ASM Activity Monitor


The Automated Security Manager Activity Monitor window consists of three major functional areas. The top section provides the ability to set ASM's operational mode and view statistics. The center section provides a log of ASM activities. The bottom section contains an Events View where you can view alarm, event, and trap information for ASM, Console, network devices, and other NetSight applications.

  CAUTION: Do not attempt to manually remove actions that NetSight Automated Security Manager has applied to devices (for example, by re-enabling a port or restoring a policy directly on the device). Use the Undo Action button in ASM's Activity Monitor window to undo a threat response. Manually removed actions leave devices in an unspecified condition and can compromise the security of your network; ASM also refuses to undo an action once the device's current state no longer agrees with the action it recorded (see Action Undo Failed below).


Automated Security Manager Activity Monitor

The Operation Mode and Statistics Summary panels, as well as the Incident Filter, can be closed by clicking the Close button and restored from the View menu. In addition, the Operation Mode panel can be restored from the Operation Mode Indicator's drop-down menu in the upper-right corner of the window. You can also restore the Incident Filter from a right-click menu selection in the Activity Monitor Table.

Operation Mode
You can display the full Operation Mode panel or iconize it in the main view (by clicking the Close button) to show only the traffic light indicator in the upper-right corner. You can select from the following options:
Disabled - When selected, Automated Security Manager is not active. It neither seeks out the sources of network threats nor responds to them.
Search Only - When selected, security threats are recognized, source ports are identified, and the information is recorded in the Activity Monitor, but no response is applied.
Search and Respond - When selected, Automated Security Manager is fully active. In this state, threats are recognized, source ports are identified, and responses (actions) applied.

  NOTE: The NetSight Server performs ASM searches using the server's profile, not the profile of the ASM client user; it is the server's credentials and access level that determine what ASM can read from and set on devices.
Statistics Summary
This area shows Current data and data accumulated Since the last statistics Counter Reset. The date/time stamp at the top of the area shows the time span during which the accumulated statistics are collected.

The Tools > Statistics > Configure menu option opens the ASM Statistics window, from which you can select the specific data elements displayed in the Statistics area. The Tools > Statistics > Reset Counters menu option resets the counters for the accumulated data and sets the timestamp to the current date and time. Refer to the ASM Statistics window for a description of specific data elements.

Activity Monitor
Incident Filter
This area lets you select the type of detailed information available in the table. Use the Show Threat Details or Show Action Details checkboxes to show or hide groups of columns in the Activity Monitor table. At least one detail selection (Show Threat Details, Show Action Details) must be active at any given time.

You can hide one or more columns in the table using Table Tools > Settings or the Hide Column option on the right-click menu. However, reactivating either filter overrides those settings, and the columns associated with the filter are restored to the table.

  • Show Threat Details - When checked, the table contains several columns that provide detailed threat information. Show Threat Details controls the Date/Time, Sender ID, Sender Name, Event Category and Signature columns.
  • Show Action Details - When checked, the table contains several columns that provide detailed action information. Show Action Details controls the Threat MAC, Device/Port, Rule Name, Action, Details, Last Update and Search Time columns.
  • Show Excluded - When checked, the table contains entries for IP addresses found on an excluded port.
Activity Table
Incident
This is an index of incidents in the Activity Monitor showing the order in which incidents were recorded. The sequence may be broken when incidents are removed from the table.
Icon/Status
The Icon and Status columns, taken together, indicate the status of a particular action response. Each status is listed below with its meaning; a status marked "(no icon)" leaves the Icon column blank.

Action Taken - Action successfully performed:
  • Port disabled
  • Policy replaced on port
  • Policy replaced for MAC
  • VLAN replaced for MAC
  • Port disabled and Custom Action Executed
  • Policy replaced on port and Custom Action Executed
  • Policy replaced for MAC and Custom Action Executed
  • VLAN replaced for MAC and Custom Action Executed
  • VLAN replaced on port and Custom Action Executed
  • Port disabled and Custom Action Failed
  • Policy replaced on port and Custom Action Failed
  • Policy replaced for MAC and Custom Action Failed
Timer in Progress - Undo Action waiting for timer expiration.
Action Awaiting Confirmation:
  • Action configured for Manual Confirmation and is not yet confirmed.
  • The entry was in Action in Progress when the ASM Operation Mode changed to Disabled or Search Only, or when Console was exited and relaunched.
Action Suspended (these entries are always eligible for Undo):
  • Operation Mode changed to Search Only and the action is pending or timer in progress.
  • Operation Mode changed to Disabled (or Console exits and relaunches) and the entry is action pending or timer in progress.
No Action Can Be Taken:
  • No port found for threat IP address
  • Policy not supported on device (where action was Apply Policy)
  • No Rule matches the criteria for applying action
  • Port already disabled
  • Policy already applied to port
  • PVID already applied to port
  • Port already disabled, Custom action executed
  • Policy already applied to port, Custom action executed
  • PVID already applied to port, Custom action executed
  • Policy not supported on device, Custom action executed
  • Port already disabled, Custom action failed
  • Policy already applied to port, Custom action failed
  • PVID already applied to port, Custom action failed
  • Policy not supported on device, Custom action failed
Action Threshold Exceeded:
  • Too many ports for Threat IP address, action not taken
  • Too many actions in progress, action not taken
  • Too many ports for Threat IP address, action not taken, Custom action not executed
  • Too many actions in progress, action not taken, Custom action not executed
Action Failed:
  • Device not reachable
  • SNMP Profile has ReadOnly access level
  • SNMP Sets fail (Write parameters do not match the device)
  • Device not in database
  • Policy not on device
  • Port cannot be disabled
  • Incomplete Trap information
  • VLAN ID not on device
  • VLAN Name not on device
  • Device not reachable, Custom action executed
  • SNMP Profile has ReadOnly access level, Custom action executed
  • SNMP Sets fail (Write parameters do not match the device), Custom action executed
  • Device not in database, Custom action executed
  • Policy not on device, Custom action executed
  • Port cannot be disabled, Custom action executed
  • VLAN ID not on device, Custom action executed
  • VLAN Name not on device, Custom action executed
  • Device not reachable, Custom action failed
  • SNMP Profile has ReadOnly access level, Custom action failed
  • SNMP Sets fail (Write parameters do not match the device), Custom action failed
  • Device not in database, Custom action failed
  • Policy not on device, Custom action failed
  • Port cannot be disabled, Custom action failed
  • VLAN ID not on device, Custom action failed
  • VLAN Name not on device, Custom action failed
Action Undo Failed - The device's current setting does not match what ASM recorded when it applied the action, so ASM does not revert it:
  • Current port state does not agree with ASM action taken
  • Current port policy setting does not agree with ASM action taken
  • Original policy does not exist on device
  • Current PVID setting does not agree with ASM action taken (this includes PVID and tagging parameters)
  • Current port state does not agree with ASM action taken, Custom action executed
  • Current port policy setting does not agree with ASM action taken, Custom action executed
  • Original policy does not exist on device, Custom action executed
  • Current PVID setting does not agree with ASM action taken, Custom action executed
  • Current port state does not agree with ASM action taken; Custom action failed
  • Current port policy setting does not agree with ASM action taken; Custom action failed
  • Original policy does not exist on device; Custom action failed
  • Current PVID setting does not agree with ASM action taken; Custom action failed
Action Taken and Undone (no icon):
  • Action undone by Undo Action button
  • Action undone by Timer
  • Action undone by Undo Action button; Custom Undo Action executed
  • Action undone by Timer; Custom Undo Action executed
  • ASM Action was set to None; Custom Action executed and undone by Undo Action button
  • ASM Action was set to None; Custom Action executed and undone by Timer
  • Action undone when Custom Undo executed by Undo Action button
  • Custom Action undone by Timer (Standard ASM Action set to None)
  • Custom Undo Action executed by Undo Action button (Standard ASM Action set to None)
  • Custom Undo Action executed by Timer (Standard ASM Action set to None)
  • Action undone by Undo Action button; Custom Undo Action failed
  • Action undone by Timer; Custom Undo Action failed
  • ASM Action set to None; Custom Action executed and Custom Undo Action failed
  • ASM Action set to None; and Custom Undo Action failed
No Action Taken (no icon) - Action set to None.
Custom Action Only (no icon):
  • ASM Action set to None; Custom action executed
  • ASM Action set to None; Custom Action failed
 NOTE: This status only appears when the ASM Action is set to None. Otherwise, the custom actions are noted in the Details column.
Port Excluded (no icon):
  • Port Type Filtered
  • Port Filtered
Search in Progress (no icon) - Search began, but is not completed.
Action in Progress (no icon) - Action for this entry began, but is not completed.
Port Query in Progress (no icon) - Port query began, but is not completed.
Search Canceled (no icon):
  • Search canceled by Cancel Search menu option.
  • Operation Mode changed to Disabled while:
    • Search in Progress
    • Search Pending
    • Port Query in Progress
    • Port Query Pending
  • Console launched while:
    • Search in Progress
    • Search Pending
    • Port Query in Progress
    • Port Query Pending
Search Pending (no icon) - Search for this entry is in the search queue.
Action Pending (no icon) - Action for this entry is in the action queue.
Port Query Pending (no icon) - Port query for this entry is in the port query queue.

Date/Time
The date and time the incident is recorded in the Activity Monitor.
Sender ID
This is a unique identifier associated with the intrusion detection system that detected the security event.
Sender Name
The name associated with the intrusion detection system that detected the security event.
Event Category
The event category reported from the intrusion detection system. The default categories are:
  • ASM_ATTACK
  • ASM_COMPROMISE
  • ASM_INFORMATIONAL
  • ASM_MISUSE
Signature
This is a unique identifier, assigned to this attack by the intrusion detection system.
Threat IP
The IP address of the device that is the source of the threat (not the device on which the threat is detected).
Threat MAC
The MAC address of the device that is the source of the threat (not the device on which the threat is detected).
Device/Port
The IP address and port of the device where the initiator of the threat is detected.
Rule Name
The name of the ASM rule that matched this incident and whose action was applied.
Action
The action configured for the rule (Disable Port, Apply Policy, or No Action).
Details
A brief, human-readable description of the status of this incident. Refer to the Icon/Status descriptions for the possible values.
Last Updated
The timestamp for the previous action. This is the date and time when the last action is taken for this same event.
Filtered Traps
A count of the duplicate traps folded into this incident. A trap is considered a duplicate if it has the same Sender ID, Threat Category, and Threat IP Address as an incident already in the Activity Monitor list; it is filtered (rather than creating a new incident) only while that incident has a status of Search Pending.
Search Time (sec)
The amount of time in seconds ASM searches for the source of the threat.
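The duplicate-trap rule described under Filtered Traps, worked through in Python as an added illustration; this is not NetSight or ASM code, and the trap fields, the Incident record and the sample trap stream are constructed here for the example. It also shows the edge the text calls out: an identical trap is only filtered while the matching incident is still Search Pending.

```python
"""Duplicate-trap filter modelled on the Filtered Traps rule.

Added illustration, not NetSight/ASM code. Field names, the Incident
record and the sample traps are this example's own assumptions."""
from dataclasses import dataclass
from typing import List, Optional

SEARCH_PENDING = "Search Pending"


@dataclass
class Trap:
    sender_id: str
    category: str    # Threat/Event Category, e.g. ASM_ATTACK
    threat_ip: str
    signature: str   # not part of the duplicate key


@dataclass
class Incident:
    trap: Trap
    status: str = SEARCH_PENDING
    filtered_traps: int = 0   # value shown in the Filtered Traps column


def same_incident(a: Trap, b: Trap) -> bool:
    """Duplicate key is (Sender ID, Threat Category, Threat IP) only."""
    return (a.sender_id, a.category, a.threat_ip) == (b.sender_id, b.category, b.threat_ip)


def ingest(incidents: List[Incident], trap: Trap) -> Optional[Incident]:
    """Fold the trap into a Search Pending incident with the same key, or
    create a new incident. Returns the incident it was filtered into, or
    None when a new incident was created."""
    for inc in incidents:
        if inc.status == SEARCH_PENDING and same_incident(inc.trap, trap):
            inc.filtered_traps += 1
            return inc
    incidents.append(Incident(trap))
    return None


def run_sample() -> List[Incident]:
    """Constructed trap stream (not captured from a real IDS)."""
    traps = [
        Trap("ids-01", "ASM_ATTACK", "10.0.0.5", "SIG-1"),
        Trap("ids-01", "ASM_ATTACK", "10.0.0.5", "SIG-2"),   # same key: filtered
        Trap("ids-02", "ASM_ATTACK", "10.0.0.5", "SIG-1"),   # other sender: new incident
        Trap("ids-01", "ASM_MISUSE", "10.0.0.5", "SIG-1"),   # other category: new incident
    ]
    incidents: List[Incident] = []
    for t in traps:
        ingest(incidents, t)
    # Once the first incident leaves Search Pending, an otherwise identical
    # trap is no longer filtered and opens a fresh incident.
    incidents[0].status = "Search in Progress"
    ingest(incidents, Trap("ids-01", "ASM_ATTACK", "10.0.0.5", "SIG-3"))
    return incidents
```

The point for an analyst reading the column: a Filtered Traps count of 1 means a second trap with the same sender, category and source IP arrived while the search was still queued; it says nothing about how many signatures fired, because Signature is outside the duplicate key.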

Right-Click Menu

A right-mouse click on a column heading or anywhere in the table body (or a left-mouse click on the Table Tools button when visible in the upper left corner of the table) opens a popup menu that provides access to a set of Table Tools you can use to manage information in the table. In addition to these standard Table Tool options, the right-click menu can include the following:

  • Incident Filter - Places the Incident Filter panel in the top half of the Activity Monitor window.
  • Confirm Response - Confirms actions configured for Manual Confirmation Required in the Create Rule Window. This is an alternative to the Confirm Response button.
  • Undo Action - Reverses the most recent action on the selected entry's event/action in the Activity Monitor. This is an alternative to the Undo Action button. Refer to the description of the Undo Action button for more information on this option.
  • Cancel Search - Terminates the search for the selected entry.
  • View Details - Opens the ASM Log Entry Details window, which provides additional information about the selected table entry(ies).
  • Delete Table Entry - Removes the selected entry's event/action from the Activity Monitor. This is an alternative to the Delete Table Entry button.

Buttons

Cancel Search
Aborts the currently pending search on the selected incident(s).
Confirm Response
This button confirms actions configured for Manual Confirmation Required. You can confirm a response in any operational mode (Search And Respond, Search Only, or Disabled).

If the confirmed action is configured to apply for a specific duration, the automatic (timer-based) undo remains suspended, even when the operation mode is Search and Respond. Refer to the Create/Edit Rule view for more information on this feature.

Undo Action
This button attempts to reverse the most recent action(s) on the selected entries in the Activity Monitor. When a Custom Undo Action is configured, this button executes the Custom Undo Action. Except for the situation noted below, only actions that were actually applied can be undone; for example, you cannot undo an action that is awaiting confirmation.
 NOTE: The exception can occur when two actions are defined, a standard ASM action and a custom action. If the standard ASM action fails, the custom action is still applied and, if successful, cannot be undone. Under these circumstances, configure your custom action to take into account the potential failure of the standard ASM action.
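The state check behind the Action Undo Failed statuses and the CAUTION at the top of this page, worked through in Python as an added illustration (not NetSight or ASM code). The device snapshot, the ActionRecord layout and all names are this example's assumptions; the reason strings are the ones listed under Action Undo Failed. It shows what happens when an operator re-enables a port by hand or deletes the original policy after ASM applied a response: ASM's record no longer agrees with the device, and the undo is refused rather than applied blindly.

```python
"""Undo precondition checks modelled on the Action Undo Failed statuses.

Added illustration, not NetSight/ASM code. Device snapshot, record
layout and names are this example's own assumptions."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass
class PortState:
    enabled: bool
    policy: Optional[str]
    pvid: int
    tagged: bool


@dataclass
class Device:
    ip: str
    policies: Set[str]            # policy names currently defined on the device
    ports: Dict[str, PortState]   # constructed snapshot, keyed by port name


@dataclass
class ActionRecord:
    """What ASM would have recorded when it applied the response."""
    device_ip: str
    port: str
    action: str          # "disable_port" | "apply_policy" | "replace_pvid"
    original: PortState  # port state before the action
    applied: PortState   # port state ASM expects to still find


def check_undo(rec: ActionRecord, dev: Device) -> Tuple[bool, str]:
    """Return (True, 'ok') or (False, <Action Undo Failed reason>)."""
    cur = dev.ports[rec.port]
    if rec.action == "disable_port":
        if cur.enabled != rec.applied.enabled:
            return False, "Current port state does not agree with ASM action taken"
    elif rec.action == "apply_policy":
        if cur.policy != rec.applied.policy:
            return False, "Current port policy setting does not agree with ASM action taken"
        if rec.original.policy is not None and rec.original.policy not in dev.policies:
            return False, "Original policy does not exist on device"
    elif rec.action == "replace_pvid":
        # PVID and tagging are compared together, as the status text notes.
        if (cur.pvid, cur.tagged) != (rec.applied.pvid, rec.applied.tagged):
            return False, "Current PVID setting does not agree with ASM action taken"
    else:
        return False, "Unknown action type"
    return True, "ok"


def undo(rec: ActionRecord, dev: Device) -> Tuple[bool, str]:
    """Restore the recorded original state only if the check passes."""
    ok, reason = check_undo(rec, dev)
    if not ok:
        return False, reason
    dev.ports[rec.port] = replace(rec.original)
    return True, "Action undone by Undo Action button"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Three constructed cases: a clean undo, a port an operator re-enabled
    by hand, and a policy undo whose original policy was deleted meanwhile."""
    up = PortState(enabled=True, policy="Enterprise User", pvid=10, tagged=False)
    down = replace(up, enabled=False)
    disable = ActionRecord("10.20.30.40", "ge.1.5", "disable_port", up, down)
    both = {"Enterprise User", "Quarantine"}
    clean = Device("10.20.30.40", set(both), {"ge.1.5": replace(down)})
    tampered = Device("10.20.30.40", set(both), {"ge.1.5": replace(up)})

    quarantined = replace(up, policy="Quarantine")
    policy_rec = ActionRecord("10.20.30.40", "ge.1.7", "apply_policy", up, quarantined)
    # "Enterprise User" was removed from the device after ASM applied Quarantine.
    policy_gone = Device("10.20.30.40", {"Quarantine"}, {"ge.1.7": replace(quarantined)})

    results = {
        "clean_undo": undo(disable, clean),
        "manually_reenabled": undo(disable, tampered),
        "original_policy_missing": undo(policy_rec, policy_gone),
    }
    results["clean_port_restored"] = (clean.ports["ge.1.5"].enabled, "port enabled after undo")
    return results
```

The practical consequence matches the CAUTION: once someone bypasses ASM and changes the port directly, the entry stays in Action Undo Failed and the operator has to reconcile the device by hand, with no record of the original state other than what ASM logged.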
Delete Table Entry
Removes the selected entry's event/action from the Activity Monitor. When the entry removed is the last one for a particular incident, the associated Detail Log information is also deleted.
Clean Up Incidents
Opens the Clean Up Incidents window, where you can select incidents to delete from the Activity Monitor table.
