating Custom Security Events towards NVM (nvzflows) In my SNA platform.
Been creating a test Custom Security Event, just to see If it triggers.

"CSE: Forbidden Application"
When any subject host; using the process "well known .exe" communicates with any peer host, an alarm is raised.

Subject Process Names "well known .exe" on windows hosts.

Saved the Custom Event.

On my endpoint this well known .exe Process Names" triggeres. And It's visibile under the "Report Builder" --> Endpoint Traffic (NVM).

But no alert shows up under my Security Insight Dashbard.
Why?

The goal of my NVM (nvzflows) Is to create "Custom Security Events" for alerts.

Thanks

Re: Cisco Secure Network Analytics - Custom Events not working towards

David Salter — Wed, 05 Feb 2025 13:29:53 GMT

Please can you confirm which version of SNA you have installed?

Re: Cisco Secure Network Analytics - Custom Events not working towards

aleksta9826435 — Wed, 05 Feb 2025 13:44:59 GMT

I'm running the latest version.
7.5.1

Re: Cisco Secure Network Analytics - Custom Events not working towards

David Salter — Thu, 06 Feb 2025 11:23:02 GMT

Unfortunately you cannot use NMV telemetry to trigger a custom security event the way you describe.

The 'worst case scenario' for a host running Secure Client is the remote worker use case where the NVM telemetry may be cached for some time before the user connects back to the corporate network via VPN, at which point the cached telemetry is forwarded to SNA and written to the database however the timestamps will be outside of the 5 minute window used by the core engine for real time detections. Today, NVM can be classed as additional context so it will be visible via Report Builder.

Re: Cisco Secure Network Analytics - Custom Events not working towards

aleksta9826435 — Thu, 06 Feb 2025 12:43:25 GMT

Okey. So what you are saying Is that It's not possible to create "Custom Security Events" towards NVM telemetry data?
My NVM-module configuration Is only for endpoints that are on a "trusted network".

I actually got some hits today in my "Security Insight Dashboard" of yesterdays creation of my Custom Security Event.
But the alerts Is triggered on others endpoints that not even have the NVM-module installed which Is weird.

Thanks

Re: Cisco Secure Network Analytics - Custom Events not working towards

David Salter — Thu, 06 Feb 2025 14:52:35 GMT

Can you share the custom security event configuration?

Re: Cisco Secure Network Analytics - Custom Events not working towards

aleksta9826435 — Thu, 06 Feb 2025 16:30:03 GMT

I'll attach the screenshot below.