Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 41: Configuring Remediations
When a correlation policy violation occurs, you can configure the FireSIGHT System to initiate one or multiple responses, which include remediations (such as running an Nmap scan) and various types of alerts.
The most basic kind of response you can launch is an alert. Alerts notify you, via email, an SNMP trap server, or syslog, of a policy violation. For information on creating alerts, see .
Another kind of response you can launch is a remediation. A remediation is a program that the Defense Center runs when your network traffic violates a correlation policy. The FireSIGHT System ships with predefined remediations, which perform actions such as blocking a host at the firewall or router when it violates a policy, or scanning the host.
When the Defense Center launches a remediation, it generates a remediation status event. You can search, view, and delete remediation status events, as you would any other event.
The FireSIGHT System also provides a flexible API that allows you to create custom remediation modules to respond to correlation policy violations. For example, if you are running a Linux-based firewall, you could write and upload a remediation module that dynamically updates the iptables file on the Linux server so that traffic violating a correlation policy is blocked. For more information about writing your own remediation modules, refer to the Cisco Remediation API Guide.
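The following is an added illustration of the kind of script such a custom iptables remediation module could wrap; it is not from this guide or the Cisco Remediation API Guide. It assumes the module hands the script the offending source address from the triggering event as its first argument and that the rule is inserted in the INPUT chain; the key points are that the event value is validated as a bare IP address before it reaches iptables, that iptables is invoked without a shell, and that repeated events do not stack duplicate rules.

```python
"""Sketch of a custom remediation script for a Linux iptables firewall.

The value it receives comes from the correlation event, i.e. from observed
network traffic, so it is treated as untrusted input: it must parse as a
bare IP address, and it is never interpolated into a shell command line.
"""
import ipaddress
import subprocess
import sys

CHAIN = "INPUT"  # assumption: block inbound traffic from the offending host


def validate_host(value: str) -> str:
    """Return the canonical IPv4/IPv6 address, or raise ValueError.

    Hostnames, CIDR ranges and any shell metacharacters that might ride
    along in an event field are rejected here.
    """
    return str(ipaddress.ip_address(value.strip()))


def block_rule(host: str) -> list[str]:
    """Build the iptables argv as a list, so no shell parsing is involved."""
    addr = validate_host(host)
    tool = "ip6tables" if ":" in addr else "iptables"
    return [tool, "-I", CHAIN, "-s", addr, "-j", "DROP"]


def rule_exists(argv: list[str], runner=subprocess.run) -> bool:
    """Use the -C (check) form so repeated events do not add duplicate rules."""
    check = [argv[0], "-C"] + argv[2:]
    return runner(check, capture_output=True).returncode == 0


def remediate(host: str, runner=subprocess.run) -> int:
    """0 = rule present (added or already there), 1 = bad input, 2 = iptables failed."""
    try:
        argv = block_rule(host)
    except ValueError:
        return 1
    if rule_exists(argv, runner):
        return 0
    return 0 if runner(argv, capture_output=True).returncode == 0 else 2


if __name__ == "__main__":
    sys.exit(remediate(sys.argv[1] if len(sys.argv) > 1 else ""))
```

The `runner` parameter exists so the logic can be exercised without root or a real firewall; in production it is left at its default.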
Note: You must use a Defense Center to configure and use remediations.
For more information, see:
Creating Remediations
License: FireSIGHT
In addition to alerts, which are simple notifications of a correlation policy violation, you can also configure responses called remediations. Remediations are programs that the Defense Center runs when a correlation policy is violated. These programs use information provided in the event that triggered the violation to perform a specific action.
The FireSIGHT System ships with several predefined remediation modules: