03-14-2018 11:13 AM
Is there any way to set up email alerts for Security Intelligence events? I haven't seen anything other than syslog and SNMP traps.
TIA,
Dan
05-11-2018 05:11 AM
Hi Dan,
First of all, you must set up an email SMTP server in the "System Policy" or "System Settings" in your FireSIGHT Management Center (FMC) or Defense Center (DC).
After that, here are the steps to send "Security Intelligence" events via email:
Regards, Juan.
05-17-2018 04:26 PM
In addition to setting up the "mail notification" in the system settings, you'll have to create a correlation policy and rule to match an event. Then you can use an email action to alert you. So there are really three things you need to be aware of.
- "email notification" under system settings
- "email action" under policies, actions
- "correlation policy" under policies, correlation
The first step is to set up your mail relay. Once that's verified working, you need to set up your email action. With that done, you move on to a correlation policy. These can be a bit daunting at first, but once you learn the flow, it's all just a big logic engine/policy.
Correlation:
- Add a rule
  - Name it
  - Build your rule
    - "If connection event occurs...."
    - Security Intelligence category is <category>
  - Save
- Add correlation policy
  - Name it
  - Add rules
    - Select and add rule you just made
  - Click on "responses" icon next to delete icon
    - Choose email action you created earlier
  - Save
- Activate policy
  - Click the blue slider
Play around with the correlation policies and you'll quickly see how useful these can be.
05-17-2018 09:05 PM
A correlation policy should be the most recommended, as we can expect many alerts on SI if you connect to the internet.