Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 41 Configuring Remediations
Creating Remediations
Step 1  Select Policies > Actions > Instances.
        The Instances page appears.
Step 2  Select Set Attribute Value (v1.0) from the Add a module type drop-down list and click Add.
        The Edit Instance page appears.
Step 3  In the Instance Name field, enter a name that includes 1 to 63 alphanumeric characters, with no spaces and no special characters other than underscore (_) and dash (-).
Step 4  In the Description field, specify a description that includes 0 to 255 alphanumeric characters, including spaces and special characters.
Step 5  Click Create.
        The instance is created.
Set Attribute Value Remediations
License: FireSIGHT
You can create a set attribute value remediation for each attribute value you want to be able to set in response to a correlation rule violation. If the attribute you want to set is a text attribute, you can set the remediation to use the description from the event as the attribute value.
To create a set attribute value remediation:
Access: Admin/Discovery Admin
Step 1  Select Policies > Actions > Instances.
        The Instances page appears.
Step 2  Click View next to the scan instance where you want to add a remediation.
        The Edit Instance page appears.
Step 3  Select Set Attribute Value from the Add a new remediation of type drop-down list.
        The Edit Remediation page appears.
Step 4  In the Remediation Name field, type a name for the remediation that includes 1 to 63 alphanumeric characters, with no spaces and no special characters other than underscore (_) and dash (-).
Step 5  In the Description field, type a description for the remediation that includes 0 to 255 alphanumeric characters, including spaces and special characters.
Step 6  If you plan to use this remediation in response to a correlation rule that triggers on an intrusion event, user event, or a connection event, configure the Update Which Host(s) From Event option.
        • Select Update Source and Destination Hosts to update the attribute value on the hosts represented by the source IP address and the destination IP address in the event.
        • Select Update Source Host Only to update the attribute value on the host represented by the event’s source IP address.
        • Select Update Destination Host Only to update the attribute value on the host represented by the event’s destination IP address.