Chapter 22      Sending Alerts and Incident Notifications
MARS Incident Notification Methods

Table 22-1      MARS Incident Notification Methods

Alert Notification Type            Sent in Human-Readable Format    Sent to a Device
E-mail                             •
XML Notification                   •
Short Message Service (SMS)        •
Pager                              •
SNMP trap                                                           •
Syslog                                                              •
Distributed Threat Mitigation                                       •

Description (E-mail, XML Notification, SMS, Pager):

E-mail, SMS, and pager alerts send the incident ID, matched rule name, severity, and incident time in e-mail, SMS, and pager formats respectively. You must log in to MARS to view all the incident details.

XML notification sends an e-mail notification of an incident with an attached XML data file (see Example 22-2). The XML data file contains the same incident details that can be viewed from the GUI, except for path and mitigation information. The XML data file can be sent as a plain-text file or as a compressed gzip file. The XML data filename is constructed from the incident ID number, for example CS-MARS-Incident-13725095.xml. You can parse and extract data from the XML file with a custom application; for example, you can integrate the XML data with trouble ticketing software. See Appendix A, "Cisco Security MARS XML API Reference," for further information on the MARS XML notification schema and usage guidelines.

MARS SMS text message notifications can be up to 160 characters in length. Because the MARS SMS incident notification exceeds 160 characters, it is sent in three segments.

Pager messages are sent through the MARS internal modem. MARS dials a carrier's IXO/TAP number and uses SNPP to transmit the alphanumeric page. Pager notifications are still possible when the network is down. Pagers can often receive messages in places where mobile phones are inoperative or forbidden (for instance, hospitals).

Description (SNMP trap, Syslog, Distributed Threat Mitigation):

These alerts send the incident ID, matched rule, severity, and incident time to devices or applications, all of which must be properly configured within the MARS device administration pages. See the section Reporting and Mitigation Devices Overview, page 2-1, for information on configuring individual devices to work with MARS.

User Guide for Cisco Security MARS Local Controller      78-17020-01      22-2
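The XML notification row above describes an attachment named after the incident ID, delivered either as plain XML or gzip-compressed, that a custom application can parse and hand to a ticketing system. The following Python is an added example of such a consumer; it is not Cisco code and does not use the real MARS XML schema (Appendix A). The filename pattern CS-MARS-Incident-<ID>.xml comes from the table; the .gz suffix, the element names (Incident, ID, RuleName, Severity, IncidentTime) and the sample document are assumptions constructed for this example. Two practitioner checks are shown: compression is detected from the gzip magic bytes rather than trusted from the filename, and the incident ID embedded in the filename is cross-checked against the one in the body before a ticket record is produced.

```python
import gzip
import re
import xml.etree.ElementTree as ET

# Filename convention stated in the MARS guide: CS-MARS-Incident-<incident ID>.xml.
# A trailing .gz for the compressed variant is an assumption of this example.
FILENAME_RE = re.compile(r"^CS-MARS-Incident-(\d+)\.xml(\.gz)?$")

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def incident_id_from_filename(name):
    """Return the incident ID encoded in the attachment filename, or raise."""
    match = FILENAME_RE.match(name)
    if not match:
        raise ValueError(f"not a MARS incident attachment: {name!r}")
    return int(match.group(1))


def decode_attachment(data):
    """Return raw XML bytes whether the attachment is plain or gzip-compressed.

    The gzip magic bytes are inspected instead of relying on the filename, so a
    mislabelled attachment is still handled correctly."""
    if data[:2] == GZIP_MAGIC:
        return gzip.decompress(data)
    return data


def parse_incident(name, data):
    """Build a minimal ticket record from one notification attachment.

    Element names are assumptions for this example, not the MARS schema."""
    fname_id = incident_id_from_filename(name)
    root = ET.fromstring(decode_attachment(data))
    body_id = int(root.findtext("ID"))
    # The filename and the body must agree before anything is pushed to ticketing.
    if body_id != fname_id:
        raise ValueError(f"incident ID mismatch: filename {fname_id}, body {body_id}")
    return {
        "incident_id": body_id,
        "rule": root.findtext("RuleName"),
        "severity": root.findtext("Severity"),
        "time": root.findtext("IncidentTime"),
    }


# Constructed sample attachment (not a real MARS notification); the incident ID
# matches the filename example given in Table 22-1.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Incident>
  <ID>13725095</ID>
  <RuleName>System Rule: Example Rule</RuleName>
  <Severity>Red</Severity>
  <IncidentTime>2006-01-01 12:00:00</IncidentTime>
</Incident>
"""
SAMPLE_GZ = gzip.compress(SAMPLE_XML)


def parse_plain_sample():
    """Parse the constructed sample delivered as plain XML."""
    return parse_incident("CS-MARS-Incident-13725095.xml", SAMPLE_XML)


def parse_gzip_sample():
    """Parse the constructed sample delivered as a gzip file."""
    return parse_incident("CS-MARS-Incident-13725095.xml.gz", SAMPLE_GZ)


def mismatch_is_rejected():
    """True if a filename whose ID disagrees with the body is refused."""
    try:
        parse_incident("CS-MARS-Incident-1.xml", SAMPLE_XML)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_plain_sample())
    print(parse_gzip_sample())
    print("mismatch rejected:", mismatch_is_rejected())
```

In a real deployment the attachment bytes would come from the MIME part of the notification e-mail and the returned record would be posted to the ticketing system; both steps are environment-specific and left out here.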