Chapter 21 Rules

Table 21-1 Rule Fields and Arguments
Columns: Rule Field | Field Description and Arguments | Argument Descriptions

Field Description and Arguments:
• Green Severity Event Types—Displays all green event types

Rule Field: Device

Field Description and Arguments:
The value of this condition can be one of the following:
• Variables—Signify any single device defined under Admin > System Management > Security and Monitor Devices, only useful for lines in tandem with the same variable.
• Reporting Devices—Identifies one or more hosts or reporting devices for which events are inspected. Valid values are one or more devices as defined under Admin > System Setup > Security and Monitor Devices.
• Defined Device Types—

Argument Descriptions:
• ANY—(Default) Specifies that this rule is applied to events generated by any of the reporting devices defined in MARS.
• SAME
• DISTINCT
• Unknown Reporting Device—Specifies that this rule is applied to events generated by any reporting device that is not defined in MARS.
• $DEVICE01 to $DEVICE10

Rule Field: Reported User

Field Description and Arguments:
Identifies the active user on the host when this event was recorded. Not all events include this data. The value of this condition can be one of the following:

Argument Descriptions:
• ANY—No constraint is placed on the reported user.
• NONE—(Default) Specifies that this condition should not be used to match this rule.
• Variables—Signify any single user, only useful for lines in tandem with the same variable.
• Invalid User Name—Specifies that this condition is met when the user name reported is invalid.

78-17020-01
User Guide for Cisco Security MARS Local Controller
Constructing a Rule
21-11