04-17-2024 08:40 AM
With the massive number of attacks on AnyConnect and other VPNs, I've begun looking into how to further remediate these login attempts. We have MFA in place.
I'm having trouble understanding how to associate a remediation with a correlation policy.
Our FTD is sitting behind a router. I'd like to use that router and the Cisco IOS Null Route module to null route IPs after x number of login attempts, as well as login attempts from outside the US.
How do I associate a remediation policy with the correlation policy? Does anyone happen to have a similar walk through for this?
04-18-2024 02:39 AM
I tested it, but it was a while ago. What I don't understand is what your correlation rule will look like. Do we have an Intrusion rule for an excessive number of login attempts, or what will your correlation rule react on?
From my old records:
- Policies > Actions > Remediation/Modules > enter the module > Add a New Instance
- this will bring you to Policies > Actions > Remediation/Instances. After the instance is created, the Configured Remediations will be shown at the bottom; choose what you block, Save
- Edit Remediation window is displayed, Create remediation, Done, Save
- Verify: Policies > Actions > Remediation/Modules
- Policies > Correlation > Policy Management > Create Policy, Save, Activate
- Policies > Correlation > Rule Management > Create Rule, configure conditions, Save
- Policies > Correlation > Policy Management > Edit Policy > Add Rule. Here assign rule to the correlation policy. There should be a button on the right to set Correlation Response for the rule, here you can assign Cisco IOS Null Route remediation or Shun Remediation.
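As an added illustration (not code from this thread or from Cisco), here is the logic such a correlation rule would encode, run over constructed syslog lines: count AAA authentication rejections per source IP, apply the threshold and the non-US condition from the question, and emit the Null0 static routes that the IOS Null Route remediation pushes to the router. The syslog wording, the GeoIP mapping and the threshold of 3 are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed ASA/FTD-style syslog lines (not captured from a real device).
SAMPLE_LOGS = """\
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.9
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = guest : user IP = 203.0.113.9
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = sales : user IP = 203.0.113.9
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 192.0.2.44
%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jdoe
"""

# Stand-in for a GeoIP lookup (constructed values; a real deployment would use
# FMC geolocation data or a GeoIP database instead of a hard-coded table).
GEO = {"203.0.113.9": "US", "198.51.100.7": "US", "192.0.2.44": "RU"}

# Match only rejection messages and capture the client source address.
FAIL_RE = re.compile(r"%ASA-6-113005: .*user IP = (\d+\.\d+\.\d+\.\d+)")

def failed_logins_by_ip(log_text):
    """Count AAA authentication rejections per source IP."""
    return Counter(m.group(1) for m in FAIL_RE.finditer(log_text))

def select_block_targets(log_text, threshold=3, allowed_countries=("US",), geo=GEO):
    """Both conditions from the question: >= threshold failures from one IP,
    or any failure whose source geolocates outside the allowed countries."""
    targets = set()
    for ip, count in failed_logins_by_ip(log_text).items():
        if count >= threshold or geo.get(ip, "??") not in allowed_countries:
            targets.add(ip)
    return sorted(targets)

def null_route_commands(ips):
    """IOS static host routes to Null0, the effect the Cisco IOS Null Route
    remediation has on the upstream router (assumed form of the command)."""
    return [f"ip route {ip} 255.255.255.255 Null0" for ip in ips]

if __name__ == "__main__":
    for cmd in null_route_commands(select_block_targets(SAMPLE_LOGS)):
        print(cmd)
```

The successful login line is deliberately ignored, so an IP that eventually authenticates is not rescued from the block list by that success; whether that matters depends on how aggressive you want the rule to be.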
04-18-2024 02:51 AM