Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 15
Configuring External Alerting
While the FireSIGHT System provides various views of events within the web interface, you may want to configure external event notification to facilitate constant monitoring of critical systems. You can configure the FireSIGHT System to generate alerts that notify you via email, SNMP trap, or syslog when one of the following is generated:
• an intrusion event with a specific impact flag
• a specific type of discovery event
• a network-based malware event or retrospective malware event
• a correlation event, triggered by a specific correlation policy violation
• a connection event, triggered by a specific access control rule
• a specific status change for a module in a health policy
To have the system send these alerts, you must first create an alert response, which is a set of configurations that allows the FireSIGHT System to interact with the external system where you plan to send the alert. Those configurations may specify, for example, an email relay host, SNMP alerting parameters, or syslog facilities and priorities.
After you create the alert response, you associate it with the event that you want to use to trigger the alert. Note that the process for associating alert responses with events is different depending on the type of event:
• You associate alert responses with impact flags, discovery events, and malware events using their own configuration pages.
• You associate correlation events with alert responses (and remediation responses; see ) in your correlation policies.
• You associate SNMP and syslog alert responses with logged connections using access control rules and policies. Email alerting is not supported for logged connections.
• You associate alert responses with health module status changes using the health monitor.
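The syslog facility and priority that an alert response carries are packed into the syslog PRI header of every message the collector receives. The following is an added example (not code from the guide or from Cisco) that models that pair in a hypothetical `SyslogAlertResponse` class, encodes a constructed alert line with the correct PRI, and decodes incoming lines so a collector can confirm that FireSIGHT alerts are arriving on the expected facility at the expected severity. The message tag and body are constructed; this page does not show the real FireSIGHT syslog message format.

```python
import re
from dataclasses import dataclass

# Standard syslog facility and severity codes (RFC 3164 / RFC 5424).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


@dataclass
class SyslogAlertResponse:
    """Hypothetical model of the facility/priority pair a syslog alert response holds."""
    facility: str
    priority: str  # the "priority" setting is the syslog severity

    def pri(self) -> int:
        # PRI packs facility and severity into one number: facility * 8 + severity.
        return FACILITIES[self.facility] * 8 + SEVERITIES[self.priority]

    def encode(self, timestamp: str, host: str, tag: str, message: str) -> str:
        # RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG: MSG  (constructed sample line)
        return f"<{self.pri()}>{timestamp} {host} {tag}: {message}"


PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(line: str) -> tuple[str, str]:
    """Return (facility name, severity name) for a syslog line; reject a malformed PRI."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    fac, sev = divmod(pri, 8)
    return FACILITY_NAMES.get(fac, f"facility{fac}"), SEVERITY_NAMES[sev]


def is_alert_for(line: str, response: SyslogAlertResponse) -> bool:
    """Collector-side check: same facility as the alert response, and at least as severe."""
    fac, sev = decode_pri(line)
    return fac == response.facility and SEVERITIES[sev] <= SEVERITIES[response.priority]
```

A collector that keys its FireSIGHT routing rules on `facility`/`priority` can use `is_alert_for` to flag alerts that show up with a different PRI than the alert response was configured with.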