cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1339
Views
5
Helpful
6
Replies
ryan14
Beginner

Trigger email alert for file/malware detection

How do I configure an email alert message for something logged in the Firepower Management Center?

1 ACCEPTED SOLUTION

Accepted Solutions
InTheJuniverse
Beginner

If you intend to be alerted if a malware is detected in network, then you'd achieve that through correlation

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Correlation_Policies.html

View solution in original post

6 REPLIES 6
InTheJuniverse
Beginner

Please clarify, the subject of this question and the body seem to be talking about two different requests.

InTheJuniverse
Beginner

If you intend to be alerted if a malware is detected in network, then you'd achieve that through correlation

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Correlation_Policies.html

View solution in original post

Thanks for the reply. I basically want to be alerted if the file access policy detects a bad file and blocks it. The "action" tab is misleading in the rules of the policy itself. What is the difference between block files and block malware? I just want to know about if the policy did find something and it blocked a file whether is malware or blocked it for other reasons, without manually going to the dashboard.

Hi, From FMC 6.3 you can send a syslog message for file and malware events. You could then configure your syslog server to send an email alert based on the syslog message it received.

Blocking a file would block all defined files (e.g *.pdf) regardless of whether the file was malware or not, it does not query the AMP cloud. Whereas block malware would obviously block a file if it was determined to be malicous.

HTH

That makes sense, appreciate the feedback.
ryan14
Beginner

Thanks for leading me into the right direction. I have created a correlation rule and configured an alert via Policies -> Actions->Alerts then Advance Malware Protection alerts and it worked. Thank you.

Content for Community-Ad