67-17
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 67 Managing Reports
Understanding the Predefined System Reports in Report Manager
Top Victims—This report ranks the victim (destination) addresses that generated the highest
numbers of recorded IPS alerts. The report shows the victim address, the count of the number of
alerts for each address, and the percentage of the count compared to the sum of all counts in the
report.
The default report includes information for all attackers, victims, and signatures for both blocked
and unblocked actions. You can customize the report to focus on subsets of attackers, victims, or
signatures, or limit the analysis to blocked only or unblocked only actions (see Editing Report
Settings, page 67-21).
Top Signatures—This report ranks the signatures that fired the highest numbers of alerts. The
report shows the signature ID number, the name of the signature, the count of the number of alerts
for each signature, and the percentage of the count compared to the sum of all counts in the report.
The default report includes information for all attackers, victims, and signatures for both blocked
and unblocked actions. You can customize the report to focus on subsets of attackers, victims, or
signatures, or limit the analysis to blocked only or unblocked only actions (see Editing Report
Settings, page 67-21).
Top Blocked/Unblocked Signatures—This report ranks the signatures that blocked the highest
numbers of attacks. The report shows the signature ID number, the name of the signature, the count
of the number of alerts for each signature, and the percentage of the count compared to the sum of
all counts in the report.
The default report shows blocked actions only. However, you can customize the report to show
unblocked only or a combination of blocked and unblocked actions (see Editing Report Settings,
page 67-21).
If you want to see blocked or unblocked lists that are limited to specific attacker or victim addresses,
or to a subset of signatures, use the Top Signatures report instead of the Top Blocked/Unblocked
Signatures report. Customize the report to show blocked only or unblocked only signatures.
IPS Target Analysis—This report provides the top targets by signature and frequency of attack. The
report shows the signatures that generated the alerts, the number of alerts, and the victim IP address,
and is based on an aggregated view of the Top Signatures and Top Victims reports. The report
contains up to ten signatures and five attackers. The information is plotted on a scatter plot, which
is the only graphical representation available for the report.
The number of addresses or signatures to include in the report and the reporting time period
are set in the system defaults, as described in Configuring Default Settings for
Reports, page 67-24. You can also edit the report settings and create custom versions of the reports, as
described in the following topics:
Editing Report Settings, page 67-21
Creating Custom Reports, page 67-20
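The following sketch is an added illustration, not Cisco code: it reproduces the ranking and percentage arithmetic described for the Top Victims and Top Signatures reports, taking "the sum of all counts in the report" to mean the rows that actually appear in the report. The `Alert` fields, the `top_report` function, the tie-break order, and the sample alerts are assumptions constructed for the example.

```python
from collections import Counter, namedtuple

# Hypothetical alert record; a real IPS alert carries many more fields.
Alert = namedtuple("Alert", "attacker victim sig_id blocked")

# Constructed sample data (documentation address ranges, made-up signature IDs).
ALERTS = [Alert(*row) for row in [
    ("198.51.100.7", "10.0.0.5", 2100, True),
    ("198.51.100.7", "10.0.0.5", 2100, True),
    ("198.51.100.7", "10.0.0.5", 3030, False),
    ("203.0.113.9", "10.0.0.5", 2100, False),
    ("203.0.113.9", "10.0.0.8", 3030, True),
    ("203.0.113.9", "10.0.0.8", 3030, False),
    ("192.0.2.44", "10.0.0.9", 5000, False),
    ("192.0.2.44", "10.0.0.12", 5000, False),
]]


def top_report(alerts, key, top_n, actions="all", victims=None):
    """Rank values of `key` ('attacker', 'victim' or 'sig_id') by alert count.

    actions: 'all', 'blocked' or 'unblocked' (the report's action filter).
    victims: optional set of victim addresses to restrict the report to.
    Returns rows of (value, count, percent of the counts shown in the report).
    """
    if actions not in ("all", "blocked", "unblocked"):
        raise ValueError("actions must be 'all', 'blocked' or 'unblocked'")
    rows = [a for a in alerts
            if actions == "all" or a.blocked == (actions == "blocked")]
    if victims is not None:
        rows = [a for a in rows if a.victim in victims]
    counts = Counter(getattr(a, key) for a in rows)
    # Highest count first; ties broken by value so the output is deterministic.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))[:top_n]
    shown = sum(count for _, count in ranked)  # denominator: rows in the report
    return [(value, count, round(100 * count / shown, 1))
            for value, count in ranked]


if __name__ == "__main__":
    print("Top 2 victims:", top_report(ALERTS, "victim", 2))
    print("Top 4 victims:", top_report(ALERTS, "victim", 4))
    print("Blocked signatures:", top_report(ALERTS, "sig_id", 10, "blocked"))
    print("Unblocked signatures for one victim:",
          top_report(ALERTS, "sig_id", 10, "unblocked", victims={"10.0.0.5"}))
```

Because the denominator is the sum of the counts shown, the same victim reads 66.7% in a top-2 report and 50.0% in a top-4 report over identical alerts, which matters when comparing reports generated with different settings.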
Understanding General IPS Reports
Report Manager includes predefined system reports that you can use to analyze general IPS activity in
your network.
The following reports are available in the System Reports > IPS folder.
Inspection/Global Correlation—This report provides a comparison of alerts generated by global
correlation against alerts generated by traditional IPS inspection. The report shows the number and
percentage of alerts per IPS inspection method (either Global Correlation or Inspection).