Cisco Firepower Management Center 4000
FireSIGHT System User Guide

Chapter 41
Configuring Remediations
When a correlation policy violation occurs, you can configure the FireSIGHT System to initiate one or 
multiple responses, which include remediations (such as running an Nmap scan) and various types of 
alerts.
The most basic kind of response you can launch is an alert. Alerts notify you, via email, an SNMP trap 
server, or syslog, of a policy violation. For information on creating alerts, see .
Another kind of response you can launch is a remediation. A remediation is a program that the Defense 
Center runs when your network traffic violates a correlation policy. The FireSIGHT System ships with 
predefined remediations, which perform actions such as blocking a host at the firewall or router when it 
violates a policy or scanning the host.
When the Defense Center launches a remediation, it generates a remediation status event. You can 
search, view, and delete remediation status events, as you would any other event.
The FireSIGHT System also provides a flexible API that allows you to create custom remediation 
modules to respond to correlation policy violations. For example, if you are running a Linux-based 
firewall, you could write and upload a remediation module that dynamically updates the iptables file 
on the Linux server so that traffic violating a correlation policy is blocked. For more information about 
writing your own remediation modules, refer to the Cisco Remediation API Guide.
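The following script illustrates the kind of custom remediation the paragraph above describes: a program the Defense Center would run against the offending host from the triggering event, inserting an iptables DROP rule for that address. It is an added example, not Cisco's code and not taken from the Remediation API Guide; the convention that the source IP arrives as the first command-line argument, the protected management subnet, and the exit-code meanings are all assumptions. The refusal list exists because an automated block that hits the Defense Center or the sensor's own management address locks the operator out, which is the first thing to guard against in any auto-remediation.

```python
#!/usr/bin/env python3
"""Illustrative remediation script: block an offending host with iptables.

Added example, not Cisco's code. Assumptions (not from the FireSIGHT guide):
  * the Defense Center passes the offending source IP as argv[1]
  * the script runs on a Linux host that has the iptables/ip6tables binaries
  * exit code 0 reports success, 1 a refused address, 2 an iptables failure
"""
import ipaddress
import subprocess
import sys

# Addresses that automated remediation must never block, e.g. the Defense
# Center and the managed device's own management interface. Constructed
# sample value using an RFC 5737 documentation range.
PROTECTED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),  # management subnet (constructed)
]


def is_blockable(ip_text):
    """Return True if ip_text is a valid, routable address outside protected nets."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # event field was not an IP address at all
        return False
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in PROTECTED_NETWORKS)


def build_block_rule(ip_text, chain="FORWARD"):
    """Build the iptables argv that drops traffic from ip_text, or None if refused."""
    if not is_blockable(ip_text):
        return None
    binary = "iptables" if ipaddress.ip_address(ip_text).version == 4 else "ip6tables"
    return [binary, "-I", chain, "-s", ip_text, "-j", "DROP"]


def remediate(ip_text, runner=subprocess.run):
    """Apply the block rule; returns the exit code described in the docstring."""
    rule = build_block_rule(ip_text)
    if rule is None:
        print(f"refusing to block {ip_text!r}", file=sys.stderr)
        return 1
    # "-C" asks iptables whether an identical rule already exists, so repeated
    # violations from the same host do not pile up duplicate entries.
    check = rule[:1] + ["-C"] + rule[2:]
    if runner(check, capture_output=True).returncode == 0:
        return 0
    result = runner(rule, capture_output=True)
    return 0 if result.returncode == 0 else 2


if __name__ == "__main__":
    sys.exit(remediate(sys.argv[1]) if len(sys.argv) > 1 else 1)
```

The `runner` parameter exists so the decision logic can be exercised without a real iptables binary; in production the default `subprocess.run` is used and the remediation status event the Defense Center records will reflect the script's exit code.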
Note
You must use a Defense Center to configure and use remediations.
For more information, see:
  •
  •
Creating Remediations
License: FireSIGHT
In addition to alerts, which are simple notifications of a correlation policy violation, you can also 
configure responses called remediations. Remediations are programs that the Defense Center runs when 
a correlation policy is violated. These programs use information provided in the event that triggered the 
violation to perform a specific action.
The FireSIGHT System ships with several predefined remediation modules: