Possible to send IoC events from FMC to SNMP/Email?

Chess Norris
Level 4

Hello,

We are running FMC 7.2, and on the summary dashboard on the Threats tab there is a list called "Indication of Compromise by Host" where we can see hosts that have downloaded malware and are CnC connected. It looks like this:

1.jpg

We would like to get an email or/and a SNMP alert whenever this happens, but I cannot find where I can configure this. 

I've looked under Policies->Actions->Alerts->Advanced Malware Protection Alerts, but I am not sure these are exactly the same alerts?

Thanks

/Chess

4 Replies

Chess Norris
Level 4

Did some more investigation into this, and the IoC events we see in the Threats tab in the dashboard come from the Analysis->Hosts->Indications of Compromise page. Is it possible to get email alerts for those events?

2.JPG

Thanks

/Chess

You could look into Monitor Alerts, there you can create alerts for Security intelligence on the FMC.

Another option, and perhaps a better option, is to integrate your FMC with SecureX, there you should be able to create playbooks based on events and those events trigger actions like sending an email.

https://www.cisco.com/c/en/us/td/docs/security/firepower/integrations/SecureX/secure_firewall_management_center_and_securex_integration_guide/introduction_about_the_integration.html

https://blogs.cisco.com/security/automate-your-way-to-success-with-cisco-securex


--
Please remember to select a correct answer and rate helpful posts

Thanks Marius. I will have a look at that.

Edit. Is this the correct one? This was the only one I found related to Security Intelligence, but it seems more like an update alert?

3.JPG

Best regards

/Chess

rgeelen
Level 1

Same question here. IoC is an interesting event to receive in both mail alert and SNMP trap from FMC.
However I also feel the need to differentiate on type of IoC: 

Outside in: blocked and happens all the time: not that much interested in 
Inside out: that looks like we have a host with a CnC infection: very interesting to know and investigate further
Inside to inside host: same as above. 

I am starting to test with a rule under Policies - Correlation - Rule Management and use a connection event with an IoC tag for certain networks as the trigger. After that, under Policy Management, connect the new rule to the SNMP settings. Hope that works as expected.

Cheers /Ruud
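A small classifier for the direction-based triage Ruud describes, added here as an example and not taken from any post or from FMC itself. The event records and the internal prefixes are constructed assumptions; FMC's correlation rules do this matching in the GUI rather than in code, but the logic is the same: only IoC-tagged connections initiated from inside (to the internet or to another internal host) should raise the SNMP/email alert.

```python
import ipaddress

# Assumption: RFC 1918 ranges stand in for the "certain networks" in the post.
# Replace with the site's real internal prefixes.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Directions worth an alert, per the triage in the post above.
ALERT_DIRECTIONS = {"inside-out", "inside-inside"}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def direction(src: str, dst: str) -> str:
    """Classify a connection by where initiator (src) and responder (dst) sit."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "inside-inside"
    if s:
        return "inside-out"
    if d:
        return "outside-in"
    return "outside-outside"


def triage(events):
    """Return (direction, event) pairs for IoC-tagged events that merit an alert."""
    hits = []
    for ev in events:
        if not ev.get("ioc"):          # plain connection events never alert
            continue
        d = direction(ev["src"], ev["dst"])
        if d in ALERT_DIRECTIONS:
            hits.append((d, ev))
    return hits


# Constructed sample connection events (fields modelled on what the thread shows).
SAMPLE_EVENTS = [
    {"src": "203.0.113.7",  "dst": "192.168.1.10",  "ioc": "Malware Download", "action": "Block"},
    {"src": "192.168.1.10", "dst": "198.51.100.5",  "ioc": "CnC Connected",    "action": "Allow"},
    {"src": "192.168.1.10", "dst": "10.0.0.25",     "ioc": "CnC Connected",    "action": "Allow"},
    {"src": "192.168.1.11", "dst": "198.51.100.9",  "ioc": None,               "action": "Allow"},
]

if __name__ == "__main__":
    for d, ev in triage(SAMPLE_EVENTS):
        print(f"ALERT [{d}] {ev['src']} -> {ev['dst']} ({ev['ioc']})")
```

The blocked outside-in download is dropped as noise, while the two inside-initiated CnC events surface, which is the split the post asks for.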
