Cisco Firepower Management Center 4000 Developer Guide

FireSIGHT System Remediation API Guide
 
Chapter 1      Understanding the Remediation Subsystem
Cisco-Provided Remediation Modules
Table 1-2 describes the predefined remediation modules included with the Defense Center. You should use these modules for reference when designing your remediation programs. The system-provided modules are already installed on the Defense Center and include both the remediation executable (in Perl and C) and a completed module.template configuration file for each module. For information on the easy steps to deploy system-provided remediation modules, see the FireSIGHT System User Guide.
The Remediation Subsystem
The remediation subsystem consists of the following components:
  • the Defense Center's web interface, which you use to set up correlation policies and associate them with remediations, and to track the status of remediation processing
  • the remediation API, which enables you to define the data that will be provided to your remediation modules
  • the remediation daemon, which passes data to the remediation modules at run time and collects execution status information
  • remediation modules, which perform specific responses to correlation policy violations
Understanding Remediation Subsystem Architecture
The remediation subsystem has a two-part architecture that is diagrammed in the figure below. The architecture consists of:
  • infrastructure components, such as the web interface and the remediation daemon, which support all remediation modules. The infrastructure components allow you to create and manage all the remediation modules on your Defense Center. The remediation daemon manages the execution of the remediations. See  for more details.
  • the individual remediation modules, which you develop to respond to specific correlation policy violations. See  for more details.
Table 1-2    Cisco-Provided Remediation Modules

Module Name           Function
Cisco IOS Null Route  If you are running Cisco routers that use Cisco IOS® Version 12.0 or higher, allows you to dynamically block traffic sent to an IP address or network that violates a correlation policy.
Cisco PIX Shun        If you are running Cisco PIX® Firewall Version 6.0 or higher, allows you to dynamically block traffic sent from an IP address that violates a correlation policy.
Nmap Scanning         Allows you to actively scan specific targets to determine operating systems and servers running on those hosts.
Set Attribute Value   Allows you to set a host attribute on a host where a correlation event occurs.
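The following Python model is an added illustration of the contract described under The Remediation Subsystem (the daemon passes event data to each module and collects an execution status) and of two of the modules listed in Table 1-2 (Cisco IOS Null Route and Set Attribute Value). It is not FireSIGHT code and does not use the real remediation API: the status codes, the event field names (src_ip, attribute, value), the protected-network list and the in-memory host attribute table are all constructed assumptions for this example. The protected-network check is the caveat a practitioner wants in any automated blocker: a correlation policy that fires on traffic from your own management or infrastructure addresses must not be allowed to null-route them.

```python
"""Toy model of a remediation daemon dispatching to remediation modules.

Added example only; the real FireSIGHT daemon, module interface and status
codes are not described on this page and are not reproduced here.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed status codes for this model (not the remediation API's codes).
STATUS_SUCCESS = 0
STATUS_INVALID_INPUT = 1
STATUS_PROTECTED_TARGET = 2
STATUS_MODULE_ERROR = 3


@dataclass
class RemediationResult:
    """What the daemon collects from one module run."""
    module: str
    status: int
    detail: str
    commands: List[str] = field(default_factory=list)


# Constructed sample: addresses an automated blocker must never null-route
# (e.g. the management network the Defense Center itself lives on).
PROTECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed in-memory stand-in for the host attribute store.
HOST_ATTRIBUTES: Dict[str, Dict[str, str]] = {}


def ios_null_route(event: dict) -> RemediationResult:
    """Hypothetical module: build an IOS null route for the offending source IP."""
    name = "ios_null_route"
    try:
        target = ipaddress.ip_address(event["src_ip"])
    except (KeyError, ValueError) as exc:
        # Strict parsing: never build a router command from an unvalidated string.
        return RemediationResult(name, STATUS_INVALID_INPUT, f"bad src_ip: {exc}")
    if target.version != 4:
        return RemediationResult(name, STATUS_INVALID_INPUT, "IPv4 only in this model")
    if any(target in net for net in PROTECTED_NETWORKS):
        return RemediationResult(name, STATUS_PROTECTED_TARGET,
                                 f"{target} is in a protected network")
    # A /32 route to Null0 discards traffic to that address on the router.
    cmds = [f"ip route {target} 255.255.255.255 Null0"]
    return RemediationResult(name, STATUS_SUCCESS, f"null route built for {target}", cmds)


def set_attribute_value(event: dict) -> RemediationResult:
    """Hypothetical module: set a host attribute on the host where the event occurred."""
    name = "set_attribute_value"
    try:
        host = str(ipaddress.ip_address(event["src_ip"]))
        attr, value = str(event["attribute"]), str(event["value"])
    except (KeyError, ValueError) as exc:
        return RemediationResult(name, STATUS_INVALID_INPUT, f"bad event: {exc}")
    HOST_ATTRIBUTES.setdefault(host, {})[attr] = value
    return RemediationResult(name, STATUS_SUCCESS, f"{attr}={value} on {host}")


# Module registry the toy daemon dispatches through (assumed names).
MODULES: Dict[str, Callable[[dict], RemediationResult]] = {
    "ios_null_route": ios_null_route,
    "set_attribute_value": set_attribute_value,
}


def run_remediations(event: dict, module_names: List[str]) -> List[RemediationResult]:
    """Daemon role: hand the event to each configured module, collect each status.

    A crashing module is recorded as STATUS_MODULE_ERROR rather than aborting
    the other remediations tied to the same policy violation.
    """
    results: List[RemediationResult] = []
    for module_name in module_names:
        module = MODULES.get(module_name)
        if module is None:
            results.append(RemediationResult(module_name, STATUS_MODULE_ERROR, "unknown module"))
            continue
        try:
            results.append(module(dict(event)))  # copy: modules never mutate the event
        except Exception as exc:  # noqa: BLE001 - status collection must not raise
            results.append(RemediationResult(module_name, STATUS_MODULE_ERROR,
                                             f"module raised {exc!r}"))
    return results


if __name__ == "__main__":
    # Constructed correlation event: traffic from a documentation-range address.
    sample_event = {"src_ip": "203.0.113.45", "attribute": "quarantine", "value": "yes"}
    for r in run_remediations(sample_event, ["ios_null_route", "set_attribute_value", "nope"]):
        print(r.module, r.status, r.detail, r.commands)
```

Each module returns a result instead of raising, and the daemon loop wraps the call anyway, so one failing module cannot silently prevent the status of the others from being recorded; that mirrors the page's point that the daemon both passes data to modules and collects execution status.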