CISCO NX-OS DEPLOYMENT GUIDE 6.2
Securonix Proprietary Statement
This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.
The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.
Securonix Copyright Statement
This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix.
However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference.
Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.
Copyright 2019 © Securonix All rights reserved.
Contact Information
Securonix, Inc.
14665 Midway Rd. Ste. 100, Addison, TX 75001
www.securonix.com
855.732.6649
Revision History
Date       | Product Version | Description
02/14/2019 | 6.2             | First Release
Copyright © 2019 Securonix, Inc. Page | 2
SNYPR 6.2 Deployment Guide
Table of Contents
Cisco NX-OS 4
What is Cisco NX-OS? 4
Supported Collection Methods 4
Format 4
Taxonomy 4
Functionality 4
Device Event Field Mapping 5
Device Event Severity Mapping 5
Device Event Categorization 5
Import Activity Data into SNYPR 10
Step 1: Datasource 11
Step 2: Parsing & Normalization 11
Step 3: Conditional Actions 12
Step 4: Identity Attribution 12
Step 5: Summary 13
References 14
Cisco NX-OS
This deployment guide provides information about how the Cisco NX-OS data source events are parsed, normalized, and categorized to SNYPR fields. In particular, it provides the following:
- Device event field mapping
- Device event severity mapping
- Device event categorization
To download the Cisco NX-OS parser from the Securonix Threat Library, search Available Resources Types for Deployment by Vendor name or Functionality. Downloading the resource downloads the parser along with the applicable dashboards, reports, policies, and threat models.
What is Cisco NX-OS?
Cisco NX-OS is a network operating system that allows customers to configure Nexus-series Ethernet switches through APIs made by Cisco Systems. Cisco NX-OS protects your network against degradation, failure, and data loss.
Supported Collection Methods
The supported collection method is file import.
Format
The format is capturing groups.
Taxonomy
Securonix Open Event Format (OEF) 1.0 is used. OEF is an event interoperability standard/schema. It provides a set of standardized attributes (fields) for consistent representation of logging output from disparate security and non-security devices and applications. For additional information, refer to the Data Dictionary section on the Securonix documentation portal.
Functionality
The functionality of Cisco NX-OS is operating system (OS). See Use Cases by Functionality for a complete list of policies for this functionality.
Device Event Field Mapping
This section lists the mappings of SNYPR fields to the device fields.
Cisco NX-OS Field | SNYPR Field
Datetime          | DATETIME
Facility          | Devicefacility
Severity          | Deviceseverity
Mnemonic          | Baseeventid
Description       | Message
Module and slot   | Additionaldetails1
Slot              | Additionaldetails2
Transactionstring | Transactionstring1
Device Event Severity Mapping
The SNYPR category severity fields are mapped to the device severity fields.
Category Severity | Device Severity
Alert             | Very High = 0, 1
Critical          | High = 2, 3
Warning           | Medium = 4, 5
Info              | Low = 6, 7
Device Event Categorization
This section contains the rules used to categorize the device events.
Rule Name | Rule | Set Event Severity | Category Object | Category Behavior | Category Outcome
Set_Device_Severity_1 | Severity equal to 3 | High | - | - | -
Set_Device_Severity_2 | Severity equal to 4 or 5 | Medium | - | - | -
Set_Device_Severity_3 | Severity equal to 6 or 7 | Low | - | - | -
Set_Device_Severity | Severity equal to 0 or 1 and 2 | Critical | - | - | -
Set_Event_Category | Facility equal to AAA and Mnemonic equal to AAA_SESSION_LIMIT_REJECT | - | Facility | Communication | -
Set_Event_Category_5 | Facility equal to AAA and Mnemonic equal to AAA_NVRAM_UPGRADE_FAILURE | - | File | Operation | -
Set_Event_Category_6 | Facility equal to AAA and Mnemonic equal to AAA_PROGRAM_EXIT | - | Process | Stop | -
Set_Event_Category_7 | Facility equal to AAA and Mnemonic equal to AAA_NVRAMFAILURE | - | Memory | operation | -
Set_Event_Category_8 | Facility equal to AAM and Mnemonic equal to ELS_FC2_GL_SINDEX_LOOKUP_FAILED | - | Interface | scan | -
Set_Event_Category_9 | Facility equal to AAM and Mnemonic equal to ALLOC_FAILED | - | Memory | configuration | -
Set_Event_Category_10 | Facility equal to AAM and Mnemonic equal to ASSERTION_FAILED | - | Process | Verify | -
Set_Event_Category_11 | Facility equal to ACLMGR and Mnemonic equal to ACLMGR_COMMIT_FAIL | - | Process | operation | -
Set_Event_Category_12 | Facility equal to ACLMGR and Mnemonic equal to ACLMGR_NO_ERRDISABLED | - | Interface | communication | -
Set_Event_Category_13 | Facility equal to ACLMGR and Mnemonic equal to ACLMGR-2-INITFAIL | - | Process | start | -
Set_Event_Category_14 | Facility equal to ACLMGR and Mnemonic equal to MALLOC_ERROR | - | Memory | operation | -
Set_Event_Category_15 | Facility equal to ACLMGR and Mnemonic equal to ACLMGR_GSYNC_ERROR | - | Application | Communication | -
Set_Event_Category_16 | Facility equal to ACLMGR and Mnemonic equal to ACLMGR_PSS_CORRUPTED | - | Database | create | -
Set_Event_Category_17 | Facility equal to ACLMGR and Mnemonic equal to ACLMGR_STAT_CONSOLIDATION_FAILURE | - | Application | operation | -
Set_Event_Category_18 | Facility equal to ACLMGR and Mnemonic equal to ACLMGR_VERIFY_FAIL | - | Process | verify | -
Set_Event_Category_19 | Facility equal to ACLMGR and Mnemonic equal to ACLMGR_COMMIT_FAIL | - | Process | operation | -
Set_Event_Category_20 | Facility equal to ACLMGR and Mnemonic equal to FAILED_TO_SEND_HEARTBEAT | - | Facility | Communication | -
Set_Event_Category_21 | Facility equal to ACLMGR and Mnemonic equal to SERVICE_UP | - | Facility | start | -
Set_Event_Category_22 | Facility equal to ACLMGR and Mnemonic equal to SRVEXIT | - | Facility | Stop | -
Set_Event_Category_23 | Facility equal to ACLQOS and Datetime equal to ACLQOS_FAILED | - | Application | execute | -
Set_Event_Category_24 | Facility equal to ACLQOS and Mnemonic equal to ACLQOS_INBAND_INTERFACE_FAILURE | - | Interface | scan | -
Set_Event_Category_25 | Facility equal to ACLQOS and Mnemonic equal to ACLQOS_MALLOC_FAILED | - | Memory | configuration | -
Set_Event_Category_26 | Facility equal to ACLQOS and Mnemonic equal to PPF_FAILED | - | Database | operation | -
Set_Event_Category_27 | Facility equal to ACLQOS and Datetime equal to ACLQOS_QUEUING_COS2Q_INVALID or ACLQOS_QUEUING_INVALID | - | Policy | configuration | -
Set_Event_Category_28 | Facility equal to ACLQOS and Mnemonic equal to ACLQOS_DISRUPTIVE_IPV6_UPDATE | - | Protocol | Change | -
Set_Event_Category_29 | Facility equal to ACLQOS and Mnemonic equal to ACLQOS_NON_ATOMIC | - | Policy | change | -
Set_Event_Category_30 | Facility equal to ACLTCAM and Mnemonic equal to ACL_TCAM_ADJ_EXHAUSTED | - | Process | execute | -
Set_Event_Category_31 | Facility equal to ACLTCAM and Mnemonic equal to ACL_TCAM_CONFIG_READ_FROM_DRIVER_FAILED or ACL_TCAM_CONFIG_WRITE_TO_DRIVER_FAILED or ACL_TCAM_FLOW_STATS_READ_FAILED | - | Device | access | -
Set_Event_Category_32 | Facility equal to ACLTCAM and Mnemonic equal to ACL_TCAM_INIT_FAILED and ACL_TCAM_INIT_REGIONS_FAILED | - | Process | start | -
Set_Event_Category_33 | Facility equal to ACLTCAM and Mnemonic equal to ACL_TCAM_MALLOC_FAILURE | - | Memory | operation | -
Set_Event_Category_34 | Facility equal to ACLTCAM and Mnemonic equal to ACL_TCAM_MTS_FAILURE or ACL_TCAM_MTS_REGISTRATION_FAILED or ACL_TCAM_NO_ROUTE or ACL_TCAM_PHY_TCAM_READ_FAILED or ACL_TCAM_PHY_TCAM_READ_INVALID and ACL_TCAM_PHY_TCAM_WRITE_FAILED and ACL_TCAM_PSS_FAILURE and PSS_OPEN_FAILED and RECONS_FAILED | - | Process | operation | -
Set_Event_Category_35 | Facility equal to ACLTCAM and Mnemonic equal to ACL_TCAM_INV_TCAM_SYNC_ATTEMPT | - | Process | start | -
Set_Event_Category_36 | Facility equal to ACLTCAM and Mnemonic equal to ALLOCFAIL | - | Memory | configuration | -
Set_Event_Category_37 | Facility equal to ACLTCAM and Mnemonic equal to FC2ERROR or GENERROR or MTSERROR or PSSERROR or REGISTER_FAILED | - | Process | Execute | -
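The following is an added example, not part of the Securonix guide or the SNYPR parser itself. It shows in Python how the field mapping, Set_Device_Severity_* rules and a subset of the Set_Event_Category_* rules above combine to normalize one event: a regex with named capturing groups extracts the device fields, the field map renames them to SNYPR fields, and the rule tables set severity and category. The NX-OS syslog line layout, the sample lines and the output key names eventseverity, categoryobject and categorybehavior are assumptions.

```python
import re

# Assumed NX-OS syslog layout (not taken from the guide):
# "<yyyy Mon dd hh:mm:ss> <host> %FACILITY-SEVERITY-MNEMONIC: description".
# Named capturing groups play the role of the "capturing groups" format the guide mentions.
NXOS_LINE = re.compile(
    r"^(?P<datetime>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_-]+): "
    r"(?P<description>.*)$"
)

# Device field -> SNYPR field, from the Device Event Field Mapping table.
FIELD_MAP = {"datetime": "DATETIME", "facility": "Devicefacility",
             "severity": "Deviceseverity", "mnemonic": "Baseeventid",
             "description": "Message"}

# Set_Device_Severity_* rules from the categorization table.
SEVERITY_RULES = [({0, 1, 2}, "Critical"), ({3}, "High"),
                  ({4, 5}, "Medium"), ({6, 7}, "Low")]

# A subset of the Set_Event_Category_* rules:
# (facility, mnemonic) -> (category object, category behavior), wording as in the table.
CATEGORY_RULES = {
    ("AAA", "AAA_SESSION_LIMIT_REJECT"): ("Facility", "Communication"),
    ("AAA", "AAA_PROGRAM_EXIT"): ("Process", "Stop"),
    ("ACLMGR", "ACLMGR_COMMIT_FAIL"): ("Process", "operation"),
    ("ACLMGR", "SERVICE_UP"): ("Facility", "start"),
    ("ACLTCAM", "ACL_TCAM_MALLOC_FAILURE"): ("Memory", "operation"),
}


def normalize(line):
    """Parse one NX-OS line into SNYPR fields; return None when the line does not match."""
    m = NXOS_LINE.match(line)
    if not m:
        return None
    event = {FIELD_MAP[k]: v for k, v in m.groupdict().items()}
    sev = int(event["Deviceseverity"])
    # Output key names below (eventseverity, categoryobject, categorybehavior) are assumed.
    event["eventseverity"] = next(label for values, label in SEVERITY_RULES if sev in values)
    key = (event["Devicefacility"], event["Baseeventid"])
    event["categoryobject"], event["categorybehavior"] = CATEGORY_RULES.get(key, (None, None))
    return event


if __name__ == "__main__":
    # Constructed sample lines, not real device output.
    for sample in [
        "2019 Feb 14 10:15:02 nx-switch %AAA-3-AAA_SESSION_LIMIT_REJECT: session limit reached",
        "2019 Feb 14 10:16:40 nx-switch %ACLMGR-2-ACLMGR_COMMIT_FAIL: commit failed",
        "not a syslog line",
    ]:
        print(normalize(sample))
```

A mnemonic with no matching rule leaves categoryobject and categorybehavior empty, which is how unmapped events can be spotted when extending the rule set.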
Import Activity Data into SNYPR
This section provides screenshots to help guide you through the five step process of importing activity data into SNYPR.
Step 1: Datasource
On this screen, provide the information to configure the datasource, including the vendor, device, collection method, and parsing technique. The information you provide will differ, depending on the datasource, and can be seen in the following examples.
Step 2: Parsing & Normalization
Once you've configured the connection, create line filters to parse the data into individual attributes and map them to corresponding attributes in the Securonix open event schema as described in the Device Event Field Mapping table above. The number and type of line filters you add depend on the data source type.
Note: This section is typically for reference only. When you deploy this datasource, this step has already been done for you. The attributes mapped for this datasource are required in order to run the use cases that you will enable in Step 5: Summary. For some datasources, you can add additional line filters.
Step 3: Conditional Actions
In this section, you can specify the actions to perform when events meet conditions specified in filters. Multiple actions can be specified on the same condition.
Note: The action filters in this step are already created for you. You can add additional line filters as needed.
Step 4: Identity Attribution
This step is used to create rules to correlate activity accounts to user identities. The rules will differ based on the account naming conventions in your environment.
Step 5: Summary
From this screen, you can review the import and configuration, enable or disable policies, analyze line filters, create a policy for the datasource, and schedule the job.
References
- Cisco NX-OS: https://www.cisco.com/c/en_in/products/ios-nx-os-software/nx-os/index.html