Hi Farrukh, I'm not sure what feeds this report. Is there a way to tell? I have an IPS in my ASA, and also have Active Directory sending reports to MARS.
Event type: Penetrate/Backdoor/Spyware/Response
Query Type: Source IPs ranked by Sessions
Just query MARS for this event-type. Once you get the old incidents in the Query, MARS will show you the 'Reporting Devices' name. Check this link:
The reporting devices are IDSM2/4240 sensor, etc.
Farrukh, great idea. The only problem is that I chose to have it show me the report for a month, and for a year, and MARS immediately comes back without data. I know I had data from the last year in this report (probably 3 months ago). I choose "Year", then click "display report", and 1 second later it comes back blank, like it didn't try to pull the data.
Can you log on to the CLI (SSH) and restart the MARS services? Usually MARS should make this large time-span query as a 'Batch Query' (and not inline), which would be delivered to your email inbox (if configured).
I can try this, though I did reboot MARS last week and still didn't get the report. I double-checked my IPS module in my ASA to make sure it is sending alerts to MARS, and it is. Thanks for all of your help!