Cisco Firepower Management Center 2000 Developer Guide
FireSIGHT System Remediation API Guide
Chapter 1
Understanding the Remediation Subsystem
The FireSIGHT System® remediation API allows you to create remediations that your Defense Center
can automatically launch when conditions on your network violate the associated correlation policy. A
remediation is the response your software program executes to mitigate the detected condition. For
example, you can block traffic at a router on the source or destination IP address, or initiate a host Nmap
scan to assess the host status. If multiple rules in a policy trigger, the Defense Center can launch
responses for each rule. A remediation module is the package of files you install on the Defense Center
to perform the response. A remediation module can incorporate several remediation types as shown in
the graphic below.
For example, one of the system-provided remediation modules, the Cisco PIX router module, performs
two remediation types: it either blocks packets by source IP address or blocks them by destination IP
address.
If a remediation module targets multiple devices on your network (routers, hosts, and so forth), you
configure your remediation module to perform multiple instances, one per device, when the correlation
policy triggers. An instance is an instantiation of the remediation module, with one or more remediation
types that correspond to functions in the remediation module code, and with a set of variables needed to
run on the target device. For each instance, you specify the remediation type or types it executes and the
instance-specific information such as the device’s IP address and password for the remediation to access
the target device on your network.