Cisco Firepower Management Center 2000 Developer Guide
FireSIGHT System Remediation API Guide
Chapter 1 Understanding the Remediation Subsystem
Using the Remediation Subsystem
Remediation Module Architecture
Each remediation module that you install on your Defense Center includes one or more remediation
types. You assign one or more remediation types to each instance. For information on configuring
remediations as responses to policy violations, see the Configuring Responses for Correlation Policies
chapter in the FireSIGHT System User Guide.
Remediation modules include the following components:
• the remediation program, included in the remediation module package at installation. See
  .
• a required XML module.template file, also included in the remediation module package at
  installation. This file provides module-level information about your module and its data
  requirements that the remediation subsystem references each time it launches one of the
  remediation module’s instances. See
• one XML instance.conf file per instance. The Defense Center auto-generates this file each time
  you configure a new instance of your remediation module.
Using the Remediation Subsystem
You deploy remediations by adding them as responses to specific rules in correlation policies on your
Defense Center. You define the associations of correlation policies and remediations using the Defense
Center web interface.
To deploy a remediation module, you must:
Step 1  Identify the condition you want to mitigate and the actions that appropriately resolve that
        condition in your environment. These actions are the main functions your custom remediation
        program must implement.
        If you can use a Cisco-provided remediation module, skip directly to step
        .
Step 2  If you need to produce a custom remediation module, familiarize yourself with the data
        elements obtainable from the remediation subsystem. See
        .
Step 3  If you develop a custom remediation module, you must also create a module.template file to
        be included in your module package. See
        and syntax of the module.template file.
Step 4  Write your remediation program so that it addresses all the functions necessary for the
        desired remediations. You can write your remediation module programs in bash, tcsh, Perl or
        C. Develop your program using the technical guidance in
        .
Step 5  Package your remediation module as described in
        .
Step 6  Install the module on the Defense Center using the web interface as described in
        .
Step 7  Ensure that the individual remediation types in your remediation module are assigned as
        responses to the correct correlation rules in your active correlation policies. See the
        FireSIGHT System User Guide for procedure details.