Email alerts for Security Intelligence events

deyster94
Level 5

Is there any way to set up email alerts for Security Intelligence events? I haven't seen anything other than syslog and SNMP traps.

TIA,

Dan

3 Replies

jsenovilla
Level 1

Hi Dan,

First of all, you must set up an email SMTP server in the "System Policy" or "System Settings" in your FireSIGHT Management Center (FMC) or Defense Center (DC).

After that, here are the steps to send "Security Intelligence" events via email:

SecurityIntelligence1.png

SecurityIntelligence2.png

Regards, Juan.

miculp
Cisco Employee

In addition to setting up the "mail notification" in the system settings, you'll have to create a correlation policy & rule to match an event. Then you can use an email action to alert you. So there are really three things you need to be aware of.

- "email notification" under system settings

- "email action" under policies, actions

- "correlation policy" under policies, correlation

The first step is to set up your mail relay. Once that's verified working, you need to set up your email action. With that done, you move on to a correlation policy. These can be a bit daunting at first, but once you learn the flow, it's all just a big logic engine/policy.

Correlation:

- Add a rule

     - Name it

- build your rule

     - "If connection event occurs...."

     - Security Intelligence category is <category>

     - save

- add correlation policy

     - name it

     - add rules

     - select and add rule you just made

     - click on "responses" icon next to delete icon

     - choose email action you created earlier

     - save

- Activate policy

     - click the blue slider

Play around with the correlation policies and you'll quickly see how useful these can be.

A correlation policy should be most recommended, as we can expect many alerts on SI if you connect to the internet.
