First of all, you must set up an email SMTP server in the "System Policy" or "System Settings" in your FireSIGHT Management Center (FMC) or Defense Center (DC).
After that, here are the steps to send "Security Intelligence" events via email:
In addition to setting up the "mail notification" in the system settings, you'll have to create a correlation policy and rule to match an event. Then you can use an email action to alert you. So there are really three things you need to be aware of:
- "email notification" under system settings
- "email action" under policies, actions
- "correlation policy" under policies, correlation
The first step is to set up your mail relay. Once that's verified working, you need to set up your email action. With that done, you move on to a correlation policy. These can be a bit daunting at first, but once you learn the flow, it's all just a big logic engine/policy.
- Add a rule
  - Name it
  - Build your rule
    - "If connection event occurs...."
    - Security Intelligence category is <category>
- Add correlation policy
  - Name it
  - Add rules
    - Select and add the rule you just made
  - Click on the "responses" icon next to the delete icon
  - Choose the email action you created earlier
  - Click the blue slider
Play around with the correlation policies and you'll quickly see how useful these can be.