Firepower Management Center Alert Responses
External event notification via SNMP, syslog, or email can help with critical-system monitoring. The Firepower Management Center uses configurable alert responses to interact with external servers. An alert response is a configuration that represents a connection to an email, SNMP, or syslog server. They are called responses because you can use them to send alerts in response to events detected by Firepower. You can configure multiple alert responses to send different types of alerts to different monitoring servers and/or people.
Note |
Depending on your device and Firepower version, alert responses may not be the best way to send syslog messages. See the About Syslog chapter in the Firepower Management Center Device Configuration Guide and Best Practices for Configuring Security Event Syslog Messaging.. |
Note |
Alerts that use alert responses are sent by the Firepower Management Center. Intrusion email alerts, which do not use alert responses, are also sent by the Firepower Management Center. By contrast, SNMP and syslog alerts that are based on individual intrusion rules triggering are sent directly by managed devices. For more information, see External Alerting for Intrusion Events. |
In most cases, the information in an external alert is the same as the information in any associated event you logged to the database. However, for correlation event alerts where the correlation rule contains a connection tracker, the information you receive is the same as for an alert on a traffic profile change, regardless of the base event type.
You create and manage alert responses on the Alerts page (). New alert responses are automatically enabled. To temporarily stop alert generation, you can disable alert responses rather than deleting them.
Changes to alert responses take effect immediately, except when sending connection logs to an SNMP trap or syslog server.
Configurations Supporting Alert Responses
After you create an alert response, you can use it to send the following external alerts from the Firepower Management Center.
Alert/Event Type |
For More Information |
---|---|
Intrusion events, by impact flag |
|
Discovery events, by type |
|
Malware and retrospective malware events detected by AMP for Networks ("network-based") |
|
Correlation events, by correlation policy violation |
|
Connection events, by the logging rule or default action (email alerts not supported) |
|
Health events, by health module and severity level |