How to create meaningful daily IME reports?

Hello,

I have the Cisco SSM-20 configured as an inline module on an ASA 5520 and would like to know how to create meaningful daily scheduled reports.

I have the reports being emailed daily, but it is massive and I need to drill down a lot to get to the interesting bits.

Please help.

Thank you.
netcmh (Author) asked:

netcmh (Author) commented:
Anyone?
0
btan (Exec Consultant) commented:
I was thinking the report should consider the following, and the system health checks should already be monitored separately via SNMP (network monitor) or syslog (SIEMS type). The account review is more of a monthly review to track any role changes, accounts deleted, redundant accounts and privilege assignment - mainly on the modify and removal, esp. on resignation and when staff change roles.

For Firewall
• Top Infected Hosts
• Top Malware Ports
• Top Malware Sites
• Top Destinations
• Top Services
• Top Sources

For IPS
• Inspection/Global Correlation
• IPS Simulation Mode
• Target Analysis
• Top Attackers
• Top Blocked/Unblocked Signatures
• Top Signatures
• Top Victims

For VPN
• Top Bandwidth Users (SSL/IPsec)
• Top Duration Users (SSL/IPsec)
• Top Throughput Users (SSL/IPsec)
• User Report
• VPN Device Usage Report
0
netcmh (Author) commented:
Sure. How do I do it?

I mean I know how to click the choices, but it's not relatable. It's not easy on the eyes and it makes for very bad reporting, if management asks for something.
0
btan (Exec Consultant) commented:
If there is Cisco Security Manager, the Report Manager is useful to understand the system-defined reports or the customised ones:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/rptmgmt.html#wp513414
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/rptmgmt.html#wp513791

For IME reporting:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/ime/ime_reports.html#wp1032167

You can customize your report by configuring the number of items you want in your report and what the time interval should be. You can also use DNS to resolve the IP addresses. You can also use filters to further refine the type of information you want your report to contain.
0
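The "Top ..." views btan lists above (top signatures, attackers, victims, blocked/unblocked signatures) and the knobs the IME reporting document describes (number of items, time interval, filters) are all simple aggregations over the raw event data. The script below is an added example, not code from the page or from Cisco IME: it takes a CSV export of IPS events and produces exactly those top-N views for a chosen time window and minimum severity, so the "interesting bits" surface without drilling down. The column names and the sample rows are constructed for the example and are not IME's actual export schema.

```python
"""Added example: build the 'Top ...' daily views from an IPS event export.
Not IME's own code; the CSV layout below is an assumed, constructed schema."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export (hypothetical columns and signature names, not IME's real schema).
# An empty 'action' means the signature fired but nothing was blocked.
SAMPLE_EXPORT = """timestamp,sig_id,sig_name,attacker,victim,severity,action
2013-04-01T08:00:12,1001,Sample ICMP Sweep,10.0.0.5,192.0.2.10,low,
2013-04-01T08:05:40,1002,Sample HTTP Exploit Attempt,198.51.100.7,192.0.2.20,high,denyAttackerInline
2013-04-01T08:06:01,1002,Sample HTTP Exploit Attempt,198.51.100.7,192.0.2.21,high,denyAttackerInline
2013-04-01T09:15:22,1003,Sample SYN Flood,203.0.113.9,192.0.2.20,high,
2013-04-01T09:16:02,1001,Sample ICMP Sweep,10.0.0.6,192.0.2.10,low,
2013-03-30T22:00:00,1002,Sample HTTP Exploit Attempt,198.51.100.8,192.0.2.22,high,denyAttackerInline
"""

# End of the reporting window for the sample data (constructed).
REPORT_END = datetime(2013, 4, 1, 23, 59)

# Severity ordering used by the minimum-severity filter.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


def parse_events(text):
    """Parse the CSV export into dicts, converting the timestamp column."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def filter_events(events, end, days=1, min_severity="low"):
    """Keep events inside the last `days` before `end` at or above `min_severity`."""
    start = end - timedelta(days=days)
    floor = SEVERITY_RANK[min_severity]
    return [e for e in events
            if start <= e["timestamp"] <= end
            and SEVERITY_RANK.get(e["severity"], 0) >= floor]


def top_n(events, key, n=5):
    """Count events by `key` and return the n most frequent (item, count) pairs."""
    return Counter(key(e) for e in events).most_common(n)


def build_report(text, end=REPORT_END, days=1, n=5, min_severity="low"):
    """Produce the top-N views for one reporting window as a dict of lists."""
    events = filter_events(parse_events(text), end, days, min_severity)
    blocked = [e for e in events if e["action"]]
    unblocked = [e for e in events if not e["action"]]
    return {
        "total_events": len(events),
        "top_signatures": top_n(events, lambda e: f'{e["sig_id"]} {e["sig_name"]}', n),
        "top_attackers": top_n(events, lambda e: e["attacker"], n),
        "top_victims": top_n(events, lambda e: e["victim"], n),
        "top_blocked_signatures": top_n(blocked, lambda e: e["sig_name"], n),
        "top_unblocked_signatures": top_n(unblocked, lambda e: e["sig_name"], n),
    }


def render(report):
    """Format the report as plain text suitable for an e-mailed daily summary."""
    lines = [f"Events in window: {report['total_events']}"]
    for title, rows in report.items():
        if title == "total_events":
            continue
        lines.append("")
        lines.append(title.replace("_", " ").title())
        for item, count in rows:
            lines.append(f"  {count:>5}  {item}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Full day, all severities, five items per view.
    print(render(build_report(SAMPLE_EXPORT, days=1, n=5)))
    print()
    # Same day, high severity only, three items per view: the management view.
    print(render(build_report(SAMPLE_EXPORT, days=1, n=3, min_severity="high")))
```

Running it against a real export only requires adjusting the column names in `parse_events` and the keys in `build_report`; the window, item count and severity filter map directly onto the IME report options the document above describes.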
netcmh (Author) commented:
I have IME and have used that very document to set up the reports, but I'm not convinced that Cisco would not have something better than what IME gives me.
0
btan (Exec Consultant) commented:
Neither do I, as that is as far as the reporting capabilities go. What is really fruitful for the bosses is the big picture of the infra security posture guarding the critical assets, the no. of incidents/breaches prevented, and the response within that minute of time. All drill back to the return on the security investment based on this security inventory.

...I think probably only through a SIEMS gathering all the syslog from the network can we make the mark; else we can cover only the attacks, and I never think they are interested in operational parameters such as those.

.... however, Cisco MARS seems to be able to achieve some sort of this:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/data_sheet_c78-458671.html

Query and Reporting:
• Low-latency, real-time event query
• GUI that supports numerous default queries and customized queries
• More than 150 popular reports, including management, operational, and regulatory
• Intuitive report generation yielding unlimited customized reports
• Data, chart, and trend formats that support HTML and comma-separated value (CSV) export
• Live, batch, template, and e-mail forwarding reporting system
• Easy-to-use query structure built for an effective navigation to the information in a specific incident
0
netcmh (Author) commented:
We had phased MARS out before the IPS came in.
0
btan (Exec Consultant) commented:
MARS will be an Enterprise wide deployable solution that will act as a broader security umbrella for reporting and responding to security alerts.

IME will continue to have a limited scope of IPS/IDS hosts that it can receive events from. IME, although limited on various fronts, will definitely meet the needs of small/medium businesses who are looking to gain quick, user-friendly access to security events. At least IME looks like a much better tool compared with EventViewer (performance stats, dashboards, better queries).

I don't think IME can be "pushed" as far:
https://supportforums.cisco.com/message/3378853#3378853
0
netcmh (Author) commented:
So, no way of getting what I asked for?
0

btan (Exec Consultant) commented:
Only those that are readily available, at least to me :)
0
netcmh (Author) commented:
Then, I'll go ahead and close this as solution was not found. I am thankful for all the input you've provided.
0
btan (Exec Consultant) commented:
No problem :)
0
netcmh (Author) commented:
No solution to my issue provided.
0