How to create meaningful daily IME reports?


I have the Cisco SSM-20 configured as an inline module on an ASA 5520 and would like to know how to create meaningful daily scheduled reports.

I have the reports being emailed daily, but it is massive and I need to drill down a lot to get to the interesting bits.

Please help.

Thank you.
netcmhAuthor Commented:
So, no way of getting what I asked for?
netcmhAuthor Commented:
btanExec ConsultantCommented:
I was thinking the report should consider the following, and the system health checks should already be monitored separately via SNMP (network monitor) or syslog (SIEM type). The account review is more of a monthly review to track any role changes, deleted accounts, redundant accounts and privilege assignment, mainly on the modify and removal side, especially when staff resign or change roles.

For Firewall
• Top Infected Hosts
• Top Malware Ports
• Top Malware Sites
• Top Destinations
• Top Services
• Top Sources

• Inspection/Global Correlation
• IPS Simulation Mode
• Target Analysis
• Top Attackers
• Top Blocked/Unblocked Signatures
• Top Signatures
• Top Victims

• Top Bandwidth Users (SSL/IPsec)
• Top Duration Users (SSL/IPsec)
• Top Throughput Users (SSL/IPsec)
• User Report
• VPN Device Usage Report

netcmhAuthor Commented:
Sure. How do I do it?

I mean I know how to click the choices, but it's not relatable. It's not easy on the eyes and it makes for very bad reporting, if management asks for something.
btanExec ConsultantCommented:
If there is Cisco Security Manager, the Report Manager is useful for understanding the system-defined reports or the customised ones.

For IME reporting

You can customize your report by configuring the number of items you want in your report and what the time interval should be. You can also use DNS to resolve the IP addresses. You can also use filters to further refine the type of information you want your report to contain.
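The four knobs described above (number of items, time interval, DNS resolution, filters) are easy to reproduce outside IME once the alerts are in a flat file, which is also the shape a SIEM would consume. The script below is an added example, not IME or Cisco code: it assumes alert records already exported to CSV with a column layout invented for this example (timestamp, attacker, victim, sig_id, sig_name, action), which is not the real IME or SDEE format, and it uses a constructed reverse-DNS table in place of a live resolver so it runs offline. It builds the top-N sections from the list earlier in this thread (top attackers, top victims, top signatures, top blocked signatures) for a 24-hour window ending at a given time, with a predicate filter to drop a noisy signature.

```python
"""
Added example (not from IME or Cisco): build a compact daily top-N summary
from IPS alert records using the same knobs the IME report options expose:
item count, time interval, DNS resolution and filters.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alert records. The column layout is an assumption for
# this example; it is NOT the real IME/SDEE export format.
SAMPLE_ALERTS = """\
timestamp,attacker,victim,sig_id,sig_name,action
2012-05-01T08:02:11,203.0.113.5,192.0.2.10,2004,ICMP Echo Request,allowed
2012-05-01T10:15:00,203.0.113.5,192.0.2.10,5081,WWW cmd.exe Access,denied
2012-05-01T10:16:30,203.0.113.5,192.0.2.11,5081,WWW cmd.exe Access,denied
2012-05-01T12:00:00,198.51.100.7,192.0.2.10,3041,TCP SYN/FIN Packet,denied
2012-05-01T15:45:09,203.0.113.5,192.0.2.12,2004,ICMP Echo Request,allowed
2012-05-01T23:59:59,203.0.113.9,192.0.2.10,5081,WWW cmd.exe Access,denied
2012-05-02T03:30:00,203.0.113.5,192.0.2.12,1330,TCP Segment Overwrite,allowed
2012-05-02T08:59:00,198.51.100.7,192.0.2.10,3041,TCP SYN/FIN Packet,denied
2012-05-02T09:30:00,203.0.113.9,192.0.2.10,2004,ICMP Echo Request,allowed
"""

# Constructed reverse-DNS table standing in for a real resolver so the example
# runs offline; in production pass something built on socket.gethostbyaddr.
FAKE_DNS = {"192.0.2.10": "web01.example.net", "203.0.113.5": "scanner.example.org"}

# End of the reporting window used by the demo run below (assumed value).
REPORT_TIME = datetime(2012, 5, 2, 9, 0, 0)


def parse_alerts(text):
    """Parse CSV alert records into dicts with a datetime 'timestamp'."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        alerts.append(row)
    return alerts


def in_window(alerts, now, hours):
    """Keep alerts with now - hours < timestamp <= now (the report interval)."""
    start = now - timedelta(hours=hours)
    return [a for a in alerts if start < a["timestamp"] <= now]


def top_n(alerts, key, n):
    """Count alerts by key(alert); return the n most frequent as (label, count)."""
    return Counter(key(a) for a in alerts).most_common(n)


def label_host(ip, resolver):
    """Render an IP with its resolved name when the resolver knows it."""
    name = resolver(ip) if resolver else None
    return f"{ip} ({name})" if name else ip


def build_daily_report(text, now, items=5, hours=24, predicate=None, resolver=None):
    """Produce the sections a manager reads: attackers, victims, signatures, blocked."""
    alerts = in_window(parse_alerts(text), now, hours)
    if predicate:
        alerts = [a for a in alerts if predicate(a)]
    denied = [a for a in alerts if a["action"] == "denied"]
    sig = lambda a: f'{a["sig_id"]} {a["sig_name"]}'
    return {
        "total": len(alerts),
        "blocked": len(denied),
        "top_attackers": [(label_host(ip, resolver), c)
                          for ip, c in top_n(alerts, lambda a: a["attacker"], items)],
        "top_victims": [(label_host(ip, resolver), c)
                        for ip, c in top_n(alerts, lambda a: a["victim"], items)],
        "top_signatures": top_n(alerts, sig, items),
        "top_blocked_signatures": top_n(denied, sig, items),
    }


def render(report, now, hours):
    """Plain-text rendering short enough to paste into a daily e-mail."""
    lines = [f"IPS daily summary, {hours}h ending {now:%Y-%m-%d %H:%M}",
             f"alerts: {report['total']}  blocked: {report['blocked']}"]
    for section in ("top_attackers", "top_victims", "top_signatures", "top_blocked_signatures"):
        lines.append("")
        lines.append(section.replace("_", " ").title())
        for label, count in report[section]:
            lines.append(f"  {count:4d}  {label}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Filter out the noisy ICMP echo signature so it does not crowd the top lists.
    rpt = build_daily_report(SAMPLE_ALERTS, REPORT_TIME, items=3,
                             predicate=lambda a: a["sig_id"] != "2004",
                             resolver=FAKE_DNS.get)
    print(render(rpt, REPORT_TIME, 24))
```

The predicate is where the drill-down happens before the report is built rather than after: dropping a chatty informational signature, or restricting to `action == "denied"`, is what turns the massive default report into the few lines management will read. Two alerts in the sample fall outside the 24-hour window (one earlier, one after the report time) and are excluded by `in_window`.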
netcmhAuthor Commented:
I have IME and have used that very document to set up the reports, but I'm not convinced that Cisco would not have something better than what IME gives me.
btanExec ConsultantCommented:
Neither do I, as that is as far as the reporting capabilities go. Really fruitful for the bosses is the big picture of the infra security posture guarding the critical assets, the number of incidents/breaches prevented and the response within that minute of time. All drill back to the return on the security investment based on this security inventory.

...I think probably only through a SIEM gathering all the syslog from the network can we make the mark; otherwise we can cover only the attacks, and I never think they are interested in operational parameters such as those.

...however, Cisco MARS seems to be able to achieve some sort

Query and Reporting
• Low-latency, real-time event query
• GUI that supports numerous default queries and customized queries
• More than 150 popular reports, including management, operational, and regulatory
• Intuitive report generation yielding unlimited customized reports
• Data, chart, and trend formats that support HTML and comma-separated value (CSV) export
• Live, batch, template, and e-mail forwarding reporting system
• Easy-to-use query structure built for an effective navigation to the information in a specific incident
netcmhAuthor Commented:
We had phased MARS out before the IPS came in.
btanExec ConsultantCommented:
MARS would be an enterprise-wide deployable solution that acts as a broader security umbrella for reporting and responding to security alerts.

IME will continue to have a limited scope of IPS/IDS hosts that it can receive events from. IME, although limited on various fronts, will definitely meet the needs of small/medium businesses who are looking to gain quick, user-friendly access to security events. At least IME looks like a much better tool compared with EventViewer (performance stats, dashboards, better queries).

I don't think IME can be "pushed" as far.
btanExec ConsultantCommented:
Only those that are readily available, at least to me :)
netcmhAuthor Commented:
Then I'll go ahead and close this, as a solution was not found. I am thankful for all the input you've provided.
btanExec ConsultantCommented:
no problem :)
netcmhAuthor Commented:
No solution to my issue provided.