User Guide for Cisco Security MARS Local Controller
Chapter 20 Queries and Reports
Reporting Device Ranking
Returns most active reporting devices. Ranked by either: number of sessions that contain events from
the device or by bytes transmitted in sessions that contain events that meet the query criteria.
Reporting Device Type Ranking
Returns most active reporting device types. Ranked by either: number of sessions that contain events
from a device of that type or by bytes transmitted in sessions that contain events that meet the query
Reported User Ranking
Returns information about users from reporting devices such as: Windows clients, Solaris clients, etc.
Ranked by either: number of sessions that contain events from a reported user or by bytes transmitted in
sessions that contain events that meet the query criteria.
Matched Rule Ranking
Returns top firing rules. Ranked by number of incidents.
Matched Incident Ranking
Returns incidents. Ranked by either: number of sessions that contain events that meet the criteria that
contributed to the incident or by bytes transmitted real time in sessions that contain events that meet the
query criteria.
All Matching Sessions
Returns all sessions that contain events that meet the criteria. Sessions that contain a common set of
event types are grouped together. They are also sub-grouped by session source IP address and session
destination IP address. Sessions in the same sub-group are ordered by time. Real Time results are
available for this Result Type.
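The ranking and grouping semantics described for Reporting Device Ranking and All Matching Sessions, shown as an added Python example that is not part of the Cisco guide or of MARS itself. It assumes a constructed list of session records (device, event types, source/destination IP, bytes, time) and a query criterion expressed as a set of event types; a session matches when it contains at least one of those event types.

```python
from collections import defaultdict

# Constructed sample session records (not MARS data): each session carries the
# reporting device, the event types seen in it, the session endpoints, the bytes
# transmitted and a start time used for ordering.
SESSIONS = [
    {"id": "s1", "device": "fw-1",  "events": {"deny", "scan"}, "src": "10.0.0.5", "dst": "192.0.2.9",  "bytes": 400,  "time": 3},
    {"id": "s2", "device": "fw-1",  "events": {"deny"},         "src": "10.0.0.5", "dst": "192.0.2.9",  "bytes": 100,  "time": 1},
    {"id": "s3", "device": "ids-1", "events": {"deny", "scan"}, "src": "10.0.0.5", "dst": "192.0.2.9",  "bytes": 50,   "time": 2},
    {"id": "s4", "device": "ids-1", "events": {"scan", "deny"}, "src": "10.0.0.7", "dst": "192.0.2.9",  "bytes": 900,  "time": 4},
    {"id": "s5", "device": "ids-1", "events": {"login"},        "src": "10.0.0.8", "dst": "192.0.2.10", "bytes": 5000, "time": 5},
    {"id": "s6", "device": "fw-1",  "events": {"deny"},         "src": "10.0.0.6", "dst": "192.0.2.9",  "bytes": 30,   "time": 6},
]


def matching_sessions(sessions, criteria):
    """Keep only sessions that contain at least one event type named in the query criteria."""
    return [s for s in sessions if s["events"] & criteria]


def rank_devices(sessions, criteria, by="sessions"):
    """Reporting Device Ranking: rank devices by session count or by bytes
    transmitted, counting only sessions that contain events meeting the criteria."""
    totals = defaultdict(int)
    for s in matching_sessions(sessions, criteria):
        totals[s["device"]] += 1 if by == "sessions" else s["bytes"]
    # Highest total first; the device name breaks ties deterministically.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def group_sessions(sessions, criteria):
    """All Matching Sessions: group sessions by their common set of event types,
    sub-group by (source IP, destination IP), and order each sub-group by time."""
    groups = defaultdict(lambda: defaultdict(list))
    for s in matching_sessions(sessions, criteria):
        groups[frozenset(s["events"])][(s["src"], s["dst"])].append(s)
    return {
        events: {pair: [s["id"] for s in sorted(subs, key=lambda s: s["time"])]
                 for pair, subs in pairs.items()}
        for events, pairs in groups.items()
    }


if __name__ == "__main__":
    crit = {"deny", "scan"}
    print(rank_devices(SESSIONS, crit, by="sessions"))
    print(rank_devices(SESSIONS, crit, by="bytes"))
    for events, pairs in group_sessions(SESSIONS, crit).items():
        print(sorted(events), pairs)
```

Note that the same data yields a different top device depending on the Order/Rank By choice: fw-1 leads by session count, while ids-1 leads by bytes, and the non-matching "login" session contributes to neither.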
All Matching Events
Returns events. Ranked by time with the most current first. Real Time results are available for this Result
All Matching Event Raw Messages
Returns the raw messages associated with events. Ranked by time with the most current first. Real Time
results are available for this Result Type.
NAT Connection Report
Returns NAT connections. Ranked by time with the most current first.
MAC Address Report
Returns MAC addresses. Ranked by time with the most current first.
Unknown Event Report
Returns events that are not fully processed by MARS. In some cases, event information such as the
five-tuple (source IP, source port, destination IP, destination port, and protocol) might not be present,
hence such events cannot be queried in real time.
Order/Rank By
This selection determines the ranking or order of the query’s results. These selections are determined by
the kind of Result Format that you use when you run the query.
Session Count
The number of sessions that contain events that meet the criteria that contributed to the incident.