FMC: Disable email notification for specific blocked intrusions

HQuest
Level 1

Running FMC 7.0.0-64, I have email notifications (Policies / Actions / Alerts / Intrusion Email) turned on for intrusion policies (Snort 3, if that makes any difference), and there are only a few of those notifications that are enabled (as set on Email Alerting per Rule Configuration). Yet, emails are also delivered for the unchecked notifications.

 

I have followed the support configuration (https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/external_alerting_for_intrusion_events.html#ID-2212-00000254).

 

Since I do want these SIDs taking action but I do not need all the email notifications but only a handful, am I missing the correct configuration or is this just another FMC bug?

Accepted Solutions

HQuest
Level 1

Well, seems there are multiple sources and configurations for notifications on FMC - and I failed to identify this. The notifications I'm receiving were set by the Policies / Actions / Alerts section, which are then sent whenever matched from the policies themselves. Therefore, by disabling the email alerts from the Alerts section, and enabling only those SIDs I want from the Intrusion Email configuration page, FMC can email me only what I'm after.
