Configuring External Alerting
While the FireSIGHT System provides various views of events within the web interface, you may want to configure external event notification to facilitate constant monitoring of critical systems. You can configure the FireSIGHT System to generate alerts that notify you via email, SNMP trap, or syslog when one of the following is generated:
- an intrusion event with a specific impact flag
- a specific type of discovery event
- a network-based malware event or retrospective malware event
- a correlation event, triggered by a specific correlation policy violation
- a connection event, triggered by a specific access control rule
- a specific status change for a module in a health policy
To have the system send these alerts, you must first create an alert response, which is a set of configurations that allows the FireSIGHT System to interact with the external system where you plan to send the alert. Those configurations may specify, for example, an email relay host, SNMP alerting parameters, or syslog facilities and priorities.
After you create the alert response, you associate it with the event that you want to use to trigger the alert. Note that the process for associating alert responses with events is different depending on the type of event:
- You associate alert responses with impact flags, discovery events, and malware events using their own configuration pages.
- You associate correlation events with alert responses (and remediation responses; see Creating Remediations) in your correlation policies.
- You associate SNMP and syslog alert responses with logged connections using access control rules and policies. Email alerting is not supported for logged connections.
- You associate alert responses with health module status changes using the health monitor.
There is another type of alerting you can perform in the FireSIGHT System, which is to configure email, SNMP, and syslog intrusion event notifications for individual intrusion events, regardless of impact flag. You configure these notifications in intrusion policies; see Configuring External Alerting for Intrusion Rules and Adding SNMP Alerts. The following table explains the licenses you must have to generate alerts.
Working with Alert Responses
The first step in configuring external alerting is to create an alert response, which is a set of configurations that allows the FireSIGHT System to interact with the external system where you plan to send the alert. You can create alert responses to send alerts via email, a simple network management protocol (SNMP) trap, or a system log (syslog).
The information you receive in an alert depends on the type of event that triggered the alert. For example, an impact flag alert contains timestamp, intrusion rule, impact flag, and event description information. As another example, discovery event alerts also contain timestamp and description information, as well as discovery event type information.
If you are using an alert response in a correlation policy, the information in the alert depends on the type of event that triggered the correlation policy violation.
Note If you configure an alert as a response to a correlation rule that contains a connection tracker, the alert information you receive is the same as that for alerts on traffic profile changes, even if the correlation rule itself is based on a different kind of event.
When you create an alert response, it is automatically enabled. Only enabled alert responses can generate alerts. To stop alerts from being generated, you can temporarily disable alert responses rather than deleting your configurations.
You manage alert responses on the Alerts page (Policies > Actions > Alerts). The slider next to each alert response indicates whether it is active; only enabled alert responses can generate alerts. The page also indicates whether the alert response is being used in a configuration, for example, to log connections in an access control rule. You can sort alert responses by name, type, in-use status, and enabled/disabled status by clicking the appropriate column header; click the column header again to reverse the sort.
- Creating an Email Alert Response
- Creating an SNMP Alert Response
- Creating a Syslog Alert Response
- Modifying an Alert Response
- Deleting an Alert Response
- Enabling and Disabling Alert Responses
Creating an Email Alert Response
Note that you cannot perform email alerting on logged connections in an access control policy.
Before you create an email alert response, make sure that the Defense Center can reverse-resolve its own IP address; many mail relays reject or delay messages from a sender whose IP address has no PTR record. You should also configure your mail relay host as described in Configuring a Mail Relay Host and Notification Address.
To create an email alert response:
Step 1 Select Policies > Actions > Alerts.
Step 2 From the Create Alert drop-down menu, select Create Email Alert.
The Create Email Alert Configuration pop-up window appears.
Step 3 In the Name field, type the name you want to use to identify the alert response.
Step 4 In the To field, type the email addresses where you want to send alerts.
Separate email addresses with commas.
Step 5 In the From field, type the email address that you want to appear as the sender of the alert.
Step 6 Next to Relay Host, verify that the listed mail server is the one that you want to use to send the alert.
To change the server, or if you have not yet configured a relay host, click the edit icon to display the System Policy page in a pop-up window, then follow the directions in Configuring a Mail Relay Host and Notification Address. You must apply the system policy after you edit it for your changes to take effect.
Step 7 Click Save.
The alert response is saved and is automatically enabled.
Creating an SNMP Alert Response
You can create SNMP alert responses using SNMPv1, SNMPv2, or SNMPv3.
Note When selecting SNMP versions for the SNMP protocol, note that SNMPv2 only supports read-only communities and SNMPv3 only supports read-only users. SNMPv3 also supports encryption with AES128.
Note If you want to monitor 64-bit values with SNMP, you must use SNMPv2 or SNMPv3. SNMPv1 does not support 64-bit monitoring.
If your network management system requires the Defense Center's management information base (MIB) file, you can obtain it at /etc/sf/DCEALERT.MIB.
To create an SNMP alert response:
Step 1 Select Policies > Actions > Alerts.
Step 2 From the Create Alert drop-down menu, select Create SNMP Alert.
The Create SNMP Alert Configuration pop-up window appears.
Step 3 In the Name field, type the name that you want to use to identify the SNMP response.
Step 4 In the Trap Server field, type the hostname or IP address of the SNMP trap server, using alphanumeric characters.
Note that the system does not warn you if you enter an invalid IPv4 address (such as 192.169.1.456) in this field. Instead, the invalid address is treated as a hostname, so check the value before you save.
Step 5 From the Version drop-down list, select the SNMP version you want to use.
SNMP v3 is the default. If you select SNMP v1 or SNMP v2, different options appear.
Step 6 Which version of SNMP did you select?
- For SNMP v1 or SNMP v2, type the SNMP community name, using alphanumeric characters or the special characters * or $, in the Community String field and skip to step 12.
- For SNMP v3, continue with the next step.
Note SNMPv2 only supports read-only communities. SNMPv3 only supports read-only users, and also supports encryption with AES128.
Step 7 From the Authentication Protocol drop-down list, select the protocol you want to use for authentication.
Step 8 In the Authentication Password field, type the password required for authentication with the SNMP server.
Step 9 From the Privacy Protocol list, select None to use no privacy protocol or DES to use Data Encryption Standard as the privacy protocol.
Selecting None sends the trap contents in cleartext, and DES is considered cryptographically weak today; where your software version and your trap receiver support AES128 (see the note above), prefer it.
Step 10 In the Privacy Password field, type the privacy password required by the SNMP server.
Step 11 In the Engine ID field, type an identifier for the SNMP engine, in hexadecimal notation, using an even number of digits.
When you use SNMPv3, the system uses an Engine ID value to encode the message. Your SNMP server requires this value to decode the message.
Cisco recommends that you use the hexadecimal version of the Defense Center's IP address, two hexadecimal digits per octet. For example, if the Defense Center has an IP address of 10.1.1.77, use 0a01014d.
Step 12 Click Save.
The alert response is saved and is automatically enabled.
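The following is an added pre-flight check (example code, not part of the FireSIGHT documentation or product) for two input pitfalls in the procedure above, which also apply to the Host field of a syslog alert response: a malformed IPv4 address typed into a host field is silently accepted as a hostname, and the SNMPv3 Engine ID must be an even number of hexadecimal digits, for which the hex form of the Defense Center's IPv4 address is recommended. The hostname rules used are the standard RFC 1123 label rules, an assumption about what the appliance accepts; the sample values are constructed.

```python
"""Pre-flight checks for alert response host and Engine ID fields.

Added example; not code from the FireSIGHT documentation or product.
It reproduces two constraints the guide states: a malformed IPv4 address
such as 192.169.1.456 typed into the Trap Server (or syslog Host) field is
silently accepted as a hostname, and the SNMPv3 Engine ID must be an even
number of hexadecimal digits, for which Cisco recommends the hex form of
the Defense Center's IPv4 address. Run it on a value before pasting the
value into the web interface.
"""
import ipaddress
import re

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 characters,
# not starting or ending with a hyphen (assumed to match what the form wants).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Anything shaped like a dotted quad, valid or not.
_DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def classify_host(value: str) -> str:
    """Return 'ipv4', 'ipv6', 'hostname' or 'invalid' for a host field value.

    A string shaped like a dotted quad with an out-of-range octet is
    reported as 'invalid'; the appliance's form would treat it as a
    hostname without warning.
    """
    value = value.strip()
    if not value or len(value) > 253:
        return "invalid"
    try:
        return "ipv4" if ipaddress.ip_address(value).version == 4 else "ipv6"
    except ValueError:
        pass
    if _DOTTED_QUAD.match(value):
        return "invalid"  # looks numeric, but is not a legal IPv4 address
    labels = value.rstrip(".").split(".")
    return "hostname" if all(_LABEL.match(label) for label in labels) else "invalid"


def engine_id_from_ipv4(ip: str) -> str:
    """Hex-encode an IPv4 address as recommended for the Engine ID field:
    two hex digits per octet, so 10.1.1.77 becomes '0a01014d'."""
    return ipaddress.IPv4Address(ip).packed.hex()  # ValueError on bad input


def validate_engine_id(engine_id: str) -> bool:
    """Enforce the field's stated constraints: hexadecimal digits only and
    an even number of them (one byte per digit pair)."""
    return bool(_HEX.match(engine_id)) and len(engine_id) % 2 == 0


if __name__ == "__main__":
    # Constructed sample inputs, including the guide's own bad-address example.
    for candidate in ("192.169.1.456", "192.168.1.10", "trap.example.com"):
        print(f"{candidate!r:>20} -> {classify_host(candidate)}")
    eid = engine_id_from_ipv4("10.1.1.77")
    print(f"engine id for 10.1.1.77: {eid} (valid: {validate_engine_id(eid)})")
    print(f"'0a01014D0' valid: {validate_engine_id('0a01014D0')}")
```

The nine-digit string 0a01014D0 fails the check because it has an odd number of digits, which is exactly the kind of slip the Engine ID field's even-digit rule exists to catch.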
Creating a Syslog Alert Response
When configuring a syslog alert response, you can specify the severity and facility associated with the syslog messages to ensure that they are processed properly by the syslog server. The facility indicates the subsystem that creates the message and the severity defines the importance of the message. Facilities and severities are not displayed in the text of the message that appears in the syslog; they are carried in the message's priority header and are used by the system that receives the syslog message to decide how to categorize it.
Tip For more detailed information about how syslog works and how to configure it, refer to the documentation for your system. On UNIX systems, the man pages for syslog and syslog.conf provide conceptual information and configuration instructions.
Although you can select any type of facility when creating a syslog alert response, you should select one that makes sense based on your syslog server; not all syslog servers support all facilities. For UNIX syslog servers, the syslog.conf file should indicate which facilities are saved to which log files on the server.
The following table lists the syslog facilities you can select.
The following table lists the standard syslog severity levels you can select.
Before you start sending syslog alerts, make sure that the syslog server can accept remote messages.
To create a syslog alert response:
Step 1 Select Policies > Actions > Alerts.
The Alerts page appears.
Step 2 From the Create Alert drop-down menu, select Create Syslog Alert.
The Create Syslog Alert Configuration pop-up window appears.
Step 3 In the Name field, type the name you want to use to identify the saved response.
Step 4 In the Host field, type the hostname or IP address of your syslog server.
Note that the system does not warn you if you enter an invalid IPv4 address (such as 192.168.1.456) in this field. Instead, the invalid address is treated as a hostname.
Step 5 In the Port field, type the port the server uses for syslog messages.
By default, this value is 514. Classic syslog on this port provides no authentication or encryption of its own, so alert content is readable and spoofable on the network path; keep the path to the syslog server trusted.
Step 6 From the Facility list, select a facility.
See the Available Syslog Facilities table for a list of the available facilities.
Step 7 From the Severity list, select a severity.
See the Syslog Severity Levels table for a list of the available severities.
Step 8 In the Tag field, type the tag name that you want to appear with the syslog message.
Use only alphanumeric characters in tag names. You cannot use spaces or underscores.
As an example, if you wanted all messages sent to the syslog to be preceded with FromDC, type FromDC in the field.
Step 9 Click Save.
The alert response is saved and is automatically enabled.
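As an added example (not code from the FireSIGHT documentation or product), the following shows how the facility and severity chosen above travel with a syslog alert and how a receiving collector recovers them. In RFC 3164 syslog the two values are packed into a single priority number, PRI = facility * 8 + severity, in angle brackets at the start of the line, followed by the timestamp, the host and the configured tag. The facility numbers used are the standard RFC 3164 codes, an assumption about the appliance's table (its menu may list names not covered here); the sample line is constructed, not captured from an appliance.

```python
"""Encode and decode the priority carried by a syslog alert.

Added example; not code from the FireSIGHT documentation or product. The
guide notes that the facility and severity chosen for a syslog alert
response are not shown in the message text but tell the receiving server
how to categorize the message. In RFC 3164 syslog they are packed into one
number, PRI = facility * 8 + severity, inside angle brackets at the start
of the line, followed by the timestamp, host and the configured tag.
Facility numbers below are the standard RFC 3164 codes (an assumption: the
appliance's menu may list additional names not covered here). The sample
line is constructed for illustration and is not real appliance output.
"""
import re
from dataclasses import dataclass

FACILITIES = {
    "KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4, "SYSLOG": 5,
    "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9, "AUTHPRIV": 10, "FTP": 11,
    "LOCAL0": 16, "LOCAL1": 17, "LOCAL2": 18, "LOCAL3": 19,
    "LOCAL4": 20, "LOCAL5": 21, "LOCAL6": 22, "LOCAL7": 23,
}
SEVERITIES = {
    "EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
    "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7,
}
_FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
_SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# <PRI>Mmm dd hh:mm:ss host TAG: text   (RFC 3164 layout)
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[A-Za-z0-9]+): (?P<text>.*)$"
)


def encode_pri(facility: str, severity: str) -> int:
    """PRI for a facility/severity pair, e.g. LOCAL4 + ALERT -> 161."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> tuple:
    """Recover (facility, severity) names from a PRI value."""
    if not 0 <= pri <= 191 or pri // 8 not in _FACILITY_NAMES:
        raise ValueError(f"unsupported PRI: {pri}")
    return _FACILITY_NAMES[pri // 8], _SEVERITY_NAMES[pri % 8]


def build_message(facility, severity, tag, timestamp, host, text) -> str:
    """Assemble a line as a sender would, enforcing the tag rule from the
    guide (alphanumeric only, no spaces or underscores)."""
    if not re.fullmatch(r"[A-Za-z0-9]+", tag):
        raise ValueError("tag must be alphanumeric, without spaces or underscores")
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} {tag}: {text}"


@dataclass
class SyslogAlert:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    text: str


def parse_message(line: str) -> SyslogAlert:
    """Receiver side: decode PRI and split the tag (e.g. FromDC) off the
    message so a collector rule can route on facility, severity or tag."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    facility, severity = decode_pri(int(m["pri"]))
    return SyslogAlert(facility, severity, m["ts"], m["host"], m["tag"], m["text"])


# Constructed sample, not captured from an appliance.
SAMPLE_LINE = build_message("LOCAL4", "ALERT", "FromDC",
                            "Oct  5 14:02:11", "dc01", "impact flag 1 intrusion event")

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(parse_message(SAMPLE_LINE))
```

Because the facility and severity are only recoverable from the PRI number, a collector that strips or rewrites the header loses the categorization you configured; the parser above is the place to assert that the expected facility (here LOCAL4) actually arrives.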
Modifying an Alert Response
For most types of alerting, if an alert response is enabled and in use, changes to the alert response take effect immediately. However, for alert responses used in access control rules to log connection events, changes do not take effect until you reapply the access control policy.
Step 1 Select Policies > Actions > Alerts.
Step 2 Next to the alert response you want to edit, click the edit icon.
A configuration pop-up window for that alert response appears.
Step 3 Make changes as needed.
Step 4 Click Save.
Deleting an Alert Response
You can delete any alert response that is not in use.
Step 1 Select Policies > Actions > Alerts.
Step 2 Next to the alert response you want to delete, click the delete icon.
Step 3 Confirm that you want to delete the alert response.
The alert response is deleted.
Enabling and Disabling Alert Responses
Only enabled alert responses can generate alerts. To stop alerts from being generated, you can temporarily disable alert responses rather than deleting your configurations. Note that if an alert response is in use when you disable it, it is still considered in use even though it is disabled.
To enable or disable an alert response:
Step 1 Select Policies > Actions > Alerts.
Step 2 Next to the alert response you want to enable or disable, click the enable/disable slider.
If the alert response was enabled, it is disabled. If it was disabled, it is enabled.
Configuring Impact Flag Alerting
You can configure the system to alert you whenever an intrusion event with a specific impact flag occurs. Impact flags help you evaluate the impact an intrusion has on your network by correlating intrusion data, network discovery data, and vulnerability information. For more information, see Using Impact Levels to Evaluate Events.
To configure impact flag alerting:
Step 1 Select Policies > Actions > Alerts, then select the Impact Flag Alerts tab.
The Impact Flag Alerts page appears.
Step 2 In the Alerts section, select the alert response you want to use for each alert type.
To create a new alert response, select New from any drop-down list. For more information, see Working with Alert Responses.
Step 3 In the Impact Configuration section, select the check boxes that correspond to the alerts you want to receive for each impact flag.
Step 4 Click Save.
Your impact flag alerting settings are saved.
Configuring Discovery Event Alerting
You can configure the system to alert you whenever a specific type of discovery event occurs. For information about the different event types, see Understanding Discovery Event Types and Understanding Host Input Event Types.
Note that to generate an alert based on a discovery event type, you must configure your network discovery policy to log that event type; see Configuring Discovery Event Logging. By default, logging is enabled for all event types.
To configure discovery event alerting:
Step 1 Select Policies > Actions > Alerts, then select the Discovery Event Alerts tab.
The Discovery Event Alerts page appears.
Step 2 In the Alerts section, select the alert response you want to use for each alert type.
To create a new alert response, select New from any drop-down list. For more information, see Working with Alert Responses.
Step 3 In the Events Configuration section, select the check boxes that correspond to the alerts you want to receive for each discovery event type.
Step 4 Click Save.
Your discovery event alerting settings are saved.
Configuring Advanced Malware Protection Alerting
Supported Devices: Series 3 or virtual
Supported Defense Centers: Any except DC500
You can configure the system to alert you whenever any network-based malware event, including a retrospective event, is generated. You cannot, however, alert on endpoint-based (FireAMP) malware events. For information on malware events, see Working with Malware Events.
To generate alerts based on malware events, you must create a file policy that performs malware cloud lookups, then associate that policy with an access control rule. For more information, see Controlling Traffic Using Intrusion and File Policies.
To configure malware event alerting:
Step 1 Select Policies > Actions > Alerts, then select the Advanced Malware Protection Alerts tab.
The Advanced Malware Protection Alerts page appears.
Step 2 In the Alerts section, select the alert response you want to use for each alert type.
To create a new alert response, select New from any drop-down list. For more information, see Working with Alert Responses.
Step 3 In the Event Configuration section, select the check boxes that correspond to the alerts you want to receive for each malware event type.
Keep in mind that All network-based malware events includes Retrospective Events.
Step 4 Click Save.
Your malware event alerting settings are saved.