
Cisco Cyber Vision GUI User Guide

Rev. 0.0.4, 17 November 2020 Cisco Systems, Inc.


Total pages: 158


Owner: Cisco IoT

Author: Juliette Maffet

Cisco Systems, Inc.


Trademark Acknowledgments

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco
trademarks, go to this URL: www.cisco.com/go/trademarks.

Third party trademarks mentioned are the property of their respective owners.

The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Publication Disclaimer

Cisco Systems, Inc. assumes no responsibility for errors or omissions that may appear in this publication. We reserve the right to change this publication at
any time without notice. This document is not to be construed as conferring by implication, estoppel, or otherwise any license or right under any copyright or
patent, whether or not the use of any information in this document employs an invention claimed in any existing or later issued patent. A printed copy of this
document is considered uncontrolled. Refer to the online version for the latest revision.

Copyright

© 2020 Cisco and/or its affiliates. All rights reserved.

Information in this publication is subject to change without notice. No part of this publication may be reproduced or transmitted in any form, by photocopy,
microfilm, xerography, or any other means, or incorporated into any information retrieval system, electronic or mechanical, for any purpose, without the
express permission of Cisco Systems, Inc.

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Contents Page 3

Contents
1 About this documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1 Document purpose. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 Warnings and notices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1 Cisco Cyber Vision Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2 Cisco Cyber Vision overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3 Understanding concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.1 Preset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2 Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2.1 Inclusive filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2.2 Restrictive filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.2.3 Negative filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.3 Component. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.3.1 Aggregation of components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.4 Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.5 Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.6 Time span. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.7 Tags. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.8 Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.9 Vulnerability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.10 Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.11 Credentials. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.12 Variable accesses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.13 Creating and customizing groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.14 Active Discovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4 Navigating through Cisco Cyber Vision. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.1 General Dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.2 Explore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
4.2.1 Vulnerabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.2.2 Preset views. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
4.2.3 Right side panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
4.3 Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.4 Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
4.4.1 The Dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.4.2 The Calendar. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
4.5 Monitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
4.5.1 Monitor mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
4.5.2 Monitor mode's views. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
4.5.3 New and changed differences. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Rev. 0.0.4 Cisco Cyber Vision GUI User Guide


4.5.4 Review differences. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84


4.5.5 Create a baseline from a default preset. . . . . . . . . . . . . . . . . . . . . . 87
4.5.6 Create a baseline from a group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
4.5.7 Create a weekend baseline. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
4.5.8 Enable a baseline monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
4.5.9 Use cases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
4.6 Search. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
4.7 Admin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
4.7.1 System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
4.7.2 Data management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
4.7.3 Sensors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
4.7.4 Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.7.5 Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
4.7.6 API. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
4.7.7 License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
4.7.8 LDAP settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
4.7.9 pxGrid. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
4.7.10 SNORT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
4.7.11 Integrations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
4.7.12 Extensions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
4.8 System statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
4.8.1 Center. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
4.8.2 Sensors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
4.9 My settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157


1 About this documentation

1.1 Document purpose


This user guide presents the concepts (page 7) you will meet in Cisco Cyber Vision and
how to navigate (page 57) within the application by explaining the available features.
It covers the GUI at the highest license level (Advantage) and all available
user roles (from full rights to read-only).
This manual is applicable to system version 3.2.0.
IMPORTANT
Cisco Cyber Vision EAP is a snapshot of the ongoing development process and is in the
qualifying phase. Testing for this program is in progress, and it may contain features that are
incomplete or may change before the next full release.

1.2 Warnings and notices


This manual contains notices you have to observe to ensure your personal safety as well
as to prevent damage to property.
The notices referring to your personal safety and to your property damage are
highlighted in the manual by a safety alert symbol described below. These notices are
graded according to the degree of danger.
WARNING
Indicates risks that involve industrial network safety or production failure that could possibly
result in personal injury or severe property damage if proper precautions are not taken.

IMPORTANT
Indicates risks that could involve property or Cisco equipment damage and minor personal
injury if proper precautions are not taken.

Note
Indicates important information on the product described in the documentation to which
attention should be paid.


2 Introduction
2.1 Cisco Cyber Vision Installation
The Cisco Cyber Vision GUI (Graphical User Interface) is an integral part of Cisco Cyber
Vision. Thus, you cannot use it without prior installation and initialization of:
1. The sensors, to capture traffic and visualize data on the GUI.
2. The Center, to configure the network interfaces that collect data from the sensors and
to install the Cisco Cyber Vision software.
If they are not installed yet, please refer to the corresponding quickstart guides.
If everything is ready to start using the GUI, note that at least one sensor has to be
enrolled so that you can start working with the GUI. To do so, please refer
to the Managing the sensors (page 116) section in this documentation.

2.2 Cisco Cyber Vision overview


One of the aims of the Cisco Cyber Vision GUI (Graphical User Interface) is to provide an
easy-to-use, real-time visualization of industrial networks. Access to some features may
depend on the license subscribed to and on the user rights assigned. The application is
collaborative, which means that actions performed may have an impact on the other users of
the platform and be visible to them.


3 Understanding concepts
3.1 Preset
As getting to know an industrial network can be really challenging, presets have been created to
help you navigate through its numerous data.
A preset is a set of criteria. This concept is fundamental to Cisco Cyber Vision and
allows you to explore the network in detail, starting from what you need to see. For example, if
you are an automation engineer you could be interested in knowing which PLCs are writing
variables. To reach this data, you just need to access one Preset (e.g. OT) and select two
criteria (e.g. PLC and Write Var). Think of a preset as a magnifying glass through which you can see
details of a big network by choosing the metadata processed by Cisco Cyber Vision that
meet your business requirements. Several types of view are available to give you full
visibility of the results, from different perspectives.
Some generic presets are available by default. You can start by playing with these to
see what they have to offer. They have been created according to the recommendations
and main categories listed in Cisco's playbooks, which are the following:
■ Basics, to see all data, or filter data to IT or OT components.
■ Asset management, to identify and make an inventory of all assets associated with
OT systems, OT process facilities and IT components.
■ Communications management, to see flows according to their nature (OT, IT, IT
infrastructure, IPv6 communications, Microsoft flows).
■ Security, to control remote accesses and insecure activities.
■ Control system integrity, to check the state of industrial processes.
■ Network quality, to see network detection issues.
The category My Preset contains customized presets. You can create presets using
criteria to meet your own business logic. However, as Cisco Cyber Vision is a collaborative
application, keep in mind that customizations on presets are persistent and
impact other users.

3.2 Filters
A preset is defined by criteria to be matched. Criteria are sets of filters that are used to
refine a dataset.
Criteria are mainly based on tags, which are metadata of your network attached to Components
and Activities. However, if applicable, criteria can also rely on networks (if created using
IP addresses or VLAN IDs), groups of components (if created) and sensors (if several are
used by the Center). Thus, filters are distributed under the following menus:


Network filtering:
If you expand the Networks menu, a message displays explaining how to use it and
indicating that this category of filters will apply to the selected preset only.

Because this filter is based on the IP addresses and VLANs used on the network, it is the
finest way to manage your dataset by subnetwork (a sensor may capture traffic from
several subnetworks).
Data filtered with a subnetwork's IP address:


Tip: Afterward, you can create groups and presets based on this filter.
Tag filtering:
If you expand the Component tags and Activity tags menus, you will find categories that
contain tags.


Besides the fact that the selection of tags is flexible and precise (you can select tags
individually, or collectively by selecting their category), it is useful to know how filtering
rules are applied in order to use them well. Refer to the subsections of this
chapter.

3.2.1 Inclusive filtering


Inclusive filtering relies on the selection of tags of the same type (there are two types of
tags: component tags and activity tags).
Inclusive filtering follows the "or" rule: when you select several tags of the same
type, elements are added to the corresponding list even if they only partially match
the request. By partially, it is meant that a result of an inclusive filtering
contains elements marked with the requested tag and any other tag. As a consequence,
once you have selected a tag, the more tags you add to the selection, the more results
you get. This is not the case with restrictive filtering.
When using inclusive filtering, preferably use the list view that corresponds to your
selection (i.e. the Component list or the Activity list).
In the example below, we first view the general results on the Dashboard and then switch to
the Component list view. In such a case, results would not be relevant on the
Activity list view. For more information about the different views available, refer to Preset
views (page 61).
Example:
The Dashboard of the Preset All data shows 147 components and 299 activities on the
network.


1. I select Device Level 0-1 (1 component) and Device Level 2 (31 components) under
the Component tags menu.
2. As a result, I get 29 components in the Component list.
Note
You would expect 32 components; instead you get 29. This is because of
aggregated components. For more information, refer to Aggregation of
components (page 21).


3.2.2 Restrictive filtering


Restrictive filtering relies on the selection of tags of different types (there are two types
of tags: component tags and activity tags).
Restrictive filtering follows the "and" rule: when you select tags of different
types, and thus make a cross-selection, an element displays only if it answers
positively to both requests. If an element is marked with the tag requested in the
Component tags menu, but is not marked with the tag requested in the Activity tags
menu, it is rejected. As a consequence, the more tags you select, the fewer results you
get, at least in the first instance. We will explain why below.
When using restrictive filtering, preferably use a view with crossed data such as the
Dashboard and the Map Expert/Simple.
In the example below, results appear on the Dashboard but can also be seen on the
Maps. Results displayed in the Component and Activity list views can be irrelevant, or
preferred for advanced use. For more information about the different views available,
refer to Preset views (page 61).
Example:
Example:


The Dashboard of the Preset All data shows 147 components and 299 activities on the
network.

1. I select Device - Level 0-1 and Device - Level 2 under the Component tags menu.
2. As a result, I get 29 components and 96 activities on the Dashboard.

Up to here, an inclusive filtering is performed because the selection is limited to tags
of the same type. This selection means "I want to see all components categorized as
Device - Level 0-1 and 2". Thus, the components marked with the corresponding tags
display, as well as their activities.
3. I select Control system behavior under the Activity tags menu.
4. As a result, I get 28 components and 27 activities on the Dashboard.

The number of results decreases because a cross-selection on different types of tags is
performed. This selection means "I want to see the control system behaviors on the
components categorized as Device - Level 0-1 and 2". Thus, only components marked
with the corresponding tags AND having such activities display.
5. I select Protocol under the Activity tags menu.
6. As a result, I get 29 components and 88 activities on the Dashboard.

The number of components and activities increases again. Why? Because I am
adding one criterion to my request and enlarging the scope of the search.
This selection means "I want to see control system behaviors and protocols on the
components categorized as Device - Level 0-1 and 2".

3.2.3 Negative filtering


Negative filters are used to remove from a list the elements you don't need. To set a tag as
negative, just click twice on a tag in the list, and a red cross displays.
Once you set a tag as negative, it may be rejected from the list of components or activities.
However, a component or an activity is removed only if there is a perfect match between
the tags from the list and the ones attached to the element. That is, if the element is
marked with an additional tag, it will remain in the list. If you want to remove it, then you
must set the other tag as negative too.
The reason for this behavior is that a negative filter is strict, meaning it applies only if the
match is complete. If it's not, the data is considered possibly still useful. That's why
you need to explicitly tell the application "I don't need this data" by setting a precise
tag as negative.
Example:
In the Preset All data, we set the broadcast and multicast tags as negative. Accordingly,
activities marked with these tags shouldn't display on the Activity list. However, as you'll
probably see in your instance, some are still in the list.
Broadcast and multicast tags set as negative:


The Activity list when setting broadcast and multicast tags as negative:


Any activity tagged as broadcast/multicast is removed from the list if that tag stands alone.
However, activities marked with other tags as well (ARP, Low Volume, VNET/IP in the example
above) still appear.
Let's try to set VNET/IP as negative too.
Broadcast, multicast and VNET/IP tags set as negative:

The Activity list when setting broadcast, multicast and VNET/IP tags as negative:

With the VNET/IP tag set as negative, activities tagged with Broadcast, Multicast and
VNET/IP disappear from the list.
Activities marked with one of these three tags plus any other tag (such as Low Volume or
ARP above) remain in the list.
This behavior allows you to keep reducing your list gradually without missing any
potentially important data in the meantime.
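The three filtering rules of sections 3.2.1 to 3.2.3 (inclusive "or" within one tag type, restrictive "and" across tag types, strict negative match) as an added worked model in Python. This is example code written for this edit, not Cisco Cyber Vision code; the sample components and activities, and the rule that an activity is kept when at least one endpoint is a selected component, are assumptions.

```python
"""Model of Cisco Cyber Vision preset filtering (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    tags: FrozenSet[str]          # component tags, e.g. "Device - Level 2"


@dataclass(frozen=True)
class Activity:
    src: str                      # source component name
    dst: str                      # destination component name
    tags: FrozenSet[str]          # activity tags, e.g. "Control system behavior"


def inclusive(elements, selected: FrozenSet[str]) -> list:
    """Inclusive ('or') rule, section 3.2.1: with several tags of the same type
    selected, an element stays if it carries at least one of them, whatever
    other tags it has.  An empty selection keeps everything."""
    if not selected:
        return list(elements)
    return [e for e in elements if e.tags & selected]


def negative(elements, neg: FrozenSet[str]) -> list:
    """Negative rule, section 3.2.3: strict match.  An element is removed only
    when every tag it carries is negative; one extra tag keeps it in the list."""
    return [e for e in elements if not (e.tags and e.tags <= neg)]


def apply_preset(components: Iterable[Component], activities: Iterable[Activity],
                 comp_tags: FrozenSet[str] = frozenset(),
                 act_tags: FrozenSet[str] = frozenset(),
                 neg_tags: FrozenSet[str] = frozenset()
                 ) -> Tuple[List[Component], List[Activity]]:
    """Return the (components, activities) a preset with these criteria shows."""
    comps = inclusive(components, comp_tags)
    acts = inclusive(activities, act_tags)
    if comp_tags:
        # Selected components display together with their activities.
        # Assumption: an activity is kept if at least one endpoint is selected.
        names = {c.name for c in comps}
        acts = [a for a in acts if a.src in names or a.dst in names]
    if act_tags:
        # Restrictive ('and') rule, section 3.2.2: crossing tag types keeps a
        # component only if it takes part in an activity matching the activity tags.
        involved = {a.src for a in acts} | {a.dst for a in acts}
        comps = [c for c in comps if c.name in involved]
    return negative(comps, neg_tags), negative(acts, neg_tags)


def counts(components, activities, **criteria) -> Tuple[int, int]:
    """Dashboard-style summary: (number of components, number of activities)."""
    comps, acts = apply_preset(components, activities, **criteria)
    return len(comps), len(acts)


# Constructed sample network (not real data); tag names follow the guide.
SAMPLE_COMPONENTS = [
    Component("PLC-1", frozenset({"Device - Level 2", "PLC"})),
    Component("IO-1", frozenset({"Device - Level 0-1"})),
    Component("HMI-1", frozenset({"Device - Level 2", "HMI"})),
    Component("ENG-1", frozenset({"Engineering station"})),
    Component("BCAST", frozenset({"Broadcast"})),
]
SAMPLE_ACTIVITIES = [
    Activity("PLC-1", "IO-1", frozenset({"Control system behavior"})),
    Activity("ENG-1", "PLC-1", frozenset({"Protocol", "Control system behavior"})),
    Activity("ENG-1", "HMI-1", frozenset({"Protocol"})),
    Activity("HMI-1", "BCAST", frozenset({"Broadcast"})),
    Activity("PLC-1", "BCAST", frozenset({"Broadcast", "ARP"})),
]

LEVELS = frozenset({"Device - Level 0-1", "Device - Level 2"})
CSB = frozenset({"Control system behavior"})

if __name__ == "__main__":
    # Same progression as the guide: results shrink on the cross-selection,
    # then grow again when a second activity tag widens the request.
    print("levels only:", counts(SAMPLE_COMPONENTS, SAMPLE_ACTIVITIES, comp_tags=LEVELS))
    print("+ control system behavior:",
          counts(SAMPLE_COMPONENTS, SAMPLE_ACTIVITIES, comp_tags=LEVELS, act_tags=CSB))
    print("+ protocol:", counts(SAMPLE_COMPONENTS, SAMPLE_ACTIVITIES,
                                comp_tags=LEVELS, act_tags=CSB | {"Protocol"}))
    print("broadcast/multicast negative:",
          counts(SAMPLE_COMPONENTS, SAMPLE_ACTIVITIES,
                 neg_tags=frozenset({"Broadcast", "Multicast"})))
```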

3.3 Component
A component represents an object of the industrial network like a PLC, a PC, a SCADA
station, a network interface, etc. In the GUI, a component is shown as an icon in a box,
either the manufacturer icon (if detected), or a more specific icon (for instance for a
known PLC model), a default cogwheel, a planet for a public IP, etc.
Some examples of icons:

■ Manufacturer icons: the icon of the detected manufacturer.
■ Siemens PLC icons: an S7-300 PLC; a Scalance X300 switch.
■ Default cogwheel: the manufacturer has not been detected yet by Cisco Cyber Vision, OR
the manufacturer has not been assigned a specific icon in Cisco's icon library.
■ Public IP: a planet icon.
■ Broadcast: a broadcast destination component.

Components can have a black and/or red counter badge:
■ Black counter badges display the number of aggregated components. Aggregations
are represented under a single component. If you click on an aggregation, the details
of the components appear on the right side panel. Aggregations are visible on the
Maps Expert and Simple, and on the Component list. For more information, refer to
Aggregation of components (page 21).
■ Red counter badges display the number of vulnerabilities detected on the
component. For more information, refer to Vulnerabilities (page 37).
In Cisco Cyber Vision, components are detected from the properties (page 36) MAC
address and (if applicable) IP address.
Note
MAC addresses identify the physical interfaces in the network, whereas the attribution of IP
addresses depends on the network configuration.

To be detected by Cisco Cyber Vision, an object needs to have some network activity
(emission or reception). Thanks to Deep Packet Inspection technology, detailed
information about a component is provided in the GUI. Thus, information like IP address,
MAC address, manufacturer, first and last activity, tags, OS, model and firmware version
depends on the data retrieved from the network. Data originates from the
communications (i.e. flows (page 26)) exchanged between the components.
When you click a component on a Map or in a list, a side panel (page 71) opens on the right
with the component's detailed information.

3.3.1 Aggregation of components


An aggregation is a cluster of components that have been brought together because they
have similar properties. In fact, components can share an IP address, a MAC address or a
Netbios name. Highlighting such aggregations allows you to spot the type and function
of such clusters of components in the industrial network. Thus, aggregations can uncover
devices such as PLCs and routers, several Ethernet interfaces with the same Netbios
name, and broadcast communications.
The different types of aggregation are defined in Cisco Cyber Vision as follows:
■ Several components have the same MAC and the same IP address. The
aggregation is qualified as rack.
■ Several components have the same MAC. These components may be located behind
a router. The aggregation is qualified as router by default.
■ Several components have the same Netbios name. These components are the same
machine with different network interfaces. Thus, the aggregation is qualified as
Netbios.
■ Several components have the same MAC (FF:FF:FF:FF:FF:FF) and a broadcast
address, usually the last address of a subnet (e.g. in the 192.168.1.0/24
network, the broadcast address is 192.168.1.255) or the IP address 255.255.255.255.
Since this type of communication often produces network pollution, it is
represented separately, with its own components. The aggregation is qualified as
broadcast.
■ Particular case: Several components have the same IP address. It is assumed that
these components are actually a single component seen through different sensors.
The aggregation is qualified as IP.
Aggregations of components are fully visible in the Map - Simple and the Component list
views. The Map - Expert view, though, only shows aggregations by IP address,
independently of the aggregation types listed above.
In any of these views, aggregations are highlighted by a black counter badge.
Black counter badges display the number of aggregated components.
Aggregations are represented under a single component. If you click on
an aggregation, the details of the components appear on the right side panel.
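The aggregation types above, and the difference between the Map - Simple / Component list views (all types) and the Map - Expert view (IP only), as an added Python model. This is example code written for this edit, not Cisco's implementation; the sample components, the list of known subnets used to recognise broadcast addresses, and the precedence in which the rules are tried (broadcast first, so that components sharing the FF:FF:FF:FF:FF:FF MAC are not mistaken for a router aggregation) are assumptions.

```python
"""Model of Cisco Cyber Vision component aggregation (added example, not Cisco code)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Hashable, Iterable, List, Optional

BROADCAST_MAC = "FF:FF:FF:FF:FF:FF"


@dataclass(frozen=True)
class Component:
    name: str
    mac: str
    ip: Optional[str] = None
    netbios: Optional[str] = None


@dataclass
class Aggregation:
    kind: str            # rack, router, netbios, broadcast or ip
    members: List[str]   # component names; len(members) is the black counter badge


def is_broadcast_ip(ip: Optional[str], networks) -> bool:
    """True for 255.255.255.255 or the broadcast address of a known subnet."""
    if ip is None:
        return False
    addr = ip_address(ip)
    return str(addr) == "255.255.255.255" or any(addr == n.broadcast_address for n in networks)


def _cluster(remaining: List[Component], key: Callable[[Component], Optional[Hashable]],
             kind: str, out: List[Aggregation]) -> None:
    """Group the not-yet-aggregated components by key; every group of two or
    more becomes one aggregation and its members leave the pool."""
    groups: Dict[Hashable, List[Component]] = defaultdict(list)
    for c in remaining:
        k = key(c)
        if k is not None:
            groups[k].append(c)
    for members in groups.values():
        if len(members) >= 2:
            out.append(Aggregation(kind, [c.name for c in members]))
            remaining[:] = [c for c in remaining if c not in members]


def aggregate(components: Iterable[Component], networks, view: str = "simple") -> List[Aggregation]:
    """Aggregations as the Map - Simple / Component list (all types) or the
    Map - Expert view (IP only) would show them."""
    remaining = list(components)
    out: List[Aggregation] = []
    if view == "expert":
        _cluster(remaining, lambda c: c.ip, "ip", out)
        return out
    # Assumption: rules are tried in this order and a component joins only the
    # first aggregation that fits.  Broadcast goes first because its components
    # share the FF:FF:FF:FF:FF:FF MAC and would otherwise look like a router.
    rules = [
        ("broadcast", lambda c: "bcast" if c.mac.upper() == BROADCAST_MAC
                                 and is_broadcast_ip(c.ip, networks) else None),
        ("rack", lambda c: (c.mac.upper(), c.ip) if c.ip else None),   # same MAC + same IP
        ("router", lambda c: c.mac.upper()),                           # same MAC only
        ("netbios", lambda c: c.netbios),                              # same NetBIOS name
        ("ip", lambda c: c.ip),                                        # same IP, other MACs
    ]
    for kind, key in rules:
        _cluster(remaining, key, kind, out)
    return out


def badge_summary(aggs: List[Aggregation]) -> Dict[str, List[int]]:
    """Counter badge sizes per aggregation type, sorted, for easy comparison."""
    summary: Dict[str, List[int]] = defaultdict(list)
    for a in aggs:
        summary[a.kind].append(len(a.members))
    return {k: sorted(v) for k, v in summary.items()}


# Constructed sample (MACs, IPs and names invented for the example).
NETWORKS = [ip_network("192.168.1.0/24")]
SAMPLE = [
    Component("CPU 315-2 DP", "00:1B:1B:00:00:01", "192.168.1.10"),   # rack: CPU and
    Component("CP 343-1", "00:1B:1B:00:00:01", "192.168.1.10"),       # modules share
    Component("IM 153-4", "00:1B:1B:00:00:01", "192.168.1.10"),       # MAC and IP
    Component("behind-router-A", "00:50:56:00:00:02", "10.0.0.5"),    # router: same
    Component("behind-router-B", "00:50:56:00:00:02", "10.0.0.6"),    # MAC, other IPs
    Component("SCADA01 eth0", "00:0C:29:00:00:03", "192.168.1.20", "SCADA01"),
    Component("SCADA01 eth1", "00:0C:29:00:00:04", "192.168.2.20", "SCADA01"),
    Component("bcast-subnet", BROADCAST_MAC, "192.168.1.255"),
    Component("bcast-limited", BROADCAST_MAC, "255.255.255.255"),
    Component("dup-ip sensor1", "00:11:22:00:00:05", "10.1.1.1"),     # same IP seen
    Component("dup-ip sensor2", "00:11:22:00:00:06", "10.1.1.1"),     # by two sensors
    Component("lonely", "00:11:22:00:00:07", "10.9.9.9"),             # not aggregated
]

if __name__ == "__main__":
    print("Map - Simple:", badge_summary(aggregate(SAMPLE, NETWORKS)))
    print("Map - Expert:", badge_summary(aggregate(SAMPLE, NETWORKS, view="expert")))
```

In the Expert view the rack collapses into a plain IP aggregation of three, and the router, NetBIOS and broadcast clusters are not shown at all, which is the difference the summary table below describes.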
Examples:
Rack type representation (same MAC, same IP):
A rack type aggregation's right side panel in the Map - Simple view:


In the Map - Simple view, components are aggregated by MAC and IP addresses and
Netbios name. Here you have an example of how racks are represented.
Racks, whose special characteristic is to have components with the same MAC and the
same IP address, are especially well handled in Cisco Cyber Vision's Map - Simple view.
The PLC is represented first (1), and its modules are listed below it (2).
A rack type aggregation's right side panel in the Map - Expert view:


In the Map - Expert view, components are aggregated by IP address. The same rack as
above is used in this example.
The benefit of checking an aggregation's right side panel in the Map - Expert view is that
you can see specific information about each component of the aggregation.

Summary of the different types of aggregation per view:

View            Visibility (black counter badge)   Aggregation            Aggregation type
Dashboard       No                                 by IP, MAC, NetBIOS    Rack, router, NetBIOS, Broadcast, IP aggregation
Map - Expert    Yes                                by IP                  IP aggregation
Map - Simple    Yes                                by IP, MAC, NetBIOS    Rack, router, NetBIOS, Broadcast, IP aggregation
Purdue Model    No                                 -                      -
Component list  Yes                                by IP, MAC, NetBIOS    Rack, router, NetBIOS, Broadcast, IP aggregation
Activity list   No                                 -                      -
Mini Map        No                                 -                      -

3.4 Activity
An activity is the representation of the communications exchanged between two
components (page 19). It is recognizable on the Maps by a line (or an arrow if the source
and destination components are known) which links one component to another:

An activity between two components is actually a simplified view of the flows (page 28)
exchanged. You can have many types of flows going in both directions inside an activity
represented in the Maps.
When you click on an activity in a Map, a right side panel opens, containing:
■ The date of the first and last communication between the two components.
■ Details about the components (name, IP, MAC and if applicable the group they are
part of, their criticality).
■ The tags on the flows.
■ The number of flows.
■ The number of packets.

■ The volume of data exchanged.
■ The number of events.
■ A button to access the technical sheet (page 72) that shows more details about tags
and flows.

Having a component in your Map with no activity does not mean that it did not have any
interaction. In fact, a component can only be detected if at some point it has been
involved in a network activity (communication emission/reception). Lack of activity can
mean that the other linked component is not part of the preset selected and so doesn't
display.
Aggregate activities:


Use the Aggregate activities button at the lower left side of the Map view to turn on/off
the simplified view of the activities between groups. This feature is turned on by default.

3.5 Flow
A flow is a single communication exchanged between two components. A group of flows
forms an activity (page 26), which is identifiable in the Maps by a line that links one
component to another. You can see flows by accessing a Technical sheet (page 72) and
then by clicking the Activity tab, or directly by clicking the number of flows on the right
side panel (page 71).


The Activity tab contains a list of flows which gives you detailed information about each
single flow: number of flows in the activity, source and destination components (if
known), ports used, first and last activity, and tags which characterize each flow.

The number of flows can be very large (there could be thousands). Consequently,
filters are available in the table to narrow down flows by typing a component or a port, selecting
tags, etc.

You can click on each flow in the list to access the flow's technical sheet for
further information about the flow's properties and tags.


3.6 Time span


Because Cisco Cyber Vision is a real-time monitoring solution, the Map is continuously
updated with network data. Thus, you can visualize the network activity during a defined
period of time by selecting a time span.
Time span is available on each preset's view.

Note
No data being displayed is often due to a time span set on an empty period. Remember to first
set a long period of time (such as This Year) before starting to troubleshoot.

Time span can be toggled between two modes:

■ Live mode enabled is meant to see everything that has happened from the selected
period of time (or a custom period) up to now. Use this mode to display less data on
the view you're on and to watch data evolve in real time (data updates every 10
seconds). It is advised to use this mode for short periods of time.
To set the live mode, click the Live button and select one of the options.

■ Live mode disabled is meant to see everything that has happened during the
selected period of time by setting its start and end. This mode is used to view
historical data by selecting a period of time from the past in the calendar. You can
use this mode, for example, to check the network activity after an on-site intrusion
or accident. This mode allows you to select any period of time and move around
within it thanks to a player.
1. Click the period of time to set it in the calendar. Click the select time button to set a
more precise period of time. Once set, the length of the selected period displays in
brackets.
Note
The value is set to 1 hour the first time you connect to Cisco Cyber Vision. On later
connections, the last selection made when leaving the session is kept.

2. Once the period of time is selected with live mode disabled, use the buttons available
on the right to move through the period of time.
The step of the buttons that move through time is set by selecting a coefficient under
the Speed button (see the corresponding values below).
Press Play to replay past data. Data moves according to the speed set and refreshes
every 10 seconds. If you don't press Pause, data keeps playing until the live mode is
reached (the Live button turns red in this case). Otherwise, you can use the Resume
to Live button.

Buttons to move within the period of time selected:

■ Buttons to move through time (1)


■ Play/Pause button (2)
■ Resume to Live button (3)
■ Speed button (4)

The Speed button's coefficient in minutes/seconds (step covered per 10-second refresh):

10s x 1   = 10s
10s x 2   = 20s
10s x 4   = 40s
10s x 8   = 1m20s
10s x 16  = 2m20s
10s x 64  = 10m60s
10s x 128 = 21m30s

Recommendations:
Generally, you can set the time period to 2 days. This setting is convenient to have an
overall view of most supervised standard network activities. This includes daily activities
such as maintenance checks and backups.
However, there are many cases where the time frame should be adjusted:
■ Live mode enabled:
♦ Set a period of 5 minutes to have more visibility on what is currently
happening on the network.
♦ Set a period of a few hours to have a view of the daily activity or set
a time to see what has happened during the night, the week-end,
etc.
■ Live mode disabled:
♦ Set limits to visualize what happened during the night/week-end.
♦ Set limits to focus on a time frame close to a specific event.

3.7 Tags
What are tags?

Tags are meaningful labels that succinctly describe a network. They can be applied to
components or activities. Some of them are red because they are considered important.
Each tag has a description and an icon color which corresponds to its category.

More specifically, tags are metadata on components (page 19) and activities (page 26).
Tags are generated according to the properties (page 36) of components and activities.
Thus, there are two types of tags:
■ Component tags (1) which describe the functions of the component and are
correlated to its properties.
■ Activity tags (2) which describe the protocols used and are correlated to its
properties. An activity tag is generated at the level of a flow and synthesized at the
level of an activity (which is a group of flows between two components).
Each tag is classified under categories, which you can find in the filtering area, and
applies to a component or an activity.
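The relationship between flows (page 26) and activities, and the way an activity tag is synthesized from its flows, can be modelled in a few lines. The following is an added example, not Cisco Cyber Vision code: the Flow and Activity fields, the set of "important" tags and the sample flows (an HMI reading and writing S7 variables on a PLC, and the PLC querying a time server) are constructed assumptions.

```python
# Added example (not Cisco Cyber Vision code): how per-flow records between two
# components aggregate into one activity, and how activity tags are synthesized
# from the tags of the individual flows. Field names, the set of "important"
# tags and the sample flows below are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Assumed: tags the guide would show in red (considered important).
IMPORTANT_TAGS = {"Write Var", "Stop CPU", "Start CPU"}


@dataclass
class Flow:
    """One communication between two endpoints, as produced by DPI on a sensor."""
    src: str
    dst: str
    src_port: int
    dst_port: int
    packets: int
    volume: int            # bytes exchanged
    first_seen: datetime
    last_seen: datetime
    tags: FrozenSet[str]   # flow-level tags (protocol and operation)


@dataclass
class Activity:
    """All flows between one pair of components: one line on the Map."""
    endpoints: Tuple[str, str]
    flows: int = 0
    packets: int = 0
    volume: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    tags: Set[str] = field(default_factory=set)

    def important_tags(self) -> List[str]:
        """Tags that would be displayed in red on the activity."""
        return sorted(self.tags & IMPORTANT_TAGS)


def activity_key(flow: Flow) -> Tuple[str, str]:
    # An activity is undirected: A->B and B->A flows belong to the same line.
    a, b = sorted((flow.src, flow.dst))
    return (a, b)


def aggregate(flows: List[Flow]) -> Dict[Tuple[str, str], Activity]:
    """Group flows by component pair; counts add up, time bounds widen, tags union."""
    activities: Dict[Tuple[str, str], Activity] = {}
    for f in flows:
        key = activity_key(f)
        act = activities.setdefault(key, Activity(endpoints=key))
        act.flows += 1
        act.packets += f.packets
        act.volume += f.volume
        act.first_seen = f.first_seen if act.first_seen is None else min(act.first_seen, f.first_seen)
        act.last_seen = f.last_seen if act.last_seen is None else max(act.last_seen, f.last_seen)
        act.tags |= f.tags     # activity tags are synthesized from all flow tags
    return activities


# Constructed sample: an HMI reading and writing variables on a PLC over S7
# (TCP/102), and the PLC querying a time server over NTP (UDP/123).
T0 = datetime(2020, 11, 17, 8, 0, 0)
SAMPLE_FLOWS = [
    Flow("192.0.2.20", "192.0.2.10", 49152, 102, 120, 9600,
         T0, T0 + timedelta(minutes=10), frozenset({"S7", "Read Var"})),
    Flow("192.0.2.20", "192.0.2.10", 49153, 102, 40, 3200,
         T0 + timedelta(minutes=5), T0 + timedelta(minutes=6), frozenset({"S7", "Write Var"})),
    Flow("192.0.2.10", "192.0.2.20", 102, 49152, 118, 9400,
         T0, T0 + timedelta(minutes=10), frozenset({"S7"})),
    Flow("192.0.2.10", "192.0.2.50", 123, 123, 12, 912,
         T0 + timedelta(minutes=1), T0 + timedelta(minutes=9), frozenset({"NTP", "Time Server"})),
]


if __name__ == "__main__":
    for key, act in aggregate(SAMPLE_FLOWS).items():
        print(f"{key[0]} <-> {key[1]}: {act.flows} flows, {act.packets} packets, "
              f"{act.volume} bytes, tags={sorted(act.tags)}, important={act.important_tags()}")
```

The three S7 flows collapse into one activity whose tag set carries Write Var, which is exactly the red tag a reader would look for on the Map; the single NTP flow forms a second activity.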
The component tags categories (Device - Level 0-1, Device - Level 2, etc.) and some tags
(IO Module, Wireless IO Module) in the filtering area:

Note
Device levels are based on the definitions presented in the ISA-95 international standard.

What are tags used for?

Exploration of the network and of Cisco Cyber Vision is mainly led by tags. The criteria
set on presets are largely based on tags to filter (page 7) the different views.
Tags are also used to define behaviors (for example in the Monitor mode) inside an
industrial network when combined with information like source and destination ports
and flow properties.
Where to find tags?
You will find tags almost everywhere in Cisco Cyber Vision. From criteria, which are based
on tags to filter network data, to the different views available. Views take different
perspectives and have different approaches concerning tags. For example, the dashboard
shows the preset's results bringing out tags over other correlated data, while a
component list highlights components over data like tags. Refer to the different types of
view (page 57) to know more about them.
If you want to know more about a tag, access the Basic tab inside a technical sheet (page
72) to see the tags' definition marked on a component and an activity.
Some definitions of tags inside an activity's technical sheet:

3.8 Properties
What are properties?
Properties are information such as IP and MAC addresses, hardware and firmware
versions, serial number, etc. that qualify components and flows. The sensor extracts
flows properties from the packets captured. The Center then deduces components
properties from flows properties. Some properties are normalized for all components
and some properties are protocol or vendor specific.
What are properties used for?
Besides providing further details about components and flows, properties are
crucial in Cisco Cyber Vision to generate tags (page 33). Combinations of properties
and tags are used to define behaviors (for example in the Monitor mode) inside the
industrial network.
Where to find properties?
Properties are visible from components' right side panels (page 71) and technical sheets
(page 72) under the tab Basics.
A component's properties inside its technical sheet with normalized properties on the left
column, and protocol and vendor specific properties on the right column:

Note
Protocol and vendor specific properties evolve as more protocols are supported by Cisco Cyber
Vision.

3.9 Vulnerability
What are vulnerabilities?
Vulnerabilities are weaknesses detected on components that can be exploited by a
potential attacker to perform malevolent actions on the network.
Vulnerabilities are detected in Cisco Cyber Vision thanks to rules stored in the Knowledge
DB. These rules are sourced from several CERTs (Computer Emergency Response Team),
manufacturers and partner manufacturers (Schneider, Siemens...).
Technically, vulnerabilities are generated from the correlation of the Knowledge DB rules
and normalized component properties. A vulnerability is detected when a component
matches a Knowledge DB rule.
IMPORTANT
It is important to update the Knowledge DB (page 114) in Cisco Cyber Vision as soon as possible
after notification of a new version to be protected against vulnerabilities.

What are vulnerabilities used for?


Example of a Siemens component's vulnerability visible on its technical sheet under the
Security tab:

Information displayed about vulnerabilities (1) includes the vulnerability type and
reference, possible consequences and solutions or actions to take on the network. Most
of the time though, it is enough to upgrade the component firmware. Some links to the
manufacturer website are also available for more details on the vulnerability.

A score reports the severity of the vulnerability (2). This score is calculated based on
criteria from the Common Vulnerability Scoring System (CVSS).
Criteria include, for example, the ease of attack, its impact, the importance of the
component on the network, and whether actions can be taken remotely or not. The
score ranges from 0 to 10, with 10 being the most critical.
You also have the option to acknowledge a vulnerability (3) if you don't want to be
notified about it anymore. This is used, for example, when a PLC is detected as
vulnerable but a firewall or a security module is placed in front of it, so that the
vulnerability is mitigated. An acknowledgment can be canceled at any time. Vulnerability
acknowledgment/cancelation is accessible to Admin, Product and Operator users only.
Where to find vulnerabilities?
Vulnerabilities are accessible through the Vulnerability dashboard (page 60) of a preset.
Also, you can see vulnerabilities through the Component list. Sort the vulnerability
column to bring vulnerable components up:

Moreover, vulnerabilities are pointed out in the Maps by a component with a red counter
badge (4). If you click this component, its side panel opens on the right with the number
of vulnerabilities evidenced in red (5).

Clicking the vulnerabilities displayed in red (5) (in the figure above) opens the
component's technical sheet with further details about all its vulnerabilities:

However, you'll be notified by an event (page 40) each time a component is detected as
vulnerable. One event is generated per vulnerable component. An event is also generated
each time a vulnerability is acknowledged or a component is no longer vulnerable.

3.10 Events
Events are used to identify and keep track of significant activities on the network and on
Cisco Cyber Vision. It can be an activity, a property or a change whether it concerns
software or hardware parts.
For instance, an event can be:
■ A wrong password entered on Cisco Cyber Vision's GUI.
■ A new component which has been connected to the network.
■ An anomaly detected on the Monitor Mode.
■ A component detected as vulnerable.
Events are visible in the Events page (page 76).

New events may be generated when the database is updated (in real-time or each time
an offline capture is uploaded to Cisco Cyber Vision) with a severity level (Critical, High,
Medium and Low) customizable through the Events administration page (page 126).
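To make the vulnerability mechanism of section 3.9 concrete, together with the per-component events this section describes, here is an added example that is not Cisco Cyber Vision code. It correlates a constructed set of Knowledge DB style rules with normalized component properties (vendor, model, firmware), carries a CVSS score per rule, lets a user acknowledge a vulnerability, and emits one event per vulnerable component plus one per acknowledgment. The rule format, property names, firmware versions, the CVE ids of the form CVE-0000-0000x and the default severity of an acknowledgment event are all assumptions, not real Knowledge DB entries.

```python
# Added example (not Cisco Cyber Vision code): the correlation the guide
# describes between Knowledge DB rules and normalized component properties,
# plus CVSS-based severity, the acknowledgement option and the events of
# section 3.10. Rule format, property names, versions and the CVE ids
# (CVE-0000-0000x) are constructed placeholders, not real entries.
from typing import FrozenSet, List, Set, Tuple

# Assumed rule format: a rule matches when vendor and model are equal and the
# component's firmware version is older than the version that fixed the issue.
RULES = [
    {"cve": "CVE-0000-00001", "vendor": "ExampleVendor", "model": "PLC-1000",
     "fixed_in": "4.3.0", "cvss": 7.5, "action": "Upgrade firmware to 4.3.0 or later"},
    {"cve": "CVE-0000-00002", "vendor": "ExampleVendor", "model": "PLC-1000",
     "fixed_in": "4.1.0", "cvss": 9.8, "action": "Upgrade firmware to 4.1.0 or later"},
    {"cve": "CVE-0000-00003", "vendor": "OtherVendor", "model": "HMI-20",
     "fixed_in": "2.0.0", "cvss": 5.3, "action": "Upgrade firmware to 2.0.0 or later"},
]

# Constructed normalized component properties, as the Center would deduce them.
COMPONENTS = [
    {"id": "plc-a", "vendor": "ExampleVendor", "model": "PLC-1000", "firmware": "4.0.2"},
    {"id": "plc-b", "vendor": "ExampleVendor", "model": "PLC-1000", "firmware": "4.2.1"},
    {"id": "hmi-1", "vendor": "OtherVendor", "model": "HMI-20", "firmware": "1.9.0"},
    {"id": "ntp-1", "vendor": "OtherVendor", "model": "NTP-5", "firmware": "1.0.0"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in text.split("."))


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating for a 0-10 base score."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def rule_matches(rule: dict, component: dict) -> bool:
    return (rule["vendor"] == component["vendor"]
            and rule["model"] == component["model"]
            and parse_version(component["firmware"]) < parse_version(rule["fixed_in"]))


def correlate(components: List[dict], rules: List[dict],
              acknowledged: FrozenSet[Tuple[str, str]] = frozenset()) -> Tuple[List[dict], List[dict]]:
    """Return (findings, events): one finding per vulnerable component, and one
    'component vulnerable' event per component with an unacknowledged vulnerability."""
    findings, events = [], []
    for comp in components:
        matched = sorted((r for r in rules if rule_matches(r, comp)),
                         key=lambda r: r["cvss"], reverse=True)
        if not matched:
            continue
        open_cves = [r["cve"] for r in matched if (comp["id"], r["cve"]) not in acknowledged]
        findings.append({
            "component": comp["id"],
            "cves": [r["cve"] for r in matched],
            "open": open_cves,
            "acknowledged": [r["cve"] for r in matched if r["cve"] not in open_cves],
            "max_cvss": matched[0]["cvss"],
            "actions": [r["action"] for r in matched],
        })
        if open_cves:
            worst = max(r["cvss"] for r in matched if r["cve"] in open_cves)
            events.append({"type": "component vulnerable", "component": comp["id"],
                           "severity": severity(worst), "cves": open_cves})
    return findings, events


def acknowledge(acknowledged: Set[Tuple[str, str]], component_id: str, cve: str) -> dict:
    """Record an acknowledgement (e.g. a firewall in front of the PLC mitigates the
    issue) and emit the corresponding event; its default severity is an assumption."""
    acknowledged.add((component_id, cve))
    return {"type": "vulnerability acknowledged", "component": component_id,
            "cve": cve, "severity": "Low"}


if __name__ == "__main__":
    findings, events = correlate(COMPONENTS, RULES)
    for f in findings:
        print(f"{f['component']}: {f['cves']} max CVSS {f['max_cvss']} ({severity(f['max_cvss'])})")
    acks: Set[Tuple[str, str]] = set()
    print(acknowledge(acks, "plc-b", "CVE-0000-00001"))
    print(correlate(COMPONENTS, RULES, frozenset(acks))[1])
```

Note that an acknowledgment silences the event for that component but does not remove the finding from its technical sheet, mirroring the guide's point that an acknowledgment can be canceled at any time; the numeric version comparison is what prevents "4.10.0" from being treated as older than "4.3.0".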

3.11 Credentials
Credentials are logins and passwords that circulate between components over the
network. When unsafe protocols are used, such sensitive data is sometimes carried in
cleartext; and if credentials are visible in Cisco Cyber Vision, then they are potentially
visible to anyone on the network. Credential visibility in Cisco Cyber Vision should raise
awareness of the actions to be taken to properly secure the protocols used on the network.
A component's right side panel showing the number of credentials detected:

Credential frames are extracted from the network thanks to Deep Packet Inspection.
Credentials are then accessible from a component's technical sheet under the Security
tab. You will find the number of credentials found (1), the protocol used (2), and the user
name and password (3) with a button to unveil it (4). If a password is captured on the
network, action should be taken to secure it, whether it is hashed or not.

An unsafe password:

A hashed password:

3.12 Variable accesses

What are variable accesses?
A variable is a container that holds information in a piece of equipment such as a PLC or a
data server (e.g. an OPC data server). There are many different types of variables depending
on the PLC or the server in use. A variable can be accessed over the network by using a
name or a physical address in the equipment memory. Variables are exchanged on the
industrial network between PLCs and servers for process control and supervision
purposes. Variables can be read or written in any equipment according to need.
A variable can be, for example, the current temperature of an industrial oven. This value
is stored in the oven's PLC and can be controlled by another PLC or accessed by a SCADA
system for supervisory purposes. The same value can be read by another PLC which
controls the heating system.
What are variable accesses used for?
Reading and writing variables inside a network is strictly controlled. Particular attention
should be paid when an unplanned change occurs, especially when it comes to a newly
written variable. Indeed, such behavior could be symptomatic of an attacker
attempting to take control of the process. Cisco Cyber Vision reports the variable
messages detected on the equipment of the industrial network.

Variable accesses are detailed inside the component's technical sheet in a sortable table,
containing:
■ The variable's name.
■ The access type (WRITE or READ, but not the value itself).
■ Which component has accessed the variable.
■ The first and last time the component has accessed the variable.

The mention "2 different accesses" (1) indicates that two components have read the
variable.
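The access table above is also what makes an unplanned access stand out. The following added example, which is not Cisco Cyber Vision code, builds that table (variable, READ/WRITE, accessing component, first and last access) from constructed access records, computes the "different accesses" count, and compares a new day's table against a learned baseline so that a WRITE from a component that never wrote before is ranked first. Component names, variable names and the records are constructed assumptions.

```python
# Added example (not Cisco Cyber Vision code): building the per-variable access
# table the guide describes (variable, READ/WRITE, accessing component, first
# and last access) and using it as a baseline to flag unplanned accesses,
# ranking a new WRITE highest. Component names, variable names and the access
# records are constructed.
from datetime import datetime
from typing import Dict, List, Tuple

Access = Tuple[datetime, str, str, str, str]  # (time, accessor, equipment, variable, READ|WRITE)
Key = Tuple[str, str, str, str]               # (equipment, variable, accessor, type)


def build_access_table(records: List[Access]) -> Dict[Key, dict]:
    """Aggregate raw access messages into one row per (equipment, variable, accessor, type)."""
    table: Dict[Key, dict] = {}
    for ts_, accessor, equipment, variable, kind in records:
        if kind not in ("READ", "WRITE"):
            raise ValueError(f"unknown access type {kind!r}")
        row = table.setdefault((equipment, variable, accessor, kind),
                               {"first": ts_, "last": ts_, "count": 0})
        row["first"] = min(row["first"], ts_)
        row["last"] = max(row["last"], ts_)
        row["count"] += 1
    return table


def different_accesses(table: Dict[Key, dict], equipment: str, variable: str) -> int:
    """Number of distinct components that accessed a variable ("2 different accesses")."""
    return len({k[2] for k in table if k[0] == equipment and k[1] == variable})


def detect_unplanned(baseline: Dict[Key, dict], observed: Dict[Key, dict]) -> List[dict]:
    """Report accesses absent from the baseline; new WRITEs first, then new READs."""
    alerts = []
    for key, row in observed.items():
        if key in baseline:
            continue
        equipment, variable, accessor, kind = key
        alerts.append({"severity": "High" if kind == "WRITE" else "Medium",
                       "equipment": equipment, "variable": variable,
                       "accessor": accessor, "type": kind, "first": row["first"]})
    return sorted(alerts, key=lambda a: (a["severity"] != "High", a["first"]))


def ts(hh: int, mm: int, day: int = 17) -> datetime:
    return datetime(2020, 11, day, hh, mm)


# Constructed learning period: the HMI, SCADA and heating PLC only read the oven.
BASELINE_RECORDS: List[Access] = [
    (ts(8, 0, 16), "HMI_1", "PLC_OVEN", "Oven.Temp", "READ"),
    (ts(8, 0, 16), "HMI_1", "PLC_OVEN", "Oven.Setpoint", "READ"),
    (ts(8, 1, 16), "SCADA_1", "PLC_OVEN", "Oven.Temp", "READ"),
    (ts(8, 1, 16), "PLC_HEAT", "PLC_OVEN", "Oven.Temp", "READ"),
]

# Constructed next day: the same reads, a new read from SCADA, and an
# engineering workstation writing the setpoint for the first time.
OBSERVED_RECORDS: List[Access] = [
    (ts(8, 0), "HMI_1", "PLC_OVEN", "Oven.Temp", "READ"),
    (ts(8, 0), "HMI_1", "PLC_OVEN", "Oven.Setpoint", "READ"),
    (ts(8, 2), "SCADA_1", "PLC_OVEN", "Oven.Temp", "READ"),
    (ts(8, 2), "PLC_HEAT", "PLC_OVEN", "Oven.Temp", "READ"),
    (ts(9, 31), "SCADA_1", "PLC_OVEN", "Oven.Setpoint", "READ"),
    (ts(9, 45), "ENG_WS", "PLC_OVEN", "Oven.Setpoint", "WRITE"),
    (ts(9, 50), "HMI_1", "PLC_OVEN", "Oven.Temp", "READ"),
]


if __name__ == "__main__":
    base = build_access_table(BASELINE_RECORDS)
    obs = build_access_table(OBSERVED_RECORDS)
    print("Oven.Temp different accesses:", different_accesses(base, "PLC_OVEN", "Oven.Temp"))
    for alert in detect_unplanned(base, obs):
        print(alert)
```

The baseline here is simply the table learned over an earlier period; in practice that period should be long enough to include maintenance and backup windows, otherwise routine engineering writes show up as alerts.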
Where to find variable accesses?
You can see the number of variable accesses per component in the component list view.
You can sort the var column by ascending or descending number.

Clicking a component from any view opens its right side panel where the number of
variables on this component is indicated.

A detailed list of variable accesses is available under the automation tab on the
component's technical sheet (see the first figure above) and on PLC reports.

3.13 Creating and customizing groups

Accessibility: Admin, Product and Operator users

You can organize components into groups as you wish to add meaning to your network
representation. For example, this can be done according to the components' location,
process, severity, type, etc. You can also create nested groups inside a parent group,
that is, add a group into another group to create several layers and structure the data.
You can use this feature inside the Maps and the Components views.

To create a group:

1. Select one or more components in a Map or the Components view.

Tip: To select several components at once in a Map, click the components while
pressing Shift, or draw a selection box while pressing Ctrl. In the Components view,
use the check boxes.
A My Selection panel opens on the right.

2. Click Manage selection.


3. Click Create a new parent group.
A Create a new parent group window pops up:

4. Customize the group by giving it a description, defining its industrial impact (e.g. as
opposed to a print server, a PLC that controls a robotic arm is highly critical),
changing its color and adding properties.
5. In addition, you can add the group to a parent group if already created.

Note: Groups may lose sight of components depending on the view you are on. For
instance, when switching from the Map - Expert to the Map - Simple view, components
may disappear from the group because component aggregation is different.

To create a parent group:

There are several ways to create a hierarchy among groups:
■ Select two groups and create a group as indicated before.
■ Select a component and move it into a group by clicking the Move selection to existing
group button.
■ Select a group and move it to another group by clicking the same button.
Add group properties:
Adding properties to a group can be useful to store specific information. The labels
available fit the 62443 standard, which specifies policies and requirements for system
security. You can also add custom properties.
To add properties to a group, select a group in the Map and click Edit or Add properties.
Then, choose or define a label and add a value.

Aggregate activities:

Use the Aggregate activities button at the lower left side of the Map view to turn on/off
the simplified view of the activities between groups. This feature is turned on by default.

Lock/unlock a group:
Locking a group:
■ prevents the group and its inner components from changing position when
performing an Autolayout.
■ prevents components from being added to or removed from the group.
■ prevents the group from being deleted.

To switch the Lock toggle button on/off:

1. Click a group.
2. Click the Lock button on the group's icon,
or
click the Edit button on the group's right side panel and toggle the Lock
button on/off.

Groups used as criteria to filter data in Cisco Cyber Vision:

Any groups created will be added into the filters (page 7) to help you refine the dataset
and compose presets.

3.14 Active Discovery

Active Discovery is a feature that enriches the data collected on the network. As opposed
to the passive traffic capture principle on which Cisco Cyber Vision relies and was
originally built around, Active Discovery is an optional feature that explores the network
in an active way.

The reason is that some components are sometimes not found by Cisco Cyber Vision
because those devices haven't communicated since the solution started running on
the network. Moreover, some information, like the firmware version, can be difficult to
obtain because it is not exchanged often between components.
With Active Discovery enabled on selected presets, broadcast messages are sent to
the targeted subnetwork through the sensors to speed up network discovery. The
returned responses are then analyzed through Deep Packet Inspection and tagged as
Active Discovery, together with the additional information found. Thus, components and
activities are clarified with additional and more reliable information than what is usually
found through passive DPI.
Active Discovery jobs are launched every 10 minutes. If Active Discovery is enabled
on several presets that use the same sensor, the job is executed only once to avoid traffic
load. You can also choose which broadcast protocol will be active on the subnetwork.
Active Discovery supports three broadcast protocols: EtherNet/IP (Rockwell), and
Profinet and S7 Discovery (Siemens).
Active Discovery is available on:
■ Cisco Catalyst IE3400 Rugged Series Switches.
■ Cisco Catalyst IE3300 10G Rugged Series Switches.
■ Cisco IC3000 Industrial Compute Gateway.
To use Active Discovery, you must first perform a few configurations:
1. Enable the feature on a sensor, and set the subnetwork to be monitored.
2. Enable Active Discovery on a preset using the sensor set with Active Discovery and
choose which protocols are broadcast on the subnetwork.

To enable Active Discovery on sensors:

1. On Cisco Cyber Vision, navigate to Admin > Sensors.
The sensors list displays.
2. Check the sensors' Active Discovery status:
♦ Unavailable: This sensor model does not support Active Discovery, or the
IOx app is not up-to-date on the device.
♦ Available: The IOx app's version is up-to-date on the device and using
Active Discovery is possible.
♦ Running: The sensor is scanning the network, sending broadcasts at
the moment.
The sensor's Active Discovery status must be Available to continue
the procedure.
3. Click the Active Discovery button.

The Active Discovery configuration window pops up.

4. Set the interface corresponding to a subnetwork monitored by the sensor by filling in
the following information:
■ The subnetwork IP address.
■ The subnet mask.
■ The VLAN.
You can set as many interfaces as there are subnetworks monitored by the sensor.
5. Click Configure.

To enable Active Discovery and set protocol scanning on a preset:

Active Discovery is not available on default presets (under Basics). To use it, you must use
a custom preset (under My Presets) or create a new preset. You can create it from a
default preset.
1. Access or create a custom preset in the Explore menu.

In the example, we use the IE3400 lab preset that we created with the sensor filter
selected, previously configured with Active Discovery.
2. Click the Edit Active Discovery settings button on the top left corner.

The Active Discovery settings window pops up.

3. Use the toggle button to enable Active Discovery.

4. Use the toggle buttons to enable the protocols you want the subnetwork to be
scanned with.

To identify elements detected by Active Discovery:

1. In the criteria area > Activity tags > Network Analysis, select the Active Discovery tag.
All components and activities tagged as Active Discovery, that is, detected thanks to
the feature, display.
Elements found and other related elements detected by Active Discovery in the Map -
Expert view:

Components, activities and sensors detected by Active Discovery are tagged as
Active Discovery.

Components related to Active Discovery scanning in the Component list view:

■ Components discovered thanks to Active Discovery are tagged as Active Discovery.
This is not the case here because these components had already been detected
thanks to passive traffic capture. However, they are shown here because their
activities have been detected through Active Discovery.
■ In passive traffic capture, sensors are often tagged as Engineering Station or Scada
Station, which is incorrect. With Active Discovery, these tags are removed and the
sensor is tagged as Cisco Cyber Vision Sensor.
Activities related to Active Discovery scanning in the Activity list view:

Activities detected by Active Discovery, which is meant to enrich data, are tagged as
Active Discovery and as S7 Discovery, EtherNet/IP or Profinet in addition to other
tags detected by passive traffic capture.
Tip: Register this selection as a preset to be informed about any new Active Discovery
elements found on the subnetwork.
Tip: You can see all Active Discovery effects on the network by consulting the Active
Discovery Activities preset. You will see activities tagged as Active Discovery, the
components involved, and the sensors.

4 Navigating through Cisco Cyber Vision

4.1 General Dashboard
This page is where you land when logging in to Cisco Cyber Vision.
The General Dashboard displays an overview of the industrial network's state and
evolution over the last month.

The navigation bar on the left gives access to all other main pages of Cisco Cyber Vision:

■ Explore (1): This button leads to the overview of all presets (page 59), whether
default or user-configured.
■ Reports (2): This button leads to the Reports page (page 75) to export valuable
information about the industrial network.
■ Events (3): This button leads to the Events page (page 76) which contains graphics
and a calendar of all events generated by Cisco Cyber Vision.
■ Monitor (4): This button leads to the Monitor mode (page 79) to perform and
automate data comparisons of the industrial network.
■ Search (5): This button leads to the search area (page 109) to look for precise data
in the industrial network.

4.2 Explore
The Presets page contains an overview of all presets existing in Cisco Cyber Vision,
whether they are present by default or part of users' customizations. You can access this
page by clicking the Explore button on the left navigation bar.

The top navigation bar (1) allows you to access the different presets (2) and then reach
their different views (page 61).

4.2.1 Vulnerabilities
The vulnerability dashboard gives you a visual representation and a list of the
vulnerabilities (page 37) detected within a preset.
IMPORTANT
It is important to update the Knowledge DB (page 114) in Cisco Cyber Vision as soon as possible
after notification of a new version to be protected against vulnerabilities.

The pie chart presents the 10 most matched vulnerabilities within the preset, that is, the
vulnerabilities that affect the most components. You can click the number of
components detected to see the components affected.
On the right, you'll see a summary of the total number of components that are
vulnerable in the selected preset.
Below, you have a list of all the vulnerabilities found in the preset, with sort icons to sort
data alphabetically or in ascending/descending order, and filter icons which
open a field to type specific data in.
For each vulnerability, the following data are displayed in columns:
■ The vulnerability name
■ Its CVE ID (worldwide unique identifier from the Common Vulnerabilities and Exposures list)
■ Its CVSS score (Common Vulnerability Scoring System)
■ The components affected by the vulnerability

Clicking an element in the lists opens its right side panel (page 71) which leads to more
details about the vulnerability, including its link to the National Vulnerability Database.

4.2.2 Preset views

There are several types of views which relate to different perspectives:
■ The dashboard:
The dashboard (page 62) is a unique view which is displayed by default when
accessing a preset. It offers an overview of data found by the preset. The fact that it's
a tag-oriented view allows you to have a general insight into the network without
going into deep and technical details.
■ Maps:
Maps are visual data views of the industrial network that give you a broad insight into
how components are connected to each other. There are three different maps: the
Expert (page 68), the Simple (page 70) and the Purdue Model (page 70).
■ Lists:
■ Lists:

Lists are views specialized on either components or activities. These views
provide classic but powerful data filtering to match what you are looking for. For
more information, refer to the component and activity lists (page 65).
Views are always structured as shown below:
■ The top navigation bar (1), which allows you to easily switch between the different
views thanks to its menu.
■ The filtering area on the left (2), which allows you to modify and manage the preset
by adapting criteria and registering changes.
■ The view you're on (3), which dynamically evolves as you change criteria.
Example of the Controllers preset on the dashboard view:

4.2.2.1 Dashboard

The dashboard is the default view when opening a preset. It gives you an overview of
the preset's number of components, activities, vulnerabilities, credentials and events.
The dashboard is also a tag-oriented view. It's an overview of all tags found,
independently of the ones set as criteria, with the number of components and activities
found per tag.

Example: For the purpose of the whole example given below, we access the All data
preset, and select the Time Server tag as criteria (under Device - Level 3-4).
Components per tag:
The number in brackets indicates there are 7 components tagged as Time Server (1).
On the dashboard, you see this result accordingly (2).
One component is tagged as SCADA Station (3). This means that one of the Time Servers
is a SCADA Station.
Following this logic, we can say that two of the Time Servers are also PLCs and one Time
Server runs on Windows.

If you want to know more about one of these components, switch to the component list
view (page 65) and reach them using the filter available in the tags column.
Activities per tag:
As for activities, no activity tags are set as criteria in the example below (4). Yet, you
can see that many activities have been found (5).
This is because the dashboard view collects all activities involving the Time Servers
found. These activity tags, especially the important ones in red, can be useful information
to detect an abnormal activity on the controllers of the network.

If you want to know more about one of these activities, switch to the activity list view
(page 65) and reach them using the filter available in the tags column.

4.2.2.2 Component and activity lists

The component and activity lists are two specialized and oriented views. Even though
they are linked and share a large amount of data, components and activities are split into
two different views to facilitate comprehension and visualization of data.
These views provide general information and advanced technical data about each
element found in the preset. Compare the differences between the component and
activity views.
The Controllers preset in the component list view:

The Controllers preset in the activity list view:

Lists are meant to perform an in-depth exploration of the network. Using this type of
view is especially convenient when searching for very specific data. To do so, different
filters are available inside the lists to sort data:
■ The sort icon (1) is to sort data alphabetically or in ascending/descending
order.
■ The filter icon (2) opens a field to type specific data in, or a multiple choice menu
(3) to filter tags.

Clicking an element in the lists opens its right side panel (page 71) which leads to more
advanced data.

4.2.2.3 Maps

Maps are visual representations of the industrial network's data that give you a broad
insight into how components are interconnected. There are three different maps, which
represent data differently and respond to different usages:
The Map - Expert, the Map - Simple and the Purdue Model (from left to right):

Options per map (for more details, refer to the corresponding subsections):

Option                    Map - Expert   Map - Simple           Purdue model
organize manually         Yes            No                     No
self-organizing           No             Yes                    Yes
autolayout                Yes            No                     No
components aggregation    by IP          by IP, MAC, NetBIOS    None

Note
Maps display components and activities according to the criteria set in a preset. Grayed-out
components are displayed because, even though they don't match the preset's criteria, they are
necessary to represent the activities of the preset.


Map - Expert

The Map - Expert is a very detailed view of the assets available per preset. It's a good
starting point to learn how the network is structured. Moreover, you can start organizing
components in a way that makes sense to you by moving the components and creating
groups.

The only rule that drives how components are displayed on this map is IP
aggregation. An aggregation is represented by a component with a black label (1)
displaying the number of aggregated components.
An aggregation of components sharing the same IP:


When you click an aggregation of components on the map, the list of components
sharing the same IP is displayed in a right side panel. Details per component, such as
tags, are available (which is not the case in the Map - Simple view).
As the number of components can quickly overcrowd a map, you can use the
Autolayout button, which automatically organizes the components in the map.
Autolayout is based on an algorithm that takes into account flows, groups, orphan
components and locked groups. The new positions of the components are
automatically saved once the Autolayout is done.
Data before and after performing an Autolayout:


Note
An Autolayout cannot be reversed. If significant effort was done to organize the Map, it is
advisable to back up the database before performing this action.

Map - Simple

The Map - Simple is a condensed and static view of the assets available per preset. It
aims to always provide the most readable map possible.

Compared with the Map - Expert, the Map - Simple seems to display fewer components.
Components which share the same MAC, IP or NetBIOS name are actually aggregated
together. These aggregations are represented in the map by a component with a black
label displaying the number of components sharing the same property.
Unlike in the Map - Expert view, components can't be moved around in the Map -
Simple, because it is a self-organizing map. Assets are redistributed as components
and activities appear or disappear, and as groups are created or deleted. Moreover, the
map automatically adapts over time and when changing preset. This way, the map is
guaranteed to always be well organized, with components never overlapping.

Purdue Model

This map displays the assets of a preset according to the Purdue model architecture.
Components are distributed among the layers by considering their tags. The Purdue
Model view doesn't undergo any aggregation and is self-organizing.


Assets of the preset All Controllers distributed among the layers of the Purdue model:

Components are distributed according to the different layers of the Purdue model:
■ Level 0-1: Process and basic control (IO Modules).
■ Level 2: Area supervisory control (PLCs, SCADA stations).
■ Level 3-4: Manufacturing zone and DMZ (all others).
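The aggregation rules summarized in the options table (Map - Expert by IP, Map - Simple by IP, MAC or NetBIOS name, no aggregation in the Purdue model) and the tag-based Purdue layer assignment above can be illustrated with a short program. The following Python is an added example written for the reader, not Cisco Cyber Vision's own code: the component records, the tag strings used for layer assignment ("IO Module", "PLC", "SCADA Station") and the map keys are constructed assumptions that mirror the descriptions in this section.

```python
from collections import defaultdict
from typing import Dict, List, Optional


class Component:
    """Constructed sample record: the properties the maps aggregate on plus tags."""
    def __init__(self, name: str, ip: Optional[str] = None, mac: Optional[str] = None,
                 netbios: Optional[str] = None, tags: Optional[List[str]] = None):
        self.name = name
        self.ip = ip
        self.mac = mac
        self.netbios = netbios
        self.tags = tags or []


# Properties each map uses to merge components into one aggregation node
# (from the options table; "expert"/"simple"/"purdue" are this example's keys).
AGGREGATION_KEYS = {
    "expert": ("ip",),
    "simple": ("ip", "mac", "netbios"),
    "purdue": (),
}


def aggregate(components: List[Component], map_type: str) -> List[List[str]]:
    """Return the groups of component names that the given map draws as one node.

    Sharing any one of the map's aggregation properties is enough, and the
    relation is transitive (A shares an IP with B, B shares a MAC with C, so
    A, B and C form one aggregation in the Map - Simple). This is union-find
    over the "shares a property" relation.
    """
    parent = {c.name: c.name for c in components}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        parent[find(a)] = find(b)

    # For each property, the first component seen with a value "owns" it;
    # later components with the same value are merged into its set.
    for key in AGGREGATION_KEYS[map_type]:
        owner: Dict[str, str] = {}
        for c in components:
            value = getattr(c, key)
            if value is None:
                continue
            if value in owner:
                union(c.name, owner[value])
            else:
                owner[value] = c.name

    groups: Dict[str, List[str]] = defaultdict(list)
    for c in components:
        groups[find(c.name)].append(c.name)
    # Deterministic output; the black label on the map would show len(group).
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def purdue_level(c: Component) -> str:
    """Place a component in a Purdue layer from its tags, as the page describes:
    IO modules in level 0-1, PLCs and SCADA stations in level 2, all others in
    level 3-4. The tag names are assumptions of this example."""
    tags = set(c.tags)
    if "IO Module" in tags:
        return "Level 0-1"
    if tags & {"PLC", "SCADA Station"}:
        return "Level 2"
    return "Level 3-4"


# Constructed sample inventory for a small cell (not real devices).
SAMPLE = [
    Component("plc-a", ip="10.0.0.10", mac="00:11:22:33:44:01", tags=["PLC", "Controller"]),
    Component("plc-a-eth2", ip="10.0.0.10", mac="00:11:22:33:44:02", tags=["PLC"]),
    Component("hmi-1", ip="10.0.0.20", mac="00:11:22:33:44:02", netbios="HMI1",
              tags=["SCADA Station"]),
    Component("eng-ws", ip="10.0.0.30", netbios="HMI1", tags=["Engineering Station"]),
    Component("io-rack", ip="10.0.0.40", tags=["IO Module"]),
]

if __name__ == "__main__":
    for m in ("expert", "simple", "purdue"):
        print(m, aggregate(SAMPLE, m))
    for c in SAMPLE:
        print(c.name, "->", purdue_level(c))
```

Running it shows why the Map - Simple appears to contain fewer components than the Map - Expert: the same five sample components form four nodes in the Expert map (two share an IP), two nodes in the Simple map (the IP, MAC and NetBIOS overlaps chain four of them together), and five separate nodes in the Purdue model.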

4.2.3 Right side panel


A right side panel is a condensed view of a component's, a group of components' or an
activity's information. This view allows you to quickly scan general information about an
element while keeping an eye on a broader view such as a component list or
a map.


The upper part (1) of the right side panel gives you general information about the
element. If consulting a component, you can edit its name and add it to or remove it from a
group.
The lower part contains a round button (2) which opens the element's technical sheet
(page 72) with all relevant information.
The rectangular buttons below (3) redirect to the corresponding information inside the
technical sheet.
To access a right side panel, you just need to click a component or an activity on a map or
a list.

4.2.3.1 Technical sheets

A technical sheet is an interactive and complete view of all information related to a
component, an activity or a flow. The views differ depending on the type of element
consulted.
A component's technical sheet:


A technical sheet is composed of a top bar and a list of tabs. The upper part (1) recaps
the information found in the right side panel. The rectangular buttons on the right
redirect to the corresponding information inside the technical sheet. In a component's
technical sheet, you can also edit the component's name and add it to or remove it from a
group.
The lower part (2) contains detailed information classified under tabs, which are displayed
or not depending on the element you are consulting:
■ Basics contains an element's properties and tags that are categorized with their
definition.
■ Security contains a component's vulnerabilities you can acknowledge and
credentials.
■ Activity is about an activity's flows and contains a Mini Map which is a view that is
restricted to a component and its activities.
■ Automation is about variable accesses.
Technical sheets are accessible through a component or an activity's right side panel
(page 71). A flow's technical sheet is visible when clicking on a particular flow.
■ More information about properties (page 36).
■ More information about tags (page 33).
■ More information about vulnerabilities (page 37).
■ More information about credentials (page 41).
■ More information about flows (page 28).
■ More information about the Mini Map (page 74).
■ More information about variable accesses (page 43).

Mini Map

The Mini Map is a visual representation restricted to a specific component and its
activities.
This view is accessible through the Activity tab of a component's technical sheet (page 72).

Clicking any element in the Mini Map opens its right side panel (page 71), giving you
access to further information.


4.3 Reports
Reports are exportable files which improve your visibility of valuable information about
your industrial network. Information is collected and categorized according to different
perspectives: components, flows, vulnerabilities and PLCs. Reports can be generated for
a time period you define, as spreadsheets (XLSX) or printable files (HTML, which you
can export to PDF).

Below is the description of the four types of reports available:

■ The inventory report lists and details all components of your industrial network.
They are sorted by group. For each component, information such as the component
name, when it was active for the first and the last time, and the tags that qualify its
activity is given. If available, you will also find technical details such as its MAC and
IP addresses, hardware and firmware versions, serial number and extra
properties.
■ The activity report lists and details all communications exchanged between the
components of your industrial network. They are sorted by group and by direction
(inner, incoming and outgoing communications with regard to a group). Information
provided includes the protocol, the source and destination ports used, and the tags
that qualify the activity.
■ The vulnerability report lists all components detected as vulnerable and gives
further details about vulnerabilities. Vulnerabilities are based on the Knowledge DB
provided by Cisco. So, the more you keep the Knowledge DB up to date, the better
you will be notified about new known vulnerabilities. The report contains
information about the vulnerability, its impact level, its CVSS (Common Vulnerability
Scoring System) and solutions. A vulnerability is often about outdated software
parts. It is strongly recommended to fix outdated states as soon as possible. Links to
manufacturers' websites are provided for this purpose.
■ The PLC report lists all PLCs in your industrial network. For each PLC, the report lists
and details properties, events, programs, program blocks and variable accesses, if
there are any.
All reports generated are displayed in the History section from which you can rename,
download and delete reports.

4.4 Events
Cisco Cyber Vision provides many events (page 40) that are significant for network security,
especially those related to industrial activity (such as New program
downloaded/uploaded, New start/stop CPU command, New init command...). Many
other events are also available, such as events related to vulnerabilities (page 37),
comparison results, sensor activity, etc.
Refer to the events administration page (page 126) in the GUI to see all available events.


The Events page provides two views to give high visibility on these events:
■ The Dashboard (page 77): a visual and continuously-updated view of the current
state of the installation based on the number of events (by severity and over time).
■ The Calendar (page 78): a chronological and continuously-updated view of the
events within which you can search events.

4.4.1 The Dashboard


Events are presented in the Dashboard as doughnut and line charts.
Doughnut charts present event counts and percentages per category and severity.

You can see the list of events per category in the events administration page (page 126).
Clicking a doughnut redirects you to the Calendar (page 78) view, filtered with
the corresponding category and severity, so you can quickly access more event details.
Below, the line chart emphasizes the number of events per severity over time.


Clicking event markers (1) on the line chart lets you see the number of events per
category according to a specific time (2).
Click a category event tab (3) to see events details in the Calendar view by means of the
link "Show in calendar" (4). Events will be filtered with the corresponding category,
severity and event type.

4.4.2 The Calendar


The Calendar is a chronological view in which you can see and search events. Use the
search bar to search events by MAC and IP addresses, component name, destination and
source flow, severity and category.
You can also see events that have happened during the day, week, month and year.

Clicking on a result event will show you details about the event.


When an event is related to a component or an activity, you can jump to its technical
sheet by clicking See technical sheet.
When a Monitor event is generated, the short description includes a link to view the
differences in the Monitor page.

4.5 Monitor

4.5.1 Monitor mode


Cisco Cyber Vision provides a monitoring tool called the Monitor mode to detect changes
inside industrial networks. Because a network architecture (PLC, switch, SCADA) is
constant and its behaviors tend to be stable over time, an established and configured
network is predictable. However, some behaviors are unpredictable and can even
compromise a network's operation and security. The Monitor mode aims to show the
evolution of a network's behaviors, predicted or not, based on presets. Changes, either
normal or abnormal, are noted as differences in the Monitor mode when a behavior
happens. Using the Monitor mode is particularly convenient for large networks as a
preset shows a network fragment and changes are highlighted and managed separately,
in the Monitor mode's views.
Baselines as a preset's normal states
A preset is a set of criteria which aims to show a detailed fragment of a network. To start
monitoring a network, you need to pick a preset and define what its normal, stable
state would be. This represents the preset's baseline.
A state may rely on a period, as a network fragment may be subject to several states.
Hence, it is possible to create several planned, controlled and time-framed baselines per
preset, and to monitor the whole network.
For example, a normal state of the network can be a typical weekday operating mode, in
which numerous processes are performed iteratively. During weekends, these processes
may be slowed down, different, or even stopped. Any network phase can be saved as a
baseline by selecting the time span in which it occurs, and monitored. Other examples of
baselines can be a regular maintenance period, a degraded mode, a weekend and night
mode, and so forth.
A baseline is created for a situation considered as part of a normal operating process in
which all network behaviors (components, activities, properties, tags, variable accesses)
will be taken into account for review.


Review and assignment of differences


A difference is a new or changed behavior happening within a fragment of a network.
Any difference detected is highlighted in the Monitor mode through several views such
as a map, a component list and an activity list. When reviewing them, you can
acknowledge or report them, depending on whether you consider them normal or not,
and on their level of criticality. That is, you can include these changes into your baseline if
they are part of a normal network development process, or take action in case of suspicious
behavior. By doing so, each baseline is refined bit by bit over time and better fits
your needs.

4.5.2 Monitor mode's views


Like in the Explore mode, the Monitor mode offers several views of data so you can see
them through different representations. The difference, though, is that in the Monitor
mode views new and changed detected elements are highlighted in red.
For more information about the views listed below, refer to the Explore chapter.
The map view:
non-aggregated components


The component list view:

The activity list view:


In any view, on the left side, there is:
■ a fixed panel with a summary of the elements that have been detected in the
Monitor mode,
■ the last time this baseline has been checked,
■ the preset it belongs to, along with the list of criteria selected.
You can also modify the baseline settings, and the Explore button redirects you to the
corresponding preset in the Explore mode.

In any view, if you click one of the elements, for example below the activity marked as
new in the activity list, a right side panel opens. It gives you:
■ information about the activity such as the two components it belongs to,
■ the date of the first and the last activity,
■ its tags,
■ buttons to perform several actions (page 84).


Clicking the Show details button opens a window on top with more information; in the
example below, it shows the activity tags with the category they belong to and their
description.

Click the collapse button to return to the initial view.

To go deeper into the analysis, click the Investigate with flows button.

4.5.3 New and changed differences


When a difference is detected, it appears in red in the Monitor mode. There are two
types of differences: new and changed ones. A component, an activity, a tag, a property
and a variable access can appear (new) or evolve (changed). Below are a few
examples of how differences are represented in the Monitor mode:
A new component (plain red) and a changed component (dashed red)


Changed component's properties, with the former crossed out property:

New and changed component and activity tags:

New and changed activity's variable access:

Each difference must be reviewed to identify a potential threat and refine the baseline.
Refer to the section Review differences (page 84).

4.5.4 Review differences


When differences are detected by the Monitor mode, the next step is to review
them to see whether they are a potential threat to the network, and to clear their data of any
red-alarming elements. Several actions are available to help you do so, which
moreover allow you to enrich the current baseline, clean it, or report abnormalities.
These are available at different levels, depending on whether you want to perform a deep
behavior review on a component's or an activity's particulars, or a quick review at a
higher, macro level. Thus, you can perform these actions on tags, properties, variable accesses,
components, activities and baselines.
In any case, any action taken in the Monitor mode generates an event that you can
see on the Events page.


4.5.4.1 Acknowledge differences

Acknowledge in the Monitor mode

"Acknowledge" is an action used to indicate that certain behaviors (differences) are
safe and normal. By performing this action, the difference is included in the baseline.
You can acknowledge differences on any element of the Monitor mode: tags, properties,
variable accesses, components, activities and baselines.
Acknowledge a component or an activity
The button displays simply as "Acknowledge" if the behavior is flagged as changed. However,
if the behavior concerning a component or an activity is flagged as new, an additional
choice is required when clicking the "Acknowledge" button, because a distinction has to be
made according to whether the behavior in question is exceptional or part of an iterative
process.
■ Acknowledge & Include
This action is to be used for a behavior which is part of a normal process and is
meant to happen regularly over time. By using this button, the behavior is
included in the current baseline. If the component or the activity later changes
(for example because a new tag has been detected on it), you will be alerted
through the Monitor mode: it will turn to "changed" and appear dashed and
red. This action is useful to refine a baseline as it evolves over time.
Ex: You can perform this action on a new machine installed in the network, or a new
activity due to a newly supported protocol.
■ Acknowledge & Keep Warning
This action is to be used when a behavior is a one-off and not part of a process. In
this case, such behavior must not be considered abnormal but rather unusual,
with no bad impact on the network. By using this button, the behavior is
acknowledged and therefore cleared, but is not included in the baseline.
Consequently, you'll be notified if it happens again, as a new behavior in the
monitored baseline.
Ex: You can perform this action on a new component and a new activity due to an
exceptional maintenance act.

4.5.4.2 Report differences

This action is to be applied to a difference you consider to be an anomaly, that is, a
behavior that is abnormal and may compromise the operating capability and security of
the network. However, before reporting the anomaly, the first thing to do is to
investigate it and, if possible, to resolve it. In any case, when reporting an anomaly, you
must fill in an incident response or acknowledgment message (the context in which the
incident happened, potential threats, or how it has been fixed). Once an anomaly is
reported, it is cleared and not included in the baseline, and an event is generated with a
default severity level higher than that of the acknowledge action. You will be alerted in the
Monitor mode if the incident occurs again.

4.5.4.3 Remove and keep warning

This action will remove the component or activity from the current baseline. This is to be
used when you consider an element should not appear in a baseline, or you don't want
to see it anymore. However, you will be alerted if the component or activity comes back,
and the difference will appear as new. This action is also available on variable accesses
through Individual acknowledgment (page 86).
Note
If a difference keeps coming back in a baseline and you don't want to see it, you should modify
the preset instead.

4.5.4.4 Individual acknowledgment

Individual acknowledgment is an advanced usage of Cisco Cyber Vision. This feature is
available on changed components and activities, that is, on elements already included in
a baseline. It allows you to access their details to perform a deep behavior review by
acknowledging (page 85) and reporting (page 86) one by one the differences detected on
the network. Thus, individual acknowledgment is available on components' properties
and tags, and on activities' tags and variable accesses.
■ Component properties
New and changed properties display in red. Concerning changed properties, the
former one is crossed out and the new one displays next to it. They will always
display in red, unless you acknowledge them.
■ Component and activity tags
New and changed tags display in red. They will be cleared as you acknowledge or
report them (i.e. they are no longer displayed in red).
■ Activity variable accesses
New and changed variable accesses display in red. A variable access can be
acknowledged, reported, and, in addition to other elements, deleted (i.e. button
"Remove and keep warning"). Deleting a variable access is to be used when you
consider that it should not be part of the current baseline and you don't want to see
it. It will be removed from the baseline and disappear. If, however, the variable
access happens again, you will be alerted and it will display in red.
Once all of a component's or activity's elements are reviewed (i.e. acknowledged, reported, or
removed), the entity they belong to is cleared (the component or activity itself is no
longer displayed in red). Any action performed in the Monitor mode appears on the
Events page.
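The baseline mechanics described across this section (new and changed differences, Acknowledge & Include, Acknowledge & Keep Warning, Report, Remove and keep warning, and individual acknowledgment of a single property or tag) can be illustrated with a small model. The following Python is an added example for the reader, not Cisco Cyber Vision's code: the data structures, function names, severity labels and the component records in the usage scenario are constructed assumptions that mirror the vocabulary of this chapter, and an activity's variable accesses are treated the same way as its tags.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Observed state of a preset: key -> {"properties": {...}, "tags": {...}}.
# Components and activities are treated alike in this assumed model.
Snapshot = Dict[str, dict]


@dataclass
class Baseline:
    elements: Snapshot = field(default_factory=dict)
    # Cleared with "Keep warning" (or removed): not part of the baseline, so the
    # element is flagged as new again if it disappears and later comes back.
    warned: Set[str] = field(default_factory=set)
    # Individually reported (key, kind, name) differences: cleared, not included.
    reported: Set[Tuple[str, str, str]] = field(default_factory=set)
    events: List[Tuple[str, str]] = field(default_factory=list)  # (severity, text)


def diff(b: Baseline, observed: Snapshot) -> Dict[str, dict]:
    """Compare an observation with the baseline. Returns, for each element that
    differs, {"status": "new" | "changed", "details": [(kind, name, old, new)]};
    unchanged and cleared elements are omitted."""
    # A cleared element that went away is forgotten: its return is a new difference.
    b.warned = {k for k in b.warned if k in observed}
    result: Dict[str, dict] = {}
    for key, cur in observed.items():
        if key in b.warned:
            continue
        if key not in b.elements:
            result[key] = {"status": "new", "details": []}
            continue
        ref = b.elements[key]
        details = []
        for name, value in cur["properties"].items():
            old = ref["properties"].get(name)
            if old != value and (key, "property", name) not in b.reported:
                details.append(("property", name, old, value))
        for tag in sorted(cur["tags"] - ref["tags"]):
            if (key, "tag", tag) not in b.reported:
                details.append(("tag", tag, None, tag))
        if details:
            result[key] = {"status": "changed", "details": details}
    return result


def acknowledge_and_include(b: Baseline, observed: Snapshot, key: str) -> None:
    """New, recurring behavior: it joins the baseline, so any later change to
    it is flagged as 'changed'."""
    b.elements[key] = {"properties": dict(observed[key]["properties"]),
                       "tags": set(observed[key]["tags"])}
    b.warned.discard(key)
    b.events.append(("low", f"acknowledged and included {key}"))


def acknowledge_and_keep_warning(b: Baseline, key: str) -> None:
    """One-off behavior: cleared now, but not added to the baseline."""
    b.warned.add(key)
    b.events.append(("low", f"acknowledged {key}, warning kept"))


def remove_and_keep_warning(b: Baseline, key: str) -> None:
    """Drop an element from the baseline; it is 'new' again if it comes back."""
    b.elements.pop(key, None)
    b.warned.add(key)
    b.events.append(("low", f"removed {key} from the baseline"))


def report(b: Baseline, key: str, message: str,
           kind: Optional[str] = None, name: Optional[str] = None) -> None:
    """Anomaly: cleared, never included, and an event of higher severity than an
    acknowledgement is raised with the mandatory incident message. With kind and
    name, only that single property or tag difference is reported."""
    if not message.strip():
        raise ValueError("a report requires an incident message")
    if kind is None:
        b.warned.add(key)
        target = key
    else:
        b.reported.add((key, kind, name))
        target = f"{kind} {name} on {key}"
    b.events.append(("high", f"reported {target}: {message}"))


def acknowledge_difference(b: Baseline, observed: Snapshot, key: str,
                           kind: str, name: str) -> None:
    """Individual acknowledgment: accept one property or tag difference on an
    element already in the baseline by updating the stored value."""
    if kind == "property":
        b.elements[key]["properties"][name] = observed[key]["properties"][name]
    else:
        b.elements[key]["tags"].add(name)
    b.events.append(("low", f"acknowledged {kind} {name} on {key}"))


if __name__ == "__main__":
    # Constructed scenario: a firmware rollback on plc-1 and a newly seen plc-2.
    b = Baseline(elements={"plc-1": {"properties": {"firmware": "2.1"}, "tags": {"Controller"}}})
    seen = {"plc-1": {"properties": {"firmware": "2.0"}, "tags": {"Controller"}},
            "plc-2": {"properties": {"firmware": "2.1"}, "tags": {"Controller"}}}
    print(diff(b, seen))  # plc-1 changed (firmware 2.1 -> 2.0), plc-2 new
    acknowledge_difference(b, seen, "plc-1", "property", "firmware")
    acknowledge_and_include(b, seen, "plc-2")
    print(diff(b, seen))  # {}: every difference has been reviewed
```

The `warned` set captures the distinction the page draws between the two acknowledge buttons: after Acknowledge & Include the element is part of the baseline and only later changes are flagged, whereas after Acknowledge & Keep Warning (or Remove and keep warning) the element is merely silenced while present, so a disappearance followed by a return is reported as new again.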


4.5.4.5 Investigate with flows

This button is not an action but an option to get more information and context about the
differences detected on the network. In fact, since each difference found belongs to a
component or an activity, it is related to a flow. This view allows you to perform forensic
analysis and may give you some clues to understand what happened.
Ex: You can find exactly which flow a tag comes from.

4.5.5 Create a baseline from a default preset


1. Access the Explore page.
2. In Basics, click the preset Essential data.
3. Click the button Add a new baseline from preset.
4. A pop-up appears to invite you to check your new baseline. Click Go check it out.
5. All elements are displayed. Some components and activities may already appear in red as
new or changed.

4.5.6 Create a baseline from a group

To create groups:

1. Access the All data preset.
2. Create two groups of components.
3. Click the Autolayout button.
Example:
We create a group HMI and a group PLC.

To create presets from groups:

1. In criteria, access the groups filter, and select the first of the groups you created.
Example:
We select the HMI group in the filter.
The HMI group displays in the map with its related activities.
2. Create a preset from this view.
3. Click Save as and name the preset HMI.
4. Repeat the previous steps for the PLC group.
5. Go to All Presets. You will see your two new presets.

To create a baseline from presets:

1. Access the HMI preset.
2. Click the button "Add a new baseline from preset".
3. Name it HMI.
4. Repeat the previous steps for the PLC preset.
5. Access the Monitor mode. You will see your two new baselines.

4.5.7 Create a weekend baseline


Create another baseline to monitor the network during weekends.
1. Access the All data preset.
2. Set the period for the weekend. For example, from Friday 5 p.m. to Monday 4 a.m.
3. Click the button "Add a new baseline from preset".
4. Name the baseline "All data weekend" and add the description "Must be active from
Friday 5pm till Monday 4am".

4.5.8 Enable a baseline monitoring


To make the most of the Monitor mode, it is sometimes insightful to create several
baselines per preset. However, only one baseline can be active at a time per preset. This
is because a baseline is to be used to monitor a well-defined network process during a
specific period of time (e.g. baselines Normal operating mode, Maintenance, Week-end,
Night). Two baselines cannot happen at the same time on a preset, and you need to
enable the proper baseline as the network enters a new operating phase. Consequently,
when you enable a baseline on a preset, the active one is automatically disabled.

To enable a baseline:

1. Access the Monitor page.
2. Click the monitored preset settings menu on the preset you want to monitor.
3. Under Monitored baseline, select the baseline you want to enable.
4. Click Ok.
The baseline selected turns green and is enabled.
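The rule that only one baseline is active per preset, together with the time-framed weekend baseline of section 4.5.7 (Friday 5 p.m. to Monday 4 a.m.), can be illustrated with a small scheduler. The following Python is an added example for the reader, not Cisco Cyber Vision code: the product expects you to enable the proper baseline yourself as described above, so `expected_baseline` and `check_active` are assumed helpers an operator could use to verify that the right baseline is enabled at a given time. The weekly-window representation (weekday plus time of day, wrapping past Sunday) and the `BaselineEntry` structure are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

# (weekday, time) pairs; weekday follows datetime.weekday(): Monday=0 ... Sunday=6.
Moment = Tuple[int, time]


@dataclass
class BaselineEntry:
    name: str
    preset: str
    # Optional weekly window [start, end) during which this baseline describes
    # the normal state; None means "default, whenever no window applies".
    window: Optional[Tuple[Moment, Moment]] = None
    enabled: bool = False


def _minute_of_week(weekday: int, t: time) -> int:
    return weekday * 24 * 60 + t.hour * 60 + t.minute


def in_window(b: BaselineEntry, when: datetime) -> bool:
    """True if `when` falls inside the baseline's weekly window. A window such as
    Friday 17:00 -> Monday 04:00 wraps around the end of the week, so it is
    evaluated as two ranges on a minute-of-week scale."""
    if b.window is None:
        return False
    (sd, st), (ed, et) = b.window
    start, end = _minute_of_week(sd, st), _minute_of_week(ed, et)
    now = _minute_of_week(when.weekday(), when.time())
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # wraps past Sunday 23:59


def enable(baselines: List[BaselineEntry], name: str) -> None:
    """Enable one baseline; the previously active baseline of the same preset is
    disabled, because only one baseline can be active per preset."""
    target = next(b for b in baselines if b.name == name)
    for b in baselines:
        if b.preset == target.preset:
            b.enabled = b is target


def expected_baseline(baselines: List[BaselineEntry], preset: str, when: datetime) -> str:
    """Name of the baseline that should be active for a preset at `when`: the
    first windowed baseline matching the time, otherwise the preset's default."""
    candidates = [b for b in baselines if b.preset == preset]
    for b in candidates:
        if in_window(b, when):
            return b.name
    return next(b.name for b in candidates if b.window is None)


def check_active(baselines: List[BaselineEntry], preset: str, when: datetime) -> Optional[str]:
    """Return a warning if the enabled baseline is not the expected one, else None."""
    expected = expected_baseline(baselines, preset, when)
    active = [b.name for b in baselines if b.preset == preset and b.enabled]
    if active == [expected]:
        return None
    return f"preset {preset}: expected {expected!r} to be active, found {active}"


# Constructed sample: the default baseline and the weekend baseline of section 4.5.7.
BASELINES = [
    BaselineEntry("All data", "All data"),
    BaselineEntry("All data weekend", "All data",
                  window=((4, time(17, 0)), (0, time(4, 0)))),  # Friday 5 p.m. -> Monday 4 a.m.
]

if __name__ == "__main__":
    enable(BASELINES, "All data")
    saturday_noon = datetime(2020, 11, 21, 12, 0)
    print(check_active(BASELINES, "All data", saturday_noon))
    enable(BASELINES, "All data weekend")
    print(check_active(BASELINES, "All data", saturday_noon))  # None: correct baseline
```

The wrap-around branch in `in_window` is the part worth noting: a window that starts on Friday and ends on Monday has a start minute greater than its end minute, so the naive `start <= now < end` test would never match and the weekend baseline would never be expected.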

4.5.9 Use cases

4.5.9.1 Detection of assets newly connected to the network

A basic use case in Cisco Cyber Vision is to detect if and when a new piece of equipment connects
to the industrial network being monitored. However, the first thing to do when using
Cisco Cyber Vision is to organize components in an intelligible way. In this use case, we
choose to organize components according to the network's topology, that is, per
production chain. In fact, a network can be divided into several areas, such as several
production chains with different criticality levels, each with a Cisco Cyber Vision Sensor
placed to capture and monitor its traffic. This topology can be reflected in Cisco Cyber
Vision by creating groups which represent a production chain and contain its
components. Concretely, here we intend to detect a new component and its related
activities within a specific area. Thus, it will be possible to see whether a component
connects to this production chain. Its related activities will also be highlighted in the
Monitor mode.
Key Differences: New components and their related activities on the network
Aim: Monitor the production line 2 of the industrial network.
Since a sensor is placed on each production chain, we use the sensor filter to display
each production chain. In our example, the industrial network we're monitoring has 3
production lines on which we have positioned a sensor. We want to see and monitor
what is happening on production line 2. To do so, we access the Preset All data in the
Explore mode and we select the filter SENSOR_Line2 (it is possible to rename sensors to
identify which area of the network they're monitoring) so only traffic captured on
Production Line 2 appears.

What we need to do then, is to organize the components into groups, per function:
■ PLCs in Line 2
■ IT
■ Broadcast
■ Multicast


As a result, we have a filtered and organized view of production chain 2.


Now that the network data is filtered and grouped, we save the selection as a new preset
that we name Line 2.


The preset Line 2 contains components and activities we consider to be interacting in a
normal way, that is, production line 2 is in its normal operating state. We save the preset's
normal state as a baseline that we name Line 2 - Normal State.


We come back later to check Production Line 2. As we access the Explore mode, we
notice that there are 10 components instead of 9. The numbers of activities and events have
increased too. The baseline Line 2 - Normal State reports 3 alerts.


To understand exactly what happened, we access the baseline in the Monitor mode.
The left panel indicates that 1 new component and 2 new activities have been found.
As we click the new component, the right side panel opens with the component's
detailed properties.
As we observe the component's details, we learn that it is in fact a controller, and its
properties look like those we are used to seeing on the network for other
components. After confirming on site, we discover that a new PLC has
been connected to the network to enlarge Production Line 2.


Then, we check that this new component behaves normally by looking at its activities. It
has been identified because it has sent a broadcast packet (probably ARP) and then has
connected to the Weintek machine using a legitimate protocol. Actions like Read variable
accesses look normal too.


Since the component and activities will be part of the normal operating process of
Production Line 2, the differences can be acknowledged and included in the baseline to
be notified if any change occurs.


We return to the Explore mode and add the component into the Line 2 group.
Finally, we access the Events page and see that all previous actions are reported there,
from the detection of a new component and activities on the network to adding the
component into the group Line 2.


4.5.9.2 Tracking sensitive assets' properties

To ensure a network's security, its critical assets need to be monitored closely. Usually,
critical assets are the controllers which ensure the plant's operation. To monitor them, we are
going to check their properties. The properties to keep an eye on are program and
firmware version changes, which might cause malfunctions or even stop a production line.
Preset definition: the preset needs to be defined per group or per set of groups
Key Differences: New properties or changed properties on components
In the Explore mode, we access the Preset All data (1). We group the components per
function (Broadcast, Multicast, Production Line 2) to organize our data. We select the
Controllers component filter (2), so only the components marked with the Controller tag,
their activities and related components display.
Now that the network data is filtered and grouped, we save the selection as a new preset
(3) that we name Controllers.


The preset Controllers contains components and activities we consider to be operating
normally. We save the preset's normal state as a baseline that we name Controllers -
Normal State.


We open the Monitor mode, where the new baseline Controllers - Normal State is displayed.
A few moments later, two alerts are reported in the Controllers preset. We open the
baseline to see what happened.


The left panel reports that one component and one activity have changed within the scope
of the preset.
Clicking the changed component in the map opens a right side panel with more
information. Changes appear in red. The tag indicates that it is a controller. The properties
lldp-description and firmware version have changed, and the former version is crossed
out.


What is notable here is that no activity on the network explains why the SIEMENS
component's firmware version was rolled back. To find out, we meet with the technical
operator in charge of the production line. This person informs us that the latest version
was causing several issues on the network, so a maintenance operator performed a
rollback to resolve them until a fix is released. We conclude that this was a normal
maintenance action and acknowledge the differences.


Once differences are acknowledged, they are considered normal and no longer appear in
red. If a new change happens, such as a version update, the component will appear as
changed again in the Monitor mode.

Events are generated for the behaviors observed on the preset Controllers and for the
actions taken.


4.5.9.2 Detecting changes that impact availability and integrity

The first evidence that a Stuxnet-like attack is probably taking place is Stop CPU orders or
new programs being sent into a controller's memory. A station that starts to send such
content on the network must be detected as soon as possible. This can be done by
monitoring all control system behaviors on the network.
In Cisco Cyber Vision, use the Control System Activities preset, a default preset that
covers all activity tags categorized as Control System Behavior and, consequently, all
related components. The key differences in this use case are new or changed activities.
Component tags and properties give further context to help understand what is
happening on the network.
Preset definition: one preset per activity tag, such as "Control Systems Behaviors".
Key differences: new or changed activities.
To do so, we open the preset Control System Activities (1) and create a baseline from
this preset (2) that we name Control System Activities - Normal State (3).


In the Monitor mode, we can see the baseline of the Control System Activities preset that
we just created. Nothing has happened yet on the preset.


After a few moments, new differences are detected on the preset. The left panel and the
Map help identify what has happened: a new component has an activity that changed
another component, as well as that component's activity with a third one (1).
Clicking the new component (2) opens a right side panel with more information. The tag
Windows indicates that the new component is a Windows machine (3). Below, its
properties are listed and give more information about the machine.


Clicking the new activity between the new machine and the CPU opens its right side
panel, which gives more information about what happened. New tags such as Firmware
Download, Start CPU, Stop CPU, Read and Write Var, which are typical of a Stuxnet-like
attack, indicate the type of actions the new Windows machine has performed on the
CPU.


These elements indicate that this is very likely an attack. We report the issue and start
countering the attack immediately with the security team. If other suspicious changes
occur, the Monitor mode will report them.

4.6 Search
This page lets you search for components with free text. You can search components by
name, custom name, IP, MAC, tag and property value.
Note
Aggregated components aren't available in this page.


Results of a search for "station":

In the example above, 20 components have been found whose name, property values or
tags contain "station".


You can create a preset from your search results (1). Presets created from search
results update automatically as new data is detected on the network.
If you mouse over a component, the button that gives access to its technical sheet (page
72) (2) appears. This view gives you access to advanced data about the component.

4.7 Admin

4.7.1 System

4.7.1.1 Center shutdown/reboot

You can trigger a safe shutdown and reboot of the Center from the System
administration page.
A reboot can be used in case of a minor problem, for instance a system overload.

4.7.1.2 System update

Version releases usually include updates for both the sensors and the Center (i.e.
combined updates). If operating conditions make it possible, you can update the Center
and all its online sensors at once from the user interface, without opening a shell prompt
over SSH.


Note
Combined updates are applied to the Center and all its online sensors. Make sure (by accessing
the sensor administration page) that all your sensors are connected and SSH is authorized
between the Center and the sensors before proceeding to a combined update.

IMPORTANT
Rolling back to an older Cisco Cyber Vision version is not possible.

Requirements:

■ A combined update file.

To verify the file integrity (recommended):

To verify that the file you downloaded is intact, compare its SHA256 checksum with the
one provided by Cisco. A matching checksum shows that the file was neither corrupted in
transit nor altered.
1. Linux users can run the following command at a shell prompt:
sha256sum CiscoCyberVision-<TYPE><VERSION>.<EXT>
2. Compare both checksums.
♦ If both checksums are identical, the file is intact.
♦ If the checksums do not match, download the file again.
♦ If the checksums still do not match after downloading the file again,
contact Cisco support.
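The checksum comparison above, automated as an added example (not from the Cisco guide): the file is hashed in chunks so that a multi-gigabyte update archive never has to fit in memory, the published value can be pasted either as a bare digest or as a line in sha256sum output format, and the digest comparison is constant-time. The file name in the sample checksum line and the temporary sample file are constructed for the example.

```python
"""Verify a downloaded update file against a vendor-published SHA256 digest.

Added example, not part of the Cisco guide. The sample file and the file
name in SAMPLE_PUBLISHED are constructed for the self-test.
"""
import hashlib
import hmac
import os
import re
import tempfile

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_published_checksum(text):
    """Extract the 64-hex-digit SHA256 from a bare digest or a sha256sum line.

    Accepts "abc...", "abc...  file.dat" and "abc... *file.dat" (binary mode).
    Raises ValueError when no valid digest is present.
    """
    parts = text.strip().split()
    first = parts[0] if parts else ""
    if not HEX64.match(first):
        raise ValueError("no 64-character hex SHA256 digest found: %r" % text)
    return first.lower()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file incrementally so that multi-GB update files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sha256(path, published):
    """True only if the file's SHA256 equals the published digest.

    hmac.compare_digest is used out of habit for any integrity comparison:
    it does not leak how many leading characters matched.
    """
    expected = parse_published_checksum(published)
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.encode(), expected.encode())


def write_sample_file(content=b"hello"):
    """Create a temporary stand-in for the update file (constructed sample)."""
    fd, path = tempfile.mkstemp(suffix=".dat")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


# Known SHA256 of the bytes b"hello", in sha256sum output format; stands in
# for the checksum Cisco publishes. The file name is illustrative.
SAMPLE_PUBLISHED = (
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
    "  CiscoCyberVision-update-combined-3.2.0.dat"
)

if __name__ == "__main__":
    sample = write_sample_file()
    print("intact" if verify_sha256(sample, SAMPLE_PUBLISHED) else "MISMATCH: download again")
```

On macOS, where sha256sum may be absent, shasum -a 256 produces the same line format and parse_published_checksum accepts it unchanged.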

To update the Center and all its online sensors:

1. Access the Cisco Cyber Vision user interface.
2. Access System administration > System and use the System update button.
3. Select the update file CiscoCyberVision-update-combined-<VERSION>.dat.
4. Confirm the update.
While the Center and sensor updates proceed, you are redirected to a holding page.
Once the update is finished, the Center and the sensors reboot and you are logged out of
the user interface.
5. Log in again to the user interface.
If some sensors were disconnected when the update occurred, the same procedure can be
repeated as many times as necessary to update all sensors.


4.7.1.3 Syslog configuration

Cisco Cyber Vision provides syslog configuration so that events can be exported (page
126) and used by a SIEM. To configure which machine the syslog messages are sent to:
1. Click Configure.
2. Select a protocol.
3. Enter the IP address of the SIEM, reachable from the Administration network interface
(i.e. eth0) of the Center.
4. Enter the port on the SIEM that receives syslog.
5. Select the syslog format variant:
♦ Standard: event messages are sent in a format specific to Cisco
Cyber Vision, with legacy timestamps (one-second precision).
♦ CEF: industry standard ("Common Event Format") understood by
most SIEM solutions (no extra configuration is needed on the
SIEM). This is the recommended option.
♦ RFC3164: extended syslog header format with microsecond
precision for timestamps.
If you select TCP + TLS connection, an additional "set certificate" button displays to
import a p12 (PKCS#12) file. This file is to be provided by the administrator of your SIEM
solution to secure the communications between the Center and the syslog collector.
Plain UDP or TCP syslog is neither encrypted nor authenticated, so prefer TCP + TLS
whenever the collector supports it.
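Below, as an added example that is not part of this guide or of Cisco's code, is the parser a SIEM side needs for the recommended CEF variant: the header is split on unescaped pipes only, extension values may contain spaces and escaped "=" signs, and a small helper selects events at or above a severity threshold. The sample lines are constructed: their layout follows the public CEF specification, but the vendor and product strings, event class IDs and extension keys are illustrative assumptions, not a description of what Cisco Cyber Vision actually sends.

```python
"""Parse CEF-formatted syslog events the way a SIEM collector does.

Added example, not Cisco's code. SAMPLE_LINES are constructed: the layout
follows the public CEF specification, but the vendor/product strings, event
class IDs and extension keys are illustrative, not what Cyber Vision emits.
"""
import re
from dataclasses import dataclass, field

KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")   # extension key after start/space
HEADER_FIELDS = 7   # Version|Vendor|Product|DeviceVersion|EventClassID|Name|Severity|Ext
_ESCAPES = {"|": "|", "=": "=", "\\": "\\", "n": "\n", "r": "\r"}


@dataclass
class CefEvent:
    syslog_prefix: str
    cef_version: str
    vendor: str
    product: str
    device_version: str
    event_class_id: str
    name: str
    severity: object                 # int 0-10, or a label such as "High"
    extension: dict = field(default_factory=dict)


def _unescape(text):
    """Undo CEF escaping (backslash before pipe, equals, backslash, n, r)."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in _ESCAPES:
            out.append(_ESCAPES[text[i + 1]])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _split_header(body):
    """Split on unescaped '|' only, and only for the 7 header separators."""
    fields, cur, i = [], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):   # keep escape pairs intact
            cur.append(body[i:i + 2])
            i += 2
        elif body[i] == "|" and len(fields) < HEADER_FIELDS:
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(body[i])
            i += 1
    fields.append("".join(cur))                      # extension part (may be empty)
    return fields


def _parse_extension(ext):
    """key=value pairs whose values may contain spaces: cut at the next key."""
    matches = list(KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_cef(line):
    """Parse one syslog line carrying a CEF message; ValueError if malformed."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF header in line")
    fields = _split_header(line[pos + 4:])
    if len(fields) != HEADER_FIELDS + 1:
        raise ValueError("truncated CEF header (%d fields)" % len(fields))
    hdr = [_unescape(f) for f in fields[:HEADER_FIELDS]]
    sev = hdr[6].strip()
    return CefEvent(line[:pos].rstrip(), hdr[0], hdr[1], hdr[2], hdr[3], hdr[4], hdr[5],
                    int(sev) if sev.isdigit() else sev, _parse_extension(fields[7]))


def events_at_or_above(lines, min_severity):
    """Detection helper: events whose numeric severity is >= the threshold."""
    events = [parse_cef(line) for line in lines]
    return [e for e in events if isinstance(e.severity, int) and e.severity >= min_severity]


SAMPLE_LINES = [   # constructed; see module docstring
    "<134>Nov 17 10:00:00 center CEF:0|Cisco|Cyber Vision|3.2.0|100|New component detected|3|"
    "src=10.10.10.5 smac=00:11:22:33:44:55 msg=New component on Production Line 2 rt=1605607200000",
    # escaped pipe in the Name field, escaped '=' inside an extension value
    "<134>Nov 17 10:05:00 center CEF:0|Cisco|Cyber Vision|3.2.0|200|Firmware \\| rollback|7|"
    "dvc=10.10.10.20 msg=property firmware-version changed\\=6.1 cs1=Controllers cs1Label=preset",
]

if __name__ == "__main__":
    for ev in events_at_or_above(SAMPLE_LINES, 5):
        print(ev.event_class_id, ev.name, ev.severity, ev.extension.get("msg"))
```

The split-then-unescape order matters: unescaping the header first would turn an escaped pipe in an event name into a field separator and shift every later field by one.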

4.7.1.4 Import/Export

You can import and export the Cisco Cyber Vision database from the System
administration page.
This can be done on a regular basis to back up the industrial network data held in Cisco
Cyber Vision, or when you need to transfer the database to a different Center.


Exports are limited to 2 GB of data to avoid the side effects of slow database exports. If
the database is larger than 2 GB, you get an error message. In that case, you must
connect to the Center using SSH and perform a data dump with the command
sbs db dump.
Network data, events and users are kept, as well as all customizations (e.g. groups,
component names).
As for configurations, only those made in the Cisco Cyber Vision user interface are kept.
Thus, if you change Center, you will have to perform the basic configuration of the new
Center and then configure Cisco Cyber Vision again (refer to the Center Quickstart
Guide).
Note
An import can take up to one hour for large databases. You can refresh the page from time
to time to check that the import is still progressing normally (i.e. no error message).

4.7.1.5 Knowledge DB

Cisco Cyber Vision uses an internal database which contains the list of recognized
vulnerabilities, icons, threats, etc.
IMPORTANT
Update the Knowledge DB in Cisco Cyber Vision as soon as possible after being notified of
a new version, so that your components are matched against the latest known vulnerabilities.

To update the Knowledge DB:

1. Download the latest knowledge DB file (.db) available.
2. From the Cisco Cyber Vision system administration page, click the Import a knowledge
DB button to upload the file.
Importing the new database rematches your existing components against any new
vulnerabilities and updates the network data.


4.7.1.6 Reset

A Reset to Factory Defaults should be performed carefully with the help of Cisco product
support and be used only as a last resort when all other troubleshooting attempts have
failed. Please read below all implications of taking this action.

Reset to Factory Defaults is to be used as a last resort to clear all existing data from the
Center.
Proceeding to a Reset to Factory Defaults will lead to the deletion of:
■ Some Center configuration data elements.
■ The GUI configuration (such as user accounts, the setup of event severities, etc.).
■ Data collected by the sensors.
■ The configuration of all known sensors (such as IP addresses, capture modes, etc.).
Root password, certificates and configurations from the Basic Center configuration will
be kept.
Once a Reset to Factory Defaults has been performed, the GUI page refreshes with the
Cisco Cyber Vision installation wizard (refer to the Center Quickstart Guide).

4.7.2 Data management

From the system administration page, you can manage the data stored on Cisco Cyber
Vision by clearing data to optimize Center performance.
Clearing data should be performed carefully, with the help of Cisco product support, and
only as a last resort when all other troubleshooting attempts have failed. Please read
below all the implications of clearing all data.


About clearing all data:

Clearing all data is to be used as a last resort in case of database overload issues.
Proceeding to a Reset Data deletes the entire database content. Network data such as
components, flows, events and baselines are deleted from Cisco Cyber Vision, and the
GUI is emptied.
All configurations are preserved. Existing users and user configuration (such as capture
modes, event severity settings, syslog configuration) remain unchanged.

4.7.3 Sensors

4.7.3.1 Managing the sensors

You can manage the sensors and obtain information about them from the sensor
administration page.


First, you need to understand that there are two types of sensors in terms of
configuration: online sensors and offline sensors.
■ When used in online mode, the sensor needs to be installed manually through USB.
To do so, refer to the Cisco Sensor Quickstart Guide.
■ With a sensor in offline mode, traffic is captured on a USB drive. The resulting file is
then imported into Cisco Cyber Vision.
From this page, you can:

■ Deploy an IOx app (this button is disabled if the Cisco Cyber Vision sensor
management extension is not installed).
■ Install a sensor manually.
■ Capture traffic with an offline sensor (page 121).

Note
The information and features presented below are available in the sensors administration
page. What is displayed depends on the sensor type.

Depending on the sensor type, and when available, you will find for each sensor its IP
address, firmware version, status, SSH connection state, capture mode and uptime.
Click a sensor in the list to find additional information, such as the serial number, to
modify the sensor name and to perform other actions.


Sensors status

There are two types of sensor status:

■ The Enrollment status (1), which indicates which step of the enrollment process the
sensor has reached.
■ The Connection status (2), which indicates the state of the network connection
between the sensor and the Center.

Enrollment status:
■ New
This is the sensor's first status when it is detected by the Center. The sensor is asking
the DHCP server for an IP address.
■ Request Pending
The sensor has asked the Center for a certificate and is waiting for authorization to be
enrolled.
■ Authorized
The sensor has just been authorized by the Admin or the Product user. The sensor
remains "Authorized" for only a few seconds before displaying as "Enrolled".
■ Enrolled
The sensor has successfully connected to the Center. It has a certificate and a
private key.
■ Disconnected
The sensor is enrolled but isn't connected to the Center. The sensor may be shut
down or encountering a problem, or there is a problem on the network.


Connection status:
■ Not enrolled
The sensor is not enrolled. The enrollment status is New or Request Pending. The
user must enroll the sensor for it to operate.
■ Normally processing
The sensor is connected to the Center. Data are being sent and processed by the
Center.
■ Waiting for data
The sensor is connected to the Center. The Center has treated all data sent by the
sensor and is waiting for more data.
■ Pending data
The sensor is connected to the Center. The sensor is trying to send data to the Center
but the Center is busy with other data treatment.
■ Disconnected
The sensor is enrolled but the sensor isn't connected to the Center. The sensor may
be shut down, encountering a problem, or there is a problem on the network.

Sensors features

A label (1) indicates that there is no SSH connectivity from the Center to a sensor. While
SSH is down, the Erase, Shutdown, Reboot, Capture mode and Start recording sensor
features are not available. This label is useful for troubleshooting.

Different buttons (2) are available according to the sensor mode:

■ The Remove button takes the sensor off the sensor administration page and removes
its data from the System statistics page. This button is available only when the sensor
is not sending data to the Center (i.e. status Unreachable) or for offline sensors. Use
this action when the sensor and its data are no longer relevant.
■ The Erase button performs a Reset to Factory Defaults of the sensor. The sensor is
removed from the administration page and appears again with the status New.
■ The Shutdown button triggers a clean shutdown of the sensor from the GUI.
Note
After a shutdown, you must switch the sensor back ON directly and manually on the
hardware.
■ The Reboot button can be used to reboot the sensor in case of a malfunction.
■ The Get provisioning package button provides a configuration file to be deployed on
the sensor in case of manual sensor installation (online mode).
■ The Capture Mode button can be used to set a filter on a sensor sending data to the
Center. Refer to the procedure for Setting a capture mode (page 122).
■ The Enable IDS button enables the SNORT engine embedded in some sensors to
analyze traffic using SNORT rules. SNORT rule management is available on the
SNORT administration page.
■ The Start recording sensor button (3) records a capture on the sensor. Recordings can
be used for traffic analysis and may be requested by Cisco support in case of
malfunction.
Note
This feature is meant for short captures only. Long captures may overload the sensor and
cause packet loss.
You can also perform this action from the Capture page:


Capturing traffic with an offline sensor

Note
Only the sensor embedded in an IC3000 can be used as an offline sensor.

Required material:
A USB drive formatted as FAT32 with a large storage capacity.
Note
The metadata written to the USB drive takes up very little space. It is nevertheless
recommended to use a USB drive with a large storage capacity (16 GB minimum): if the
drive fills up, the capture file on it is corrupted.

To capture traffic with a sensor reset to factory defaults:

1. Plug a USB drive into the sensor port marked "Offline".
2. Connect the sensor to the industrial network to be monitored (refer to the Cisco Cyber
Vision Sensor Quickstart Guide).
3. Turn the sensor ON.
The sensor starts capturing traffic.

To finish the traffic capture:

1. Disconnect the sensor from the industrial network.
2. Wait for the sensor to stop operating (10 seconds).
3. Unplug the USB drive from the Offline USB port.

To import an offline capture file to the Center:

1. Plug the USB drive into your computer.
2. Access the sensors administration page of the GUI.
3. Click the Import Offline File button.
The date and time selection menus let you override the capture start date/time of the
imported file when the offline sensor's clock is not reliable (filling these fields is
optional).

Note
The capture start time in the offline capture file name is in UTC,
e.g. offline-data-20171127-123338.dat (i.e. YYYYMMDD-HHMMSS).
So a file name indicating 12:33:38 (UTC) corresponds to 13:33:38 CET (UTC+1).

IMPORTANT
Be careful when completing this step: once the date and time are changed and the
file is imported into the Center, there is no going back. The Center does not allow a
single file to be erased. It is recommended to export the database before importing
an offline capture.
If you leave the date and time unchanged, note that you will need to look for the offline
capture in the GUI Time span using the capture start date and time written in the file
name.
Although you can correct the date and time with this feature, it is preferable to fix the
offline sensor's clock so that you do not have to do this for every capture.
4. Select the .dat file to import.
In the sensor administration page, a new sensor is created for the offline file, with the
status Unknown and No SSH connection.

Note
A new offline capture file is created each time the sensor starts. Thus, you can
make several traffic captures successively at different points of the industrial
network.
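An added example (not from the guide) that turns the file-name convention above into usable timestamps: it parses the UTC start time out of a name such as offline-data-20171127-123338.dat, converts it to a local zone for the GUI time span, and shifts it by a known sensor clock error, which is the correction the date and time fields on the import form let you apply. The CET offset is fixed at UTC+1 with no daylight-saving handling, and the file name and clock-error scenario are constructed.

```python
"""Recover the UTC start time of an offline capture from its file name.

Added example, not part of the guide. The file-name layout
offline-data-YYYYMMDD-HHMMSS.dat is the one the guide shows; the sample
name, the CET offset and the clock-error scenario are constructed here.
"""
import re
from datetime import datetime, timedelta, timezone

NAME_RE = re.compile(r"^offline-data-(\d{8})-(\d{6})\.dat$")
CET = timezone(timedelta(hours=1), "CET")   # fixed UTC+1; no DST handling


def is_offline_capture_name(filename):
    """True for names of the form offline-data-YYYYMMDD-HHMMSS.dat."""
    return NAME_RE.match(filename) is not None


def capture_start_utc(filename):
    """Parse offline-data-20171127-123338.dat into an aware UTC datetime."""
    m = NAME_RE.match(filename)
    if not m:
        raise ValueError("not an offline capture file name: %r" % filename)
    stamp = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    return stamp.replace(tzinfo=timezone.utc)


def capture_start_local(filename, tz=CET):
    """The same instant expressed in the zone you browse the GUI time span in."""
    return capture_start_utc(filename).astimezone(tz)


def corrected_capture_start(filename, sensor_clock_error):
    """Shift the stamp when the sensor clock was wrong.

    sensor_clock_error is (sensor clock - true time): a sensor running two
    hours slow has an error of -2 h, so the true start is two hours later
    than the stamp in the file name.
    """
    return capture_start_utc(filename) - sensor_clock_error


if __name__ == "__main__":
    name = "offline-data-20171127-123338.dat"   # constructed sample
    print(capture_start_utc(name).isoformat(), "->", capture_start_local(name).isoformat())
    print("true start if the sensor ran 2 h slow:",
          corrected_capture_start(name, timedelta(hours=-2)).isoformat())
```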

Setting a capture mode

The Capture mode feature lets you choose which network communications will be
analyzed by the sensors.


The aim is mainly to focus the monitoring on relevant traffic, but also to reduce the load
on the Center.
For example, a common filter, as in a firewall, excludes network-management flows
(SNMP). This can be done with a filter such as "not (port 161 and host 10.10.10.10)",
where 10.10.10.10 is the network-management platform.
Using capture modes, Cisco Cyber Vision performance can be improved on large networks.
Capture modes rely on filters applied on each sensor. Filters define which incoming
packets are analyzed by the sensor. You can set a different filter on each sensor
according to your needs. Keep in mind that filtered-out traffic is never seen by Cisco
Cyber Vision: communications excluded by a filter will not be detected, whether they are
legitimate or not.
You can set the capture mode in the installation wizard when enrolling the sensors during
the Center installation. This option is recommended if you already know which filter to
set. Otherwise, you can change it at any time through the sensors administration page in
the GUI (provided that the SSH connection is allowed from the Center to the sensors).
Note
You can set a capture mode on offline sensors from a file containing the filter, stored on
the USB drive plugged into the Offline USB port of the sensor.
For more information about setting a capture mode on an offline sensor, contact support.

The different capture modes are:

■ ALL: No filter is applied. The sensor analyzes all incoming flows, and all of them are
stored in the Center database.
■ OPTIMAL (default): The applied filter selects the most relevant flows according to
Cisco expertise. Multicast flows are not recorded. This capture mode is
recommended for long-term capture and monitoring.
■ INDUSTRIAL ONLY: The filter selects industrial protocols only (Modbus, S7,
EtherNet/IP, etc.). IT flows on the monitored network are not analyzed by the sensor
and do not appear in the GUI.
■ CUSTOM (advanced users): Use this capture mode to fully customize the filter to be
applied. The filtering rules are written in tcpdump (BPF) syntax.
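To see what a filter such as "not (port 161 and host 10.10.10.10)" actually keeps and drops, here is an added example (not Cisco's code and not the real BPF compiler) that evaluates the small subset of tcpdump syntax used in this section against constructed flow records. Note in the results that the filter drops both the SNMP polls from 10.10.10.10 and the replies back to it, because a bare host or port primitive matches either side of the flow, while it keeps SNMP polls from any other host and keeps traps on port 162 to the management platform. The addresses are illustrative.

```python
"""Evaluate a tcpdump-style (BPF) capture filter against flow records.
Added example, not Cisco's code nor the real BPF compiler: it covers only the
subset in the guide's example (host/port with optional src/dst, tcp/udp/icmp,
and/or/not, parentheses). Flows and addresses below are constructed.
"""
import ipaddress
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto sport dport")   # proto: "tcp"/"udp"/"icmp"
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def _sides(direction, src_hit, dst_hit):
    """BPF semantics: bare host/port matches either side; src/dst pins one side."""
    return {"src": src_hit, "dst": dst_hit}.get(direction, src_hit or dst_hit)


def _host(direction, text):
    addr = ipaddress.ip_address(text)       # ValueError on a malformed address
    return lambda f: _sides(direction, ipaddress.ip_address(f.src) == addr,
                            ipaddress.ip_address(f.dst) == addr)


def _port(direction, text):
    port = int(text)                        # ValueError on a non-numeric port
    return lambda f: _sides(direction, f.sport == port, f.dport == port)


class _Parser:
    """Recursive descent with BPF precedence: or < and < not < primary."""
    def __init__(self, text):
        self.toks, self.pos = TOKEN_RE.findall(text), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1] if self.pos <= len(self.toks) else None
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:         # e.g. "tcp port 80": qualifier unsupported
            raise ValueError("unexpected token %r" % self.peek())
        return node
    def _binary(self, ops, sub, combine):
        node = sub()
        while self.peek() in ops:
            self.take()
            node = combine(node, sub())
        return node
    def parse_or(self):
        return self._binary(("or", "||"), self.parse_and, lambda a, b: lambda f: a(f) or b(f))
    def parse_and(self):
        return self._binary(("and", "&&"), self.parse_not, lambda a, b: lambda f: a(f) and b(f))
    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.parse_not()
            return lambda f: not inner(f)
        return self.parse_primary()
    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "host":
            return _host(direction, self.take())
        if tok == "port":
            return _port(direction, self.take())
        if tok in ("tcp", "udp", "icmp") and direction is None:
            return lambda f, p=tok: f.proto == p
        raise ValueError("unsupported or malformed primitive: %r" % tok)


def compile_filter(text):
    """Return a predicate Flow -> bool; raise ValueError on unsupported syntax."""
    return _Parser(text).parse()


def filter_is_valid(text):
    try:
        return compile_filter(text) is not None
    except (ValueError, TypeError):
        return False


def apply_capture_filter(flows, text):
    """Flows the sensor would still analyze under the given filter."""
    keep = compile_filter(text)
    return [f for f in flows if keep(f)]


# Constructed: 10.10.10.10 is the network-management platform, 10.10.20.5 a PLC.
SAMPLE_FLOWS = [
    Flow("10.10.10.10", "10.10.20.5", "udp", 50123, 161),   # SNMP poll from the NMS
    Flow("10.10.20.5", "10.10.10.10", "udp", 161, 50123),   # the PLC's reply
    Flow("10.10.30.7", "10.10.20.5", "udp", 40001, 161),    # SNMP poll from another host
    Flow("10.10.20.5", "10.10.10.10", "udp", 40002, 162),   # SNMP trap to the NMS
    Flow("10.10.20.1", "10.10.20.5", "tcp", 49152, 502),    # Modbus/TCP
]
GUIDE_FILTER = "not (port 161 and host 10.10.10.10)"
```

Before committing a CUSTOM filter to a sensor, validate it with the real tool: tcpdump -d '<expression>' compiles the expression and prints the BPF program without capturing anything, and it rejects syntax the evaluator above does not cover (such as "tcp port 80" or "net 10.10.0.0/16").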

4.7.4 Users

4.7.4.1 Management

You can create, edit and delete users through the users administration page.


During their creation, each user must be assigned one of the following user roles
(from full rights to read-only):
■ Admin
The Admin user has full rights on the Cisco Cyber Vision platform. Users with this
role oversee all sensitive actions such as user rights management, system updates,
syslog configuration, reset, and capture mode configuration on sensors.
■ Product
The Product user has access to several features of the system administration page
(i.e. the system, sensors and events administration pages). This access level is for
users who manage sensors from a remote location. In addition, they can manage the
severity of events and, if enabled by the Admin user, can manage their export to
syslog.
■ Operator
This access level is for users who use the Monitor mode and manage groups but do
not work with the platform administration. The Operator user thus has access to all
pages except the system administration page.
■ Auditor
This access level provides read-only access to the Explore, Reports, Events and
Search pages. Auditors can use sorting features (such as search bars and filters) that
do not make persistent changes to the Cisco Cyber Vision data (unlike Autolayout),
and generate reports.
You can create as many users as needed, with any user rights; several administrators
can therefore use and administer the whole platform.


However, each user must have their own account. That is:
■ Accounts must be nominative.
■ One email address cannot be shared by several accounts (note that the email
address is requested at login).
Passwords must contain at least 6 characters and comply with the rules below.
Passwords:
♦ Must contain a lower case character: a-z.
♦ Must contain an upper case character: A-Z.
♦ Must contain a numeric character: 0-9.
♦ Cannot contain the user id.
♦ Must contain a special character: ~!"#$%&'()*+,-./:;<=>?@[]^_{|}.

IMPORTANT
Passwords should be changed regularly to ensure the security of the platform and of
the industrial network.

Password lifetime is defined in the Security settings page (page 126).
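The rules above as a checker, added here as an example rather than taken from the product: it returns every rule a candidate password breaks, which is more useful in a provisioning script than a single pass/fail. Two points the text leaves open are treated as assumptions: the user-id check is case-insensitive, and characters outside the printed special-character set (backslash, backtick, space) count as neither special nor forbidden. Treat the six-character minimum as a floor; site policy will normally require more.

```python
"""Check a candidate password against the rules listed in this section.

Added example, not Cisco's code. Encodes the rules as printed. Assumptions
where the text is silent: the user-id check is case-insensitive, and
characters outside the printed special set count as neither special nor
forbidden. Sample passwords in __main__ are constructed.
"""
SPECIAL_CHARACTERS = frozenset("~!\"#$%&'()*+,-./:;<=>?@[]^_{|}")
MIN_LENGTH = 6


def password_violations(password, user_id):
    """Return the list of rules the password breaks; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # Explicit ASCII ranges rather than str.islower() etc., which also accept
    # non-ASCII letters the printed rule does not mention.
    if not any("a" <= c <= "z" for c in password):
        problems.append("no lower case character a-z")
    if not any("A" <= c <= "Z" for c in password):
        problems.append("no upper case character A-Z")
    if not any("0" <= c <= "9" for c in password):
        problems.append("no numeric character 0-9")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        problems.append("no special character from the allowed set")
    if user_id and user_id.lower() in password.lower():   # assumption: case-insensitive
        problems.append("contains the user id")
    return problems


def is_acceptable(password, user_id):
    return not password_violations(password, user_id)


if __name__ == "__main__":
    for pw in ("Abc1!x", "Bob.2020", "abcdefg", "Passw0rd"):   # constructed samples
        print(repr(pw), password_violations(pw, "bob") or "OK")
```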


4.7.4.2 Security settings

From this page you can configure password security settings, such as password lifetime,
the number of authorized login attempts, the number of days before a password can be
reused, etc.

4.7.5 Events
The severity of Events (page 40) can be customized on the events administration page. By
default, changes apply to future events only. However, you can apply the new severities
to past events by enabling Apply to existing events before saving.
IMPORTANT
This action is irreversible and can take several minutes to complete.

Click the Reset button to reset the severities to their defaults.


You can enable or disable the export of events to syslog and their storage in the
database. Both options are active by default. Make sure syslog has been configured
(page 113) before enabling the export.

4.7.6 API

4.7.6.1 Token

Cisco provides a REST API. To use it, you first need to create a token through the API
administration page.
A token is a random secret that authenticates a request to Cisco Cyber Vision to read, or
even modify, the data in the Center through the REST API. For instance, you can request
the latest 10 components detected by Cisco Cyber Vision or create new references.
Requests can be sent by external applications such as a SOC solution. Treat a token like
a password: it grants access to the Center's data and must be stored and transmitted
accordingly.
Note
Best practice: create one token per application, so that you can revoke or expire each
access separately.


Create your first token and enter a name that will help you identify it. For security
reasons, you can also use the status toggle button to disable the token (for example, if
it is meant to be used later and you want to prevent access until then) and set an
expiration time.

Once the token is created, click Show to display it and copy it to the clipboard.

For more information about the REST API, refer to the REST API user documentation
available on cisco.com.


4.7.6.2 Documentation

This page is a simplified API development feature. It contains advanced API
documentation with a list of all available routes and, further down the page under
Models, a list of possible data responses (data type, code values and meaning).
Besides looking up information, this page lets you perform basic tests and call the API by
sending requests such as GET, DELETE and POST. You get real results from the Center
dataset. Specifications about routes are available, such as the route's structure and the
parameters and arguments that can be set. A URL and a curl command are generated and
can be used as they are in a terminal.
For advanced use, however, you must create an application that sends requests to the
API (refer to the REST API documentation).
IMPORTANT
All routes other than GET modify data on the Center. As some actions cannot be reversed,
use DELETE, PATCH, POST and PUT with caution.

Routes are classified by Cisco Cyber Vision element type (activities, baselines,
components, flows, groups, etc.).
The category Groups, which contains all group routes:

To authorize API communications:

1. Access the API Token menu to create and/or copy a token (page 127).
2. Access the API Documentation page and click the Authorize button.
3. Paste the token.
4. Click Authorize.
5. Click Close.

Closed padlock icons are displayed. They indicate that routes are secured and that
authorization to use them is active.

To use a route:

1. Click a route to expand it. In the example, we choose Get activity list.
2. Click Try it out.
3. You can set some parameters. In the example, we set page to 1 and size to 10.
4. Click Execute.
Note
You can only execute one route at a time.
A loading icon appears for a few moments. The response is displayed along with the curl
command, the Request URL and the server response, which you can copy or download.


5. When you are finished, click the Authorize button.
6. Click Logout to clear the token variable, then click Close.

4.7.7 License
You can install a license in Cisco Cyber Vision from the License administration panel.
This section explains how to install a license on the Cisco Cyber Vision Center. To do so,
you select a license (ESSENTIAL or ADVANTAGE) and configure a network path for the
Center to reach the Cisco license server. Then, you create a new token in Cisco Software
Central to proceed with the Center registration.

To set the Cisco Cyber Vision Center's license:

1. Navigate to System Administration > License.
2. Click "edit the Software Subscription Licensing".


3. Toggle the button to select the license type (ESSENTIAL or ADVANTAGE).

Note
This setting can cause additional cost.


To configure the network path to the Cisco license server:

1. Click "edit the Smart Call Home Transport Settings".
2. Select how the Cisco Cyber Vision Center will reach the Cisco Software Central
services.
■ The option Direct is selected by default. It means that the Cisco Cyber Vision Center
has secure access to the Internet and can reach the Cisco Software server over an
encrypted connection.
■ The option HTTP/HTTPS Proxy should be selected if the Cisco Cyber Vision Center
accesses the Internet through a proxy.


To create a token in Cisco Software Central:

1. Access and log in to Cisco Software Central (software.cisco.com).
2. Under License, click Smart Software Licensing.
3. Click the Inventory menu.
4. Click the New Token button.


A Create Registration Token pop-up opens.

5. Fill in the following fields:

■ Description: add a description to identify the Center's owner or purpose.
■ Expire after: the token will expire after the number of days indicated in this field.
■ Max. Number of Uses: the token will expire once the number of uses indicated in this
field has been reached.

6. Click the Create Token button.
The new token appears in the list.


7. Click the blue arrow next to the token name and copy it.


To register the Cisco Cyber Vision Center:

1. In Cisco Cyber Vision, click the Register button.

The Smart Software Licensing Product Registration window opens.

2. Paste the token into the text field and click Register.


The registration status should change to Registered.

The new license is enabled and will operate according to the parameters set.

4.7.8 LDAP settings


Cisco Cyber Vision can delegate user authentication to external services using LDAP
(Lightweight Directory Access Protocol), and in particular to Microsoft Active Directory
services.
You can enable LDAP authentication in the LDAP Settings administration panel.

Configure LDAP:
You must fill in the fields with the following information:
■ the service IP address
■ the service port
■ the user root domain name
■ the group names
User groups available in the external directory will be mapped to the Cisco Cyber Vision
Product, Operator and Auditor user roles. You must type the group names exactly as they
are configured in the remote directory, so they can be retrieved and mapped to user roles.


Because the Admin user role is reserved exclusively for Cisco Cyber Vision internal usage,
this role cannot be mapped to any external user group and is therefore not proposed in the
LDAP settings.

Test LDAP configuration:

After setting up LDAP, test the connection between the Center and the external directory.
In the LDAP binding test window, use a user login and password defined in the external
directory. The Center will attempt to authenticate against the directory server with these
credentials.
In return, you will get either a successful authentication, or a failed one with an error
message.


Login in Cisco Cyber Vision:

When logging into Cisco Cyber Vision, the format of the login determines which base (i.e.
internal or external) is queried:
■ If you use an email address, the Cisco Cyber Vision database is queried.
■ If you use the classic Active Directory format <domain_name>\<user_name> (e.g.
sentryo\john_doe), or a classic LDAP login, then the external directory is used to
authenticate the user.

4.7.9 pxGrid
From this page, you can configure the integration between Cisco Cyber Vision and ISE pxGrid.


To do so, click the Download certificate button to retrieve Cisco Cyber Vision's certificate
authority. Then access ISE and follow the instructions below.
Upload the certificate and enable ISE's trust for Cisco Cyber Vision authentication:

1. Access ISE's Administration > Certificates > Certificate Management > Trusted
Certificates.
2. Click Import.
3. Click Browse and select Cisco Cyber Vision's certificate authority.
4. Tick Trust for authentication within ISE.
5. Click Submit.
Generate a client certificate for Cisco Cyber Vision:


1. Access ISE's Administration > pxGrid Services > Certificates.

2. Fill in the fields as shown below:

Note
The CN field is mandatory because the purpose of the ISE CA is to issue identity
certificates. Ideally you should enter the FQDN of Cisco Cyber Vision, but
since the identity certificate is not used by Cisco Cyber Vision, the CN field value is not
critical.
3. Download the zip, extract it and upload the .p12 to Cisco Cyber Vision by clicking the
Change Certificate button.
4. Fill in the fields.


Optional:
If you do not have a DNS server for your services, you may need to configure a custom host
entry in the Cisco Cyber Vision Center and in ISE so they can communicate.
1. Add a custom host in ISE:
    ssh -c aes256-cbc [email protected]
    configure terminal
    ip host 10.2.3.4 center
    # wait for the application to restart
    end

2. Add a custom host and restart pxgrid-agent in the Cisco Cyber Vision Center:
    ssh [email protected]
    echo "10.2.3.180 ise.corp.sentryo.net" >> /data/etc/hosts

4.7.10 SNORT
Snort is a network intrusion detection system (NIDS) based on a text rules engine. It is
provisioned in some Cisco Cyber Vision sensors, such as the sensor embedded in the IC3000,
but is not activated by default. The Cisco Cyber Vision Center stores the rules and
configuration files, and also intercepts Snort alerts and displays them as events.
To activate the Snort engine in the sensor, use the "Enable IDS" button on the sensors
management page:


The rules and the basic configuration of Snort are packaged in the Cisco Cyber Vision
Knowledge Database (KDB) and managed from the SNORT menu. This package is updated
regularly by Cisco and is refreshed by retrieving the updated KDB from the official
Cisco repository. By default, standard rules are configured; some of them are enabled and
others are disabled.
In the SNORT administration menu, the rules provided by Cisco can be consulted and
enabled or disabled. To simplify usage, rules are grouped into categories so that an entire
category can be enabled or disabled at once. The status button (1) column is used to
enable or disable the corresponding category. All the rules of a category can be consulted
by downloading the set of rules (2).

Categories list:

■ Browser
■ Deleted
■ Experimental-DoS
■ Experimental-Scada
■ Exploit-Kit
■ File
■ Malware-Backdoor
■ Malware-CNC
■ Malware-Other
■ Misc
■ OS-Other
■ OS-Windows
■ Server-Other
■ Server-Webapp
Custom rules can be used to generate specific alerts. To do this, a file must be written
using the same syntax as the base rule files. Snort also provides some help for writing
rules (Snort_rule_infographic.pdf).

A custom rules file can be imported into the Center with the "IMPORT CUSTOM RULES FILE"
button. All custom rules are stored in the Center and can be downloaded for review with
the "DOWNLOAD" button.
The predefined rules available in the categories can be enabled or disabled individually
using the rule signature id (sid). To retrieve the sid, download and consult the category
file; the sid is present at the end of the rule line. When a rule is disabled, a "#" is
added in front of the rule line to comment it out. When a rule is enabled, the "#" in front
of the rule line is removed. The two buttons "DISABLE" and "ENABLE" perform these actions.
When the configuration is done, the rule definitions (standard and custom) can be sent
to the sensors with the "SYNCHRONIZE RULES ON SENSORS" button.


In case of mistake, or to reinitialize the configuration, the "RESET TO DEFAULT" button
can be used. All rule settings will be reset to the default Cisco Cyber Vision
configuration.
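The enable/disable convention described above (a leading "#" comments a rule out, removing it re-enables the rule, and the sid at the end of the line identifies the rule) is simple enough to reproduce offline when reviewing a downloaded category file. The following Python script is an added example, not code from the guide or from Cisco: it lists the state of every rule in a file by sid and rewrites a single rule to enabled or disabled, leaving header and comment lines untouched. The sample rules embedded in it are constructed for illustration and are not part of the Cisco Knowledge Database.

```python
"""Toggle Snort rules by signature id (sid), following the convention used by
the Cisco Cyber Vision SNORT menu: a disabled rule is the same line prefixed
with "#", and enabling removes that prefix.  Added example, not Cisco code."""
import re

# Constructed sample rules file: a category header comment, two enabled rules
# and one disabled rule.  The sids and messages are made up for this example.
SAMPLE_RULES = """\
# Category: Server-Webapp (constructed sample)
alert tcp any any -> any 80 (msg:"SAMPLE webapp probe"; sid:9000001; rev:1;)
# alert tcp any any -> any 502 (msg:"SAMPLE modbus write"; sid:9000002; rev:2;)
alert udp any any -> any 161 (msg:"SAMPLE snmp sweep"; sid:9000003; rev:1;)
"""

# Rule actions recognised at the start of a Snort rule line.
RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
# The sid option sits in the rule's option block, e.g. "sid:9000001;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rule_line(line):
    """Return (sid, enabled, body) for a rule line, or None for non-rule text.

    `body` is the rule without any leading "#", so the caller can re-emit it
    in either state.  Comment lines that are not rules (no action keyword or
    no sid) return None and are never modified."""
    stripped = line.strip()
    enabled = True
    if stripped.startswith("#"):
        stripped = stripped.lstrip("#").strip()
        enabled = False
    action = stripped.split(" ", 1)[0]
    if action not in RULE_ACTIONS:
        return None
    match = SID_RE.search(stripped)
    if not match:
        return None
    return int(match.group(1)), enabled, stripped


def rule_states(text):
    """Map sid -> enabled (True/False) for every rule line in the file."""
    states = {}
    for line in text.splitlines():
        parsed = parse_rule_line(line)
        if parsed is not None:
            sid, enabled, _ = parsed
            states[sid] = enabled
    return states


def set_rule_state(text, sid, enabled):
    """Return a copy of the rules text with rule `sid` enabled or disabled.

    Non-rule lines pass through unchanged.  A sid that is not present raises
    KeyError so that a mistyped sid is not silently ignored."""
    out = []
    found = False
    for line in text.splitlines():
        parsed = parse_rule_line(line)
        if parsed is not None and parsed[0] == sid:
            found = True
            body = parsed[2]
            out.append(body if enabled else "# " + body)
        else:
            out.append(line)
    if not found:
        raise KeyError(f"sid {sid} not found in rules file")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(rule_states(SAMPLE_RULES))
    # Enable the disabled sample rule and show the rewritten file.
    print(set_rule_state(SAMPLE_RULES, 9000002, True))
```

The script only edits the text; the rules still have to be imported or synchronized through the Center for the sensors to pick them up.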

4.7.11 Integrations

4.7.11.1 CTR

Cisco Threat Response leverages an integrated security architecture that automates
integrations across select Cisco Security products. It can help you accelerate key security
operations functions: detection, investigation, and remediation. Filling in and submitting
the fields below activates the sharing of endpoint assets discovered by Cisco Cyber Vision
with Cisco Security Services Exchange (SSE).
The CTR page in Cyber Vision lets you configure the URL of the platform that hosts your
CTR data.

Once saved, this configuration adds a button to investigate IP addresses and
MAC addresses in CTR. Clicking that button opens the configured CTR instance.


4.7.11.2 FMC

The FMC administration page lets you configure a link between Cisco Cyber Vision and
your Firepower Management Center. This connection sends the components discovered by
Cisco Cyber Vision at regular intervals (every 10 seconds). Every 10 seconds, a list of
newly discovered components is sent with the following properties from Cisco Cyber
Vision:
■ Name
■ Id
■ Ip
■ Mac
■ And if they are available:
♦ hw_version
♦ model-ref
♦ serial_number
♦ fw_version
♦ tags
The configuration of this connection consists of adding the IP address of FMC, then
importing a certificate into Cisco Cyber Vision.

In FMC, to download the necessary certificate, navigate to "System", then to
"Integration", and open the "Host Input Client" tab. In the tab, create a new client with
the "Create Client" button. Add the Cisco Cyber Vision Center IP address as host name,
then download the pkcs12 certificate.


Then, in FMC, under the "Policies" menu, "Application Detectors", add a new Product Map
with the "Create Product Map Set" button. Create the new Product Map with the exact
name and case as presented below:

The created hosts can be consulted in FMC, menu "Analysis", tab "Hosts – Network
Map":

4.7.11.3 FTD

The FTD administration page lets you connect Cisco Cyber Vision with your Firepower
Threat Defense. It allows the sessions associated with anomalies detected by Monitor mode
and with Snort events to be killed automatically: the corresponding session found in FTD
is killed.
Every 10 seconds, Cisco Cyber Vision browses the new Monitor and SNORT events and
sends the corresponding action to the firewall. To enable this functionality, the user
needs to add the following parameters in the FTD administration page:

■ IP address of the firewall
■ Login: admin login; an SSH connection will be established between the Center and the
firewall
■ Password: corresponding password
■ Hostname: the name of the device, by default "firepower"
Two options are available: kill sessions from Monitor difference detection events and kill
sessions from Snort events.

4.7.12 Extensions
From this page, you can manage Cyber Vision Extensions. Extensions are optional add-
ons to Cyber Vision Center which provide more features, such as the management of
new device types, additional detection engines, or integrations with external services.


4.8 System statistics


To access system statistics click the System statistics button on the top right corner of
Cisco Cyber Vision.

4.8.1 Center
The Center statistics view provides data about the state of the Center CPU, RAM, disk,
network interfaces bandwidth and database.
Note
Most data presented below evolve as you select a different period of time.


At the top of the page, you will find general information about the Center: the software
version, the length of time it has been operating (i.e. uptime), the Center system date,
and whether DHCP is enabled or not.
The button on the right generates a diagnostic file about the Center that Cisco product
support may request in case of trouble.

System health:

The system health gives you the state of the Center CPU, RAM and disk usage.
Usages (i.e. minimum, maximum and average) are indicated for each of these system
resources while the absolute value is shown in a tooltip if you mouse over the line chart.
Below, you have the percentage of the system's current usage. Also, there is an indicative
hardware score which is useful to Cisco product support.
The Compute Scores button initiates a new performance measure to compute a new
score.

Network interfaces bandwidth:

The line charts represent the Administration and Collection network interfaces
bandwidth with the number of bytes received and sent by the Center per second.
For example, the Collection network interface activity lets you see the amount of data
exchanged between the Center and the sensors.

Disk I/O:

The line chart represents the Center hard disk usage with the number of bytes read and
written per second.

Database:

This section describes the database state by showing cards with the number of flows,
components and variables that have been detected by Cisco Cyber Vision. The flows
distribution is shown in a pie chart.
Data is updated each time you access the Center statistics view (the time of the latest
count is indicated on top of the database section). The Get Count button refreshes the
database counts to the current time.


The flows card indicates the total number of flows (i.e. broadcast, multicast and unicast
flows stored in the database) detected by Cisco Cyber Vision. If you mouse over the
card, you will get the number of activities and the trend in the number of flows. This
information enables you to anticipate how the system load might be affected by flows in
the future.

The variables card indicates the total number of variables detected by Cisco Cyber Vision.
This indicator is important because an excessive number of variables could impact Cisco
Cyber Vision performance. If you mouse over the card, you will get the number of process
variables and the number of system variables.
■ Process variables are the number of variables used by PLCs' software. Process
variables are visible in the Monitor mode of the Cisco Cyber Vision GUI.
■ System variables are the number of variables necessary to PLCs' proper operation.
System variables are stored in the Cisco Cyber Vision database.

The flows distribution pie chart indicates the distribution of broadcast, multicast and
unicast flows stored in the database. Mouse over the chart to see the absolute number
of flows per flow type.

4.8.2 Sensors
The sensors statistics view provides data about the CPU, RAM, disk, network interfaces
bandwidth and packets captured for each sensor enrolled in Cisco Cyber Vision.


Note
Most data presented below evolve as you select a different period of time.

On the left you have a list of the sensors (only one sensor is represented here). Click on a
sensor name to access its statistics.
On top of the sensors statistics view you will find general information about the sensor:
its status (i.e. Connected), its serial number, its IP and MAC addresses, its firmware
version, the capture mode set and the time it has been operating (i.e. uptime).
The button on the right generates a diagnostic file about the sensor that is sometimes
requested by the Cisco product support in case of trouble.

System health:
The system health gives you the state of the sensor CPU, RAM and disk usage.
Usages (i.e. minimum, maximum and average) are indicated for each of these system
resources, while the absolute value is shown in a tooltip if you mouse over the line chart.

Below, you have the percentage of the system's current usage. There is also an indicative
hardware score which is useful to Cisco product support.

Packets captured:


This line chart represents the number of packets that the sensor captures on the
Industrial network interface (in bytes per second). Dropped packets are also represented,
but the value should stay at zero. If the dropped line shows activity, then the sensor is
overloaded and is not capturing traffic correctly.

Network interfaces bandwidth:

The line charts represent the Collection and the Industrial network interfaces bandwidth
with the number of bytes received and sent by the Center per second.
■ The Collection network interface activity chart lets you see the amount of data
exchanged between the Center and the sensors.
■ The Industrial ones let you see the amount of data captured by the sensor on the
industrial network through each port pair.
Data sent to the industrial network is also represented, but the value should stay at
zero. If the transmitted line shows activity, then the sensor is no longer passive. If
this situation happens, please contact Cisco support immediately.

Disk I/O:


The line chart represents the sensor hard disk usage with the number of bytes read and
written per second.

4.9 My settings
You can set up your personal account by clicking Settings in the user menu on the top
right corner of Cisco Cyber Vision.

From this page, you can:


■ Modify your first and last name.
■ Change the interface language. Cisco Cyber Vision is available in English, French and
German.
■ Restore interface notifications.
■ Change your password.
Passwords must contain at least 6 characters and comply with the rules below.
Passwords:
♦ Must contain a lower case character: a-z.
♦ Must contain an upper case character: A-Z.
♦ Must contain a numeric character: 0-9.
♦ Cannot contain the user id.
♦ Must contain a special character: ~!"#$%&'()*+,-./:;<=>?@[]^_{|}.

IMPORTANT

Passwords should be changed regularly to ensure the security of the platform and the
industrial network.

Note
Your email will be requested for login access.
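The password rules above can be checked locally before a password is submitted, which is useful when scripting account provisioning or auditing a password policy. The following Python function is an added example, not code from the guide or from Cisco: it reports every rule a candidate password breaks rather than just a yes/no. The special-character set is the one listed on the page (the page's typographic quote is read as a plain apostrophe), and the "cannot contain the user id" rule is assumed to mean a case-insensitive substring match, since the guide does not say how it is evaluated.

```python
"""Check a candidate password against the Cisco Cyber Vision My settings rules.
Added example; the special-character set is copied from the guide and the
user-id check is assumed to be a case-insensitive substring test."""
import re

MIN_LENGTH = 6
# Special characters as listed in the guide: ~!"#$%&'()*+,-./:;<=>?@[]^_{|}
SPECIAL_CHARS = frozenset('~!"#$%&\'()*+,-./:;<=>?@[]^_{|}')


def password_violations(password, user_id):
    """Return the list of rules the password breaks; an empty list means it
    satisfies every rule the guide lists."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        violations.append("no lower case character")
    if not re.search(r"[A-Z]", password):
        violations.append("no upper case character")
    if not re.search(r"[0-9]", password):
        violations.append("no numeric character")
    if not any(ch in SPECIAL_CHARS for ch in password):
        violations.append("no special character")
    # Assumption: the user id must not appear anywhere in the password,
    # regardless of case (the guide only says "cannot contain the user id").
    if user_id and user_id.lower() in password.lower():
        violations.append("contains the user id")
    return violations


def is_acceptable(password, user_id):
    """True when the password breaks none of the listed rules."""
    return not password_violations(password, user_id)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("Tr0ub4dor!x", "password", "Jdoe#2024", "Ab1!"):
        print(candidate, password_violations(candidate, "jdoe"))
```

Reporting every violation at once, instead of stopping at the first, lets an operator fix a rejected password in a single round trip.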
