3 Replies Latest reply on Apr 26, 2012 3:30 PM by nicole pauls

    Report Question

    mcoupe

      Does anyone have an idea in which report I might be able to track down a Cisco ASA SID of ASA-5-502103, which is a privilege change? I've been hunting high and low but can't seem to find it.


      Thanks.

        • Re: Report Question
          nicole pauls

          I checked on our end, and ASA-5-502103 is a UserModifyPrivileges alert.


          If you just want to find it, the fastest way to do this is in nDepth (Explore > nDepth in the Console). Do a search for one of the following:

          • The text "ASA-5-502103" (just put it in the search box) to search for anything containing that string
          • or use "UserModifyPrivileges EXISTS" (drag the UserModifyPrivileges alert into the search box and delete other stuff) to search for those alerts from any source/device


          In Reports, these UserModifyPrivileges alerts appear in:

          • Resource Configuration (Master) (RPT2003-08)
          • Resource Configuration - User Authorization Audit (Detail) (RPT2003-08-05)


          After running the report, you can use the Select Expert to filter it only to Cisco devices or this SID (use genericalert.detectionip to filter by device, use genericalert.toolalias to filter by type, use genericalert.providersid to filter by SID).
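
          For anyone who wants to reproduce the same two filters (by SID and by device) outside the report viewer, here is an added example, not from the original thread or from SolarWinds: a small Python script that parses Cisco ASA syslog lines, keys each event on its `ASA-<severity>-<id>` string (the same value the answer above searches for in nDepth and filters on via genericalert.providersid), and pulls the user and old/new privilege levels out of ASA-5-502103 messages. The syslog header layout and the sample lines are constructed for the example; the message text shape for 502103 ("User priv level changed: Uname: ... From: ... To: ...") is taken from Cisco's documented format, and any device should be checked against its own output.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample data (not captured from a real device). The header layout
# (timestamp, device IP, " : ") is an assumption about how the collector writes
# lines; only the "%ASA-<severity>-<id>: <text>" part is Cisco's own format.
SAMPLE_LOG = """\
Apr 26 2012 15:30:01 192.0.2.10 : %ASA-5-502103: User priv level changed: Uname: alice From: 1 To: 15
Apr 26 2012 15:30:05 192.0.2.10 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:192.0.2.55/443 (192.0.2.55/443)
Apr 26 2012 15:31:12 192.0.2.11 : %ASA-5-502103: User priv level changed: Uname: bob From: 15 To: 1
Apr 26 2012 15:31:40 192.0.2.11 : %ASA-6-605005: Login permitted from 203.0.113.9/4021 to inside:192.0.2.11/ssh for user "carol"
"""

ASA_LINE_RE = re.compile(
    r"^(?P<timestamp>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<device_ip>\d{1,3}(?:\.\d{1,3}){3}) : "
    r"%ASA-(?P<severity>[0-7])-(?P<msg_id>\d{6}): (?P<text>.*)$"
)

# Payload of message 502103 per Cisco's documented format.
PRIV_CHANGE_RE = re.compile(r"Uname: (?P<user>\S+) From: (?P<old>\d+) To: (?P<new>\d+)")


@dataclass
class AsaEvent:
    timestamp: str
    device_ip: str
    severity: int
    sid: str   # e.g. "ASA-5-502103": the string to search for in nDepth / providersid
    text: str


def parse_asa_lines(lines) -> Iterator[AsaEvent]:
    """Yield one AsaEvent per line that matches the ASA syslog layout."""
    for line in lines:
        m = ASA_LINE_RE.match(line.strip())
        if not m:
            continue  # not an ASA-format line; skip rather than guess
        yield AsaEvent(
            timestamp=m["timestamp"],
            device_ip=m["device_ip"],
            severity=int(m["severity"]),
            sid=f"ASA-{m['severity']}-{m['msg_id']}",
            text=m["text"],
        )


def filter_events(events, sid: Optional[str] = None,
                  device_ip: Optional[str] = None) -> List[AsaEvent]:
    """Apply the two filters from the answer: by SID and/or by originating device."""
    return [e for e in events
            if (sid is None or e.sid == sid)
            and (device_ip is None or e.device_ip == device_ip)]


def privilege_changes(lines, device_ip: Optional[str] = None) -> List[Tuple[str, str, int, int]]:
    """Return (device_ip, user, old_level, new_level) for each ASA-5-502103 event."""
    out = []
    for e in filter_events(parse_asa_lines(lines), sid="ASA-5-502103", device_ip=device_ip):
        m = PRIV_CHANGE_RE.search(e.text)
        if m:
            out.append((e.device_ip, m["user"], int(m["old"]), int(m["new"])))
    return out


if __name__ == "__main__":
    for device, user, old, new in privilege_changes(SAMPLE_LOG.splitlines()):
        direction = "ESCALATION" if new > old else "reduction"
        print(f"{device}: {user} level {old} -> {new} ({direction})")
```

Run it as-is and it prints the two privilege changes from the sample, flagging alice's jump from level 1 to 15 as an escalation; passing `device_ip="192.0.2.11"` narrows it to one device, the same effect as the genericalert.detectionip filter in the report.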

            • Re: Report Question
              mcoupe

              Thanks Colby the second half of that is exactly what I needed.  Do you know of a document that lists what appears in which report?  That would make building custom reports with the filters much quicker and easier.


              Thanks again.

                • Re: Report Question
                  nicole pauls

                  There isn't, but we'll get something up one way or another (a blog or doc or KB). In the meantime, if this comes up again feel free to ask on Thwack and I'll dig up the answer.


                  The reports are generally structured around "groups" of alert types, if you look at the tree version of the alert view. For example, the Authentication Report is going to have most of the "Auth Audit" and below alerts related to logging in, out, failing, etc. The Resource Configuration report is going to have things around user, group, policy, and configuration changes, which are sort of the misfits of the other reports. The "Security" reports are going to be the Security part of the taxonomy - and generally follow below that.


                  I'll post back when the doc (or whatever) is up.