DNS names in alerts and reports

Dear community,

I would like to ask you for help with the following topics:

1. We have set up automatic email alerting on our FMC in case an intrusion event or malware event is detected.

Below is an example of an **Auto Generated Email** alert for a detected intrusion event.


[1:42944:2] "OS-WINDOWS Microsoft Windows SMB remote code execution attempt" [Impact: Potentially Vulnerable] From "FTD Name" at Wed Dec 4 11:35:20 2019 UTC [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {tcp} 10.7.0.57:50949 (unknown)->10.54.0.173:445 (unknown)


My question is: is it possible to customize the information displayed in this alert? Is it possible to display DNS records for the affected IPs directly in the auto-generated alert? Since we have many branch locations with different IP scopes, we are spending additional time after an alert is received to find the responsible person. Since we have standardised hostnames, we are able to identify the branch location directly based on them. If this is not possible, would it be possible, for example, to create IP scopes directly on the FMC according to our branch location scopes, so that in case of an alert the IP would be matched directly to this scope and this info displayed in the alert? Or is there any other way to identify the IP address directly in the received alert?


2. We are experiencing a similar problem during analysis of events and in reporting. In analysis, only IP addresses are displayed everywhere, and there is no additional column that would show the DNS name of the IP. Only if I click on the "Host View" icon next to the IP address is additional info for the IP address displayed, including DNS, which is proof that DNS resolving is working OK. We have the same problem with reports: we are only able to report IP addresses, with no additional info to directly identify the problematic host.


Thank you in advance for any help on how to improve IP-to-exact-host identification in FMC.


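The enrichment the question asks for (mapping each IP in the alert line to a hostname and to a branch IP scope) can also be done outside the FMC by post-processing the text of the auto-generated e-mail. The Python script below is an added example and is not an FMC feature, nor code from Cisco or from the poster. It parses the alert format quoted above, then looks each endpoint up in a branch CIDR table (longest prefix wins) and in a reverse-DNS map; the CIDR ranges, the PTR records and the `brNN-…` hostname scheme are constructed placeholders, and the `static_ptr_lookup` resolver stands in for a real PTR query so the script runs offline.

```python
import ipaddress
import re
from typing import Callable, Dict, Optional

# Alert line exactly as quoted in the post (used as sample input).
SAMPLE_ALERT = (
    '[1:42944:2] "OS-WINDOWS Microsoft Windows SMB remote code execution attempt" '
    '[Impact: Potentially Vulnerable] From "FTD Name" at Wed Dec 4 11:35:20 2019 UTC '
    '[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {tcp} '
    '10.7.0.57:50949 (unknown)->10.54.0.173:445 (unknown)'
)

# Constructed branch scopes (assumption: one /16 per branch, plus a nested
# /24 to show that the most specific scope wins).
BRANCH_SCOPES: Dict[str, str] = {
    "10.7.0.0/16": "branch-07",
    "10.7.10.0/24": "branch-07-servers",
    "10.54.0.0/16": "branch-54",
}

# Constructed PTR records; a real deployment would query DNS instead
# (e.g. socket.gethostbyaddr(ip)[0] with a timeout) or the FMC host data.
STATIC_PTR: Dict[str, str] = {
    "10.7.0.57": "br07-ws-0057.corp.example",
    "10.54.0.173": "br54-fs-0173.corp.example",
}

# Snort/FMC-style alert line: "[gid:sid:rev] "msg" [Impact: ..] From "sensor"
# at <time> UTC [Classification: ..] [Priority: n] {proto} src:port (x)->dst:port (x)".
# The bracketed fields and ports are optional so slightly different alerts still parse.
ALERT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"(?P<msg>[^"]*)"'
    r'(?:\s+\[Impact:\s*(?P<impact>[^\]]*)\])?'
    r'(?:\s+From\s+"(?P<sensor>[^"]*)")?'
    r'(?:\s+at\s+(?P<time>.+?\sUTC))?'
    r'(?:\s+\[Classification:\s*(?P<classification>[^\]]*)\])?'
    r'(?:\s+\[Priority:\s*(?P<priority>\d+)\])?'
    r'\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))?(?:\s+\([^)]*\))?'
    r'\s*->\s*'
    r'(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dst_port>\d+))?(?:\s+\([^)]*\))?'
)


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def lookup_branch(ip: str, scopes: Dict[str, str] = BRANCH_SCOPES) -> Optional[str]:
    """Longest-prefix match of ip against the branch scope table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, name in scopes.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name)
    return best[1] if best else None


def static_ptr_lookup(ip: str) -> Optional[str]:
    """Offline stand-in for a reverse DNS query (constructed data)."""
    return STATIC_PTR.get(ip)


def enrich_alert(line: str, scopes: Dict[str, str] = BRANCH_SCOPES,
                 resolver: Callable[[str], Optional[str]] = static_ptr_lookup
                 ) -> Optional[Dict[str, Optional[str]]]:
    """Parse the alert and add <side>_host and <side>_branch for src and dst."""
    fields = parse_alert(line)
    if fields is None:
        return None
    for side in ("src", "dst"):
        ip = fields[f"{side}_ip"]
        fields[f"{side}_branch"] = lookup_branch(ip, scopes)
        fields[f"{side}_host"] = resolver(ip)
    return fields


def format_enriched(fields: Dict[str, Optional[str]]) -> str:
    """Render a one-line summary with hostname and branch next to each endpoint."""
    def endpoint(side: str) -> str:
        ip, port = fields[f"{side}_ip"], fields.get(f"{side}_port")
        host = fields.get(f"{side}_host") or "no-ptr"
        branch = fields.get(f"{side}_branch") or "unknown-scope"
        return f"{ip}:{port} ({host}, {branch})" if port else f"{ip} ({host}, {branch})"
    return (f'[{fields["gid"]}:{fields["sid"]}:{fields["rev"]}] "{fields["msg"]}" '
            f'[Priority: {fields["priority"]}] {{{fields["proto"]}}} '
            f'{endpoint("src")}->{endpoint("dst")}')


if __name__ == "__main__":
    enriched = enrich_alert(SAMPLE_ALERT)
    print(format_enriched(enriched))
```

Run as a mail filter or a small hook on the mailbox that receives the FMC alerts, the script turns `10.7.0.57:50949 (unknown)` into `10.7.0.57:50949 (br07-ws-0057.corp.example, branch-07)`, which is enough to route the alert to the right branch contact without opening Host View. Keep the scope table in version control alongside the branch address plan so it does not drift from the real allocations.
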
1 Reply

There are a few things you could employ, but it depends on what setup you have in your production network. You could use ISE pxGrid and integrate it with your FMC (with the help of your AD), or you could look at the Identity agent. Doing this, you will see the IP addresses resolved into username/host machine name.


Let's see what other people suggest.


Please do not forget to rate.