Cisco Firepower Management Center 4000
31-7
FireSIGHT System User Guide
Chapter 31      Configuring External Alerting for Intrusion Rules
Understanding Email Alerting
• last email time (the time that the system generated the last email report)
• current time (the time that the system generated the current email report)
• total number of new alerts
• number of events that matched specified email filters (if events are configured for specific rules)
• timestamp, protocol, event message, and session information (source and destination IPs and ports with traffic direction) for each event (if Summary Output is off)
Note: If multiple intrusion events originate from the same source IP, a note appears beneath the event that displays the number of additional events.
• number of events per destination port
• number of events per source IP
For each rule or rule group, you can enable or disable email alerting on intrusion events. Your email alert 
settings are used regardless of which intrusion policy you apply to the device as part of an access control 
policy. 
The following list describes the parameters you can set for email alerting.
On/Off
Enables or disables email notification.
From Address
Specifies the email address or addresses from which the system sends intrusion events.
To Address
Specifies the email address where the system sends intrusion events. To send email to multiple 
recipients, separate email addresses with commas. For example:
user1@example.com, user2@example.com
Max Alerts
Specifies the maximum number of intrusion events the system sends via email in the time frame 
specified by Frequency (seconds).
Frequency (seconds)
Specifies how often the system mails intrusion events. The Frequency setting also specifies the 
frequency with which email settings are saved.
Minimum frequency: 300 seconds
Maximum frequency: 4 billion seconds
Coalesce Alerts
Enables or disables grouping of intrusion events by source IP and event so that multiple identical 
intrusion events generated against the same source IP only present one event on the page. 
Note that alert coalescence (grouping) occurs after events are filtered. Therefore, if you configure 
email alerting on specific rules, you will only receive a list of events that match the rules you 
specified in the Mail Alerting Configuration.
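The following is an added example, not code from the FireSIGHT System or from Cisco, that simulates how the report described in this section is assembled: new events since the last report are selected, the per-rule email filter is applied, and only then are identical events from one source IP coalesced, so a rule filter always narrows what is listed. The event fields, rule identifiers, and IP addresses are constructed sample values, and the assumption that Max Alerts caps the number of listed entries after coalescing is the example's own.

```python
"""Simulation of the email report pipeline described in the guide:
select new events -> apply rule filter -> coalesce by source IP and rule
-> summarise. Added example; not Cisco/FireSIGHT code."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class IntrusionEvent:
    timestamp: int   # epoch seconds
    rule_id: str     # generator:signature id (constructed values below)
    protocol: str
    message: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed sample events (not taken from the guide).
SAMPLE_EVENTS = [
    IntrusionEvent(1000, "1:1001", "tcp", "SCAN probe",       "10.0.0.5", 40001, "192.0.2.10", 22),
    IntrusionEvent(1010, "1:1001", "tcp", "SCAN probe",       "10.0.0.5", 40002, "192.0.2.10", 22),
    IntrusionEvent(1020, "1:1001", "tcp", "SCAN probe",       "10.0.0.5", 40003, "192.0.2.11", 80),
    IntrusionEvent(1030, "1:2002", "tcp", "WEB attack probe", "10.0.0.7", 51000, "192.0.2.11", 80),
    IntrusionEvent(1040, "1:3003", "udp", "DNS anomaly",      "10.0.0.9", 53000, "192.0.2.12", 53),
    IntrusionEvent(1500, "1:1001", "tcp", "SCAN probe",       "10.0.0.5", 40004, "192.0.2.10", 22),  # after current_time
]


def new_events(events, last_email_time, current_time):
    """Events generated after the last report and up to the current one."""
    return [e for e in events if last_email_time < e.timestamp <= current_time]


def filter_by_rules(events, rule_ids=None):
    """Apply the per-rule email filter; None means alerting is on for all rules."""
    if rule_ids is None:
        return list(events)
    return [e for e in events if e.rule_id in rule_ids]


def coalesce(events):
    """Group events by (source IP, rule) so identical events from one source
    appear once. Keeps the first occurrence and counts the additional ones.
    Runs after filtering, as the guide's note on coalescence states."""
    groups = {}
    for e in events:
        key = (e.src_ip, e.rule_id)
        if key not in groups:
            groups[key] = [e, 0]
        groups[key][1] += 1
    return [(first, count - 1) for first, count in groups.values()]


def build_report(events, last_email_time, current_time, rule_ids=None,
                 coalesce_alerts=True, max_alerts=5, summary_output=False):
    """Assemble the report fields listed in the guide. Assumption (ours):
    Max Alerts caps the number of listed entries after coalescing."""
    fresh = new_events(events, last_email_time, current_time)
    matched = filter_by_rules(fresh, rule_ids)
    entries = coalesce(matched) if coalesce_alerts else [(e, 0) for e in matched]
    report = {
        "last_email_time": last_email_time,
        "current_time": current_time,
        "total_new_alerts": len(fresh),
        "matched_filters": len(matched),
        "events_per_dst_port": dict(Counter(e.dst_port for e in matched)),
        "events_per_src_ip": dict(Counter(e.src_ip for e in matched)),
        "entries": [],
    }
    if not summary_output:  # Summary Output on suppresses the per-event lines
        for e, extra in entries[:max_alerts]:
            line = (f"{e.timestamp} {e.protocol} {e.message} "
                    f"{e.src_ip}:{e.src_port} -> {e.dst_ip}:{e.dst_port}")
            if extra:
                line += f"  [+{extra} additional events from this source]"
            report["entries"].append(line)
    return report


if __name__ == "__main__":
    r = build_report(SAMPLE_EVENTS, last_email_time=900, current_time=1200,
                     rule_ids={"1:1001", "1:2002"})
    for field, value in r.items():
        print(field, value)
```

With the rule filter set to the two constructed rules, the three probe events from 10.0.0.5 collapse into one listed entry carrying a "+2 additional events" note, the DNS event is dropped by the filter before coalescing ever sees it, and the event at timestamp 1500 is excluded because it falls after the current report time.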