FireSIGHT System User Guide (for Cisco Firepower Management Center 4000)
Chapter 31 Configuring External Alerting for Intrusion Rules
Understanding Email Alerting
• last email time (the time that the system generated the last email report)
• current time (the time that the system generated the current email report)
• total number of new alerts
• number of events that matched specified email filters (if events are configured for specific rules)
• timestamp, protocol, event message, and session information (source and destination IPs and ports with traffic direction) for each event (if Summary Output is off)
Note: If multiple intrusion events originate from the same source IP, a note appears beneath the event that displays the number of additional events.
• number of events per destination port
• number of events per source IP
For each rule or rule group, you can enable or disable email alerting on intrusion events. Your email alert settings are used regardless of which intrusion policy you apply to the device as part of an access control policy.
The following list describes the parameters you can set for email alerting.
On/Off
Enables or disables email notification.
From Address
Specifies the email address or addresses from which the system sends intrusion events.
To Address
Specifies the email address where the system sends intrusion events. To send email to multiple recipients, separate email addresses with commas. For example:
user1@example.com, user2@example.com
Max Alerts
Specifies the maximum number of intrusion events the system sends via email in the time frame specified by Frequency (seconds).
Frequency (seconds)
Specifies how often the system mails intrusion events. The Frequency setting also specifies the frequency with which email settings are saved.
Minimum frequency: 300 seconds
Maximum frequency: 4 billion seconds
Coalesce Alerts
Enables or disables grouping of intrusion events by source IP and event so that multiple identical intrusion events generated against the same source IP only present one event on the page.
Note that alert coalescence (grouping) occurs after events are filtered. Therefore, if you configure email alerting on specific rules, you will only receive a list of events that match the rules you specified in the Mail Alerting Configuration.
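The following Python model, added here as an illustration and not code from Cisco or the FireSIGHT System, shows how the report fields listed above and the parameters just described fit together: recipients are split on commas, Frequency is checked against the documented 300 second and 4 billion second bounds, events are filtered by rule first and only then coalesced by (source IP, event), and the per-destination-port and per-source-IP counts are taken over the filtered set. The event record, the field names, the sample events and the assumption that Max Alerts caps the coalesced entry list are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

MIN_FREQUENCY = 300            # seconds, documented minimum
MAX_FREQUENCY = 4_000_000_000  # seconds, documented "4 billion" maximum


@dataclass(frozen=True)
class IntrusionEvent:
    """Minimal intrusion event record (constructed; field names are assumptions)."""
    timestamp: datetime
    rule_id: str
    message: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_to_address(value: str) -> list:
    """Split the comma-separated To Address field into individual recipients."""
    recipients = [part.strip() for part in value.split(",")]
    if any(not r or "@" not in r for r in recipients):
        raise ValueError(f"malformed To Address: {value!r}")
    return recipients


def validate_frequency(seconds: int) -> int:
    """Reject a Frequency (seconds) value outside the documented bounds."""
    if not MIN_FREQUENCY <= seconds <= MAX_FREQUENCY:
        raise ValueError(f"frequency {seconds} outside {MIN_FREQUENCY}..{MAX_FREQUENCY}")
    return seconds


def build_report(events: Iterable[IntrusionEvent], *, last_email_time: datetime,
                 current_time: datetime, rule_filter: Optional[set] = None,
                 max_alerts: int = 50, coalesce: bool = True,
                 summary_output: bool = False) -> dict:
    """Assemble the fields of one email report from the events in the window."""
    # "New" alerts are the events generated since the previous report.
    new = [e for e in events if last_email_time < e.timestamp <= current_time]
    # Filtering by rule happens first...
    matched = [e for e in new if rule_filter is None or e.rule_id in rule_filter]
    # ...and coalescence by (source IP, event) is applied to the filtered set,
    # keeping the first event and counting the additional identical ones.
    if coalesce:
        groups = {}
        for e in matched:
            first, extra = groups.get((e.src_ip, e.rule_id), (e, -1))
            groups[(e.src_ip, e.rule_id)] = (first, extra + 1)
        entries = [(first, extra) for first, extra in groups.values()]
    else:
        entries = [(e, 0) for e in matched]
    # Assumption: Max Alerts caps the listed entries after coalescing.
    entries = entries[:max_alerts]
    report = {
        "last_email_time": last_email_time,
        "current_time": current_time,
        "new_alerts": len(new),
        "matched": len(matched),
        "per_dst_port": dict(Counter(e.dst_port for e in matched)),
        "per_src_ip": dict(Counter(e.src_ip for e in matched)),
    }
    if not summary_output:
        # Per-event detail: timestamp, protocol, message and session with direction.
        report["events"] = [{
            "timestamp": e.timestamp, "protocol": e.protocol, "message": e.message,
            "session": f"{e.src_ip}:{e.src_port} -> {e.dst_ip}:{e.dst_port}",
            "additional": extra,
        } for e, extra in entries]
    return report


# Constructed sample: five events in a five-minute window.
_BASE = datetime(2014, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    IntrusionEvent(_BASE + timedelta(minutes=1), "1:1000", "WEB probe", "tcp", "10.0.0.5", 5555, "192.0.2.10", 80),
    IntrusionEvent(_BASE + timedelta(minutes=2), "1:1000", "WEB probe", "tcp", "10.0.0.5", 5556, "192.0.2.10", 80),
    IntrusionEvent(_BASE + timedelta(minutes=3), "1:2000", "TLS anomaly", "tcp", "10.0.0.5", 5557, "192.0.2.11", 443),
    IntrusionEvent(_BASE + timedelta(minutes=4), "1:1000", "WEB probe", "tcp", "10.0.0.6", 6000, "192.0.2.10", 80),
    IntrusionEvent(_BASE + timedelta(minutes=4, seconds=30), "1:3000", "SSH scan", "tcp", "10.0.0.7", 7000, "192.0.2.12", 22),
]


def example_report(**overrides) -> dict:
    """Report for the sample events with alerting configured on two rules."""
    settings = dict(last_email_time=_BASE, current_time=_BASE + timedelta(minutes=5),
                    rule_filter={"1:1000", "1:2000"}, max_alerts=50, coalesce=True)
    settings.update(overrides)
    return build_report(SAMPLE_EVENTS, **settings)


if __name__ == "__main__":
    for key, value in example_report().items():
        print(key, value)
```

With the two-rule filter the sample yields five new alerts, four matched events, and three listed entries, the first of which carries a note of one additional event; the rule 1:3000 event is dropped by the filter before coalescence ever sees it, which is the ordering the note above describes.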