netcmh (United States of America) asked:

How to create meaningful daily IME reports?

Hello,

I have the Cisco SSM-20 configured as an inline module on an ASA 5520 and would like to know how to create meaningful daily scheduled reports.

I have the reports being emailed daily, but it is massive and I need to drill down a lot to get to the interesting bits.

Please help.

Thank you.
netcmh (asker):

Anyone?
btan:

I was thinking the report should consider the following, and the system health checks should already be monitored separately via SNMP (network monitor) or syslog (SIEM type). The account review is more of a monthly review to track any role changes, accounts deleted, redundant accounts and privilege assignment, mainly on the modify and removal side, especially when staff resign or change roles.

For Firewall
• Top Infected Hosts
• Top Malware Ports
• Top Malware Sites
• Top Destinations
• Top Services
• Top Sources

For IPS
• Inspection/Global Correlation
• IPS Simulation Mode
• Target Analysis
• Top Attackers
• Top Blocked/Unblocked Signatures
• Top Signatures
• Top Victims

For VPN
• Top Bandwidth Users (SSL/IPsec)
• Top Duration Users (SSL/IPsec)
• Top Throughput Users (SSL/IPsec)
• User Report
• VPN Device Usage Report
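The "Top Attackers / Top Victims / Top Signatures / Top Blocked vs Unblocked Signatures" tables listed above are all the same operation: filter the day's events down to the ones that matter, then count by one field. The following is an added example (not code from this thread, from Cisco IME, or from any Cisco product) that does exactly that over a constructed, CSV-like export. The record layout, the signature ids and names, the action labels and the sample addresses are all assumptions made up for the example; a real IME or syslog export would need its own parser, but the aggregation and the risk-rating filter that keeps the summary readable are the same.

```python
"""Daily top-N IPS summary (added example; not Cisco IME code).

The record format is constructed for this example: it is not a real IME, SDEE
or Cisco syslog layout. Only the parser would change for a real export.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample export (not real sensor output):
# timestamp,attacker,victim,sig_id,sig_name,risk_rating,action
# Addresses are RFC 5737 documentation ranges; signature ids/names are made up.
SAMPLE_EVENTS = """\
2013-06-10T00:12:05,10.0.0.5,192.0.2.10,1001,Host Sweep,35,alert
2013-06-10T00:13:41,10.0.0.5,192.0.2.11,1001,Host Sweep,35,alert
2013-06-10T00:14:02,10.0.0.5,192.0.2.12,1001,Host Sweep,35,alert
2013-06-10T03:20:17,198.51.100.7,192.0.2.10,1002,Web Command Injection Attempt,90,deny-packet
2013-06-10T03:20:18,198.51.100.7,192.0.2.10,1002,Web Command Injection Attempt,90,deny-packet
2013-06-10T03:21:05,198.51.100.7,192.0.2.13,1002,Web Command Injection Attempt,90,deny-packet
2013-06-10T03:25:44,198.51.100.7,192.0.2.10,1002,Web Command Injection Attempt,90,deny-packet
2013-06-10T09:01:00,203.0.113.9,192.0.2.20,1003,ICMP Echo Request,25,alert
2013-06-10T09:01:01,203.0.113.9,192.0.2.21,1003,ICMP Echo Request,25,alert
2013-06-10T10:00:00,truncated,line
"""

# Action labels that mean the sensor dropped traffic (constructed for this example).
BLOCKING_ACTIONS = {"deny-packet", "deny-connection", "deny-attacker"}


class Event(NamedTuple):
    ts: str
    attacker: str
    victim: str
    sig_id: str
    sig_name: str
    risk: int
    action: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed export; malformed rows are skipped rather than fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 7:
            continue  # truncated or foreign line: do not abort the whole report
        ts, attacker, victim, sig_id, sig_name, risk, action = fields
        try:
            events.append(Event(ts, attacker, victim, sig_id, sig_name, int(risk), action))
        except ValueError:  # non-numeric risk rating
            continue
    return events


def top_n(events: List[Event], key, n: int = 5) -> List[Tuple[str, int]]:
    """Most frequent values of key(event), highest count first."""
    return Counter(key(e) for e in events).most_common(n)


def sig_label(e: Event) -> str:
    return f"{e.sig_id} {e.sig_name}"


def daily_summary(events: List[Event], n: int = 5, min_risk: int = 0) -> Dict[str, object]:
    """Build the 'top' tables a daily IPS report needs.

    min_risk drops low-risk noise (sweeps, pings) before counting; that filter,
    not the counting, is what turns an event dump into something readable.
    """
    kept = [e for e in events if e.risk >= min_risk]
    blocked = [e for e in kept if e.action in BLOCKING_ACTIONS]
    unblocked = [e for e in kept if e.action not in BLOCKING_ACTIONS]
    return {
        "top_attackers": top_n(kept, lambda e: e.attacker, n),
        "top_victims": top_n(kept, lambda e: e.victim, n),
        "top_signatures": top_n(kept, sig_label, n),
        "top_blocked_signatures": top_n(blocked, sig_label, n),
        "top_unblocked_signatures": top_n(unblocked, sig_label, n),
        "totals": {"events": len(kept), "blocked": len(blocked), "alert_only": len(unblocked)},
    }


def render(summary: Dict[str, object]) -> str:
    """Plain-text rendering suitable for the body of a daily e-mail."""
    totals = summary["totals"]
    lines = [f"Events: {totals['events']} "
             f"(blocked {totals['blocked']}, alert-only {totals['alert_only']})"]
    for section in ("top_attackers", "top_victims", "top_signatures",
                    "top_blocked_signatures", "top_unblocked_signatures"):
        lines.append(section.replace("_", " ").title() + ":")
        for label, count in summary[section]:
            lines.append(f"  {count:>5}  {label}")
    return "\n".join(lines)


if __name__ == "__main__":
    # min_risk=30 hides the ICMP noise; raise it further for a management-facing view.
    print(render(daily_summary(parse_events(SAMPLE_EVENTS), n=3, min_risk=30)))
```

Running it with `min_risk=30` leaves the blocked web attacks and the host sweep at the top and drops the ping traffic entirely; the same data with `min_risk=0` is the undifferentiated dump the question complains about.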
netcmh (asker):

Sure. How do I do it?

I mean I know how to click the choices, but it's not relatable. It's not easy on the eyes and it makes for very bad reporting, if management asks for something.
btan:

If there is Cisco Security Manager, the Report Manager is useful for understanding the system-defined reports or the customised ones:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/rptmgmt.html#wp513414
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/rptmgmt.html#wp513791

For IME reporting:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/ime/ime_reports.html#wp1032167

You can customize your report by configuring the number of items you want in your report and what the time interval should be. You can also use DNS to resolve the IP addresses. You can also use filters to further refine the type of information you want your report to contain.
netcmh (asker):

I have IME and have used that very document to set up the reports, but I'm not convinced that Cisco would not have something better than what IME gives me.
btan:

Neither do I, as that is as far as the reporting capabilities go. Really fruitful for the bosses is the big picture of the infra security posture guarding the critical assets, the number of incidents/breaches prevented, and the response within that minute of time. All of it drills back to the return on the security investment based on this security inventory.

...I think probably only a SIEM gathering all the syslog from the network can make the mark; otherwise we can cover only the attacks, and I don't think they are interested in operational parameters such as those.

...however, Cisco MARS seems to be able to achieve some sort:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/data_sheet_c78-458671.html

Query and Reporting
• Low-latency, real-time event query
• GUI that supports numerous default queries and customized queries
• More than 150 popular reports, including management, operational, and regulatory
• Intuitive report generation yielding unlimited customized reports
• Data, chart, and trend formats that support HTML and comma-separated value (CSV) export
• Live, batch, template, and e-mail forwarding reporting system
• Easy-to-use query structure built for an effective navigation to the information in a specific incident
netcmh (asker):

We had phased MARS out before the IPS came in.
btan:

MARS will be an enterprise-wide deployable solution that will act as a broader security umbrella for reporting and responding to security alerts.

IME will continue to have a limited scope of IPS/IDS hosts that it can receive events from. IME, although limited on various fronts, will definitely meet the needs of small/medium businesses who are looking to gain quick, user-friendly access to security events. At least IME looks like a much better tool compared with EventViewer (performance stats, dashboards, better queries).

I don't think IME can be "pushed" as far:
https://supportforums.cisco.com/message/3378853#3378853
ASKER CERTIFIED SOLUTION (netcmh)

This solution is only available to members of Experts Exchange.

btan:

Only those that are readily available, at least to me :)
netcmh (asker):

Then I'll go ahead and close this, as a solution was not found. I am thankful for all the input you've provided.

btan:

No problem :)
netcmh (asker):

No solution to my issue provided.