I checked on our end, and ASA-5-502103 is a UserModifyPrivileges alert.
If you just want to find it, the fastest way to do this is in nDepth (Explore > nDepth in the Console). Do a search for one of the following:
- The text "ASA-5-502103" (just put it in the search box) to search for anything containing that string
- or use "UserModifyPrivileges EXISTS" (drag the UserModifyPrivileges alert into the search box and delete other stuff) to search for those alerts from any source/device
In Reports, these UserModifyPrivileges alerts appear in:
- Resource Configuration (Master) (RPT2003-08)
- Resource Configuration - User Authorization Audit (Detail) (RPT2003-08-05)
After running the report, you can use the Select Expert to filter it only to Cisco devices or this SID (use genericalert.detectionip to filter by device, use genericalert.toolalias to filter by type, use genericalert.providersid to filter by SID).
Thanks Colby, the second half of that is exactly what I needed. Do you know of a document that lists what appears in which report? That would make building custom reports with the filters much quicker and easier.
There isn't, but we'll get something up one way or another (a blog or doc or KB). In the meantime, if this comes up again, feel free to ask on Thwack and I'll dig up the answer.
The reports are generally structured around "groups" of alert types, if you look at the tree version of the alert view. For example, the Authentication Report is going to have most of the "Auth Audit" and below alerts related to logging in, out, failing, etc. The Resource Configuration report is going to have things around user, group, policy, and configuration changes, which are sort of the misfits of the other reports. The "Security" reports are going to be the Security part of the taxonomy - and generally follow below that.
I'll post back when the doc (or whatever) is up.