Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
724
Views
0
Helpful
6
Replies

Cisco Secure Network Analytics - Custom Events not working towards NVM

Go to solution
aleksta9826435
Level 1
Level 1

‎02-05-2025 02:22 AM

Hi all

Experiencing Issues with creating Custom Security Events towards NVM (nvzflows) In my SNA platform.
Been creating a test Custom Security Event, just to see If it triggers.

"CSE: Forbidden Application"
When any subject host; using the process "well known .exe" communicates with any peer host, an alarm is raised.

Subject Process Names "well known .exe" on windows hosts.

Saved the Custom Event.

On my endpoint this well known .exe Process Names" triggeres. And It's visibile under the "Report Builder" --> Endpoint Traffic (NVM).

But no alert shows up under my Security Insight Dashbard.
Why?

The goal of my NVM (nvzflows) Is to create "Custom Security Events" for alerts.

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
aleksta9826435
Level 1
Level 1
In response to David Salter

‎02-06-2025 08:30 AM

I'll attach the screenshot below.

View solution in original post

Preview file
63 KB
0 Helpful
6 Replies 6

Go to solution
David Salter
Cisco Employee
Cisco Employee

‎02-05-2025 05:29 AM

Please can you confirm which version of SNA you have installed?

0 Helpful

Go to solution
aleksta9826435
Level 1
Level 1
In response to David Salter

‎02-05-2025 05:44 AM

I'm running the latest version.
7.5.1

0 Helpful

Go to solution
David Salter
Cisco Employee
Cisco Employee

‎02-06-2025 03:23 AM

Unfortunately you cannot use NMV telemetry to trigger a custom security event the way you describe. 

The 'worst case scenario' for a host running Secure Client is the remote worker use case where the NVM telemetry may be cached for some time before the user connects back to the corporate network via VPN, at which point the cached telemetry is forwarded to SNA and written to the database however the timestamps will be outside of the 5 minute window used by the core engine for real time detections.  Today, NVM can be classed as additional context so it will be visible via Report Builder.

0 Helpful

Go to solution
aleksta9826435
Level 1
Level 1
In response to David Salter

‎02-06-2025 04:43 AM

Okey. So what you are saying Is that It's not possible to create "Custom Security Events" towards NVM telemetry data?
My NVM-module configuration Is only for endpoints that are on a "trusted network".

I actually got some hits today in my "Security Insight Dashboard" of yesterdays creation of my Custom Security Event.
But the alerts Is triggered on others endpoints that not even have the NVM-module installed which Is weird.

Thanks

0 Helpful

Go to solution
David Salter
Cisco Employee
Cisco Employee

‎02-06-2025 06:52 AM

Can you share the custom security event configuration?

0 Helpful

Go to solution
aleksta9826435
Level 1
Level 1
In response to David Salter

‎02-06-2025 08:30 AM

I'll attach the screenshot below.

Preview file
63 KB
0 Helpful
Customers Also Viewed These Support Documents