03-14-2018 11:13 AM
Is there any way to set up email alerts for Security Intelligence events? I haven't seen anything other than syslog and SNMP traps.
TIA,
Dan
05-11-2018 05:11 AM
Hi Dan,
First of all, you must set up an email SMTP server in the "System Policy" or "System Settings" in your FireSIGHT Management Center (FMC) or Defense Center (DC).
After that, here are the steps to send "Security Intelligence" events via email:
Regards, Juan.
05-17-2018 04:26 PM
In addition to setting up the "mail notification" in the system settings, you'll have to create a correlation policy & rule to match an event. Then you can use an email action to alert you. So there are really three things you need to be aware of.
- "email notification" under system settings
- "email action" under policies, actions
- "correlation policy" under policies, correlation
The first step is to set up your mail relay. Once that's verified working, you need to set up your email action. With that done, you move on to a correlation policy. These can be a bit daunting at first, but once you learn the flow, it's all just a big logic engine/policy.
Correlation:
- Add a rule
  - Name it
  - Build your rule
    - "If connection event occurs...."
    - Security Intelligence category is <category>
  - Save
- Add correlation policy
  - Name it
  - Add rules
    - Select and add rule you just made
  - Click on "responses" icon next to delete icon
  - Choose email action you created earlier
  - Save
- Activate policy
  - Click the blue slider
Play around with the correlation policies and you'll quickly see how useful these can be.
05-17-2018 09:05 PM
A correlation policy should be most recommended, as we can expect many alerts on SI if you connect to the internet.