Mohammed;
CS-MARS primarliy makes use of syslog, SNMP traps and IPS events for incident generation. By confgiuring your various security devices (firewalls, IPS devices, AAA servers, Windows domain controllers, etc) CS-MARS can effectively inform you of potential security incidents within your network.
By adding netflow data to the CS-MARS it is now possible for CS-MARS to provide anomaly-based incidents that can alert you to changes in traffic patterns on your network. In most instances, you do not need netflow being sent from every netflow-capable device in your network. By configuring devices in locations that have the best "view" into the traffic on your network, the CS-MARS should be able to successfully detect these anomalous changes. You can read more in the user guide here:
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgOver.html#wpmkr180414
Scott