Trigger email alert for file/malware detection

ryan14
Level 1

How do I configure an email alert message for something logged in the Firepower Management Center?

6 Replies

InTheJuniverse
Level 1

Please clarify, the subject of this question and the body seem to be talking about two different requests.

InTheJuniverse
Level 1
(Accepted Solution)

If you intend to be alerted if malware is detected in the network, then you'd achieve that through correlation:

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Correlation_Policies.html

Thanks for the reply. I basically want to be alerted if the file access policy detects a bad file and blocks it. The "action" tab is misleading in the rules of the policy itself. What is the difference between block files and block malware? I just want to know if the policy did find something and blocked a file, whether it is malware or blocked for other reasons, without manually going to the dashboard.

Hi, from FMC 6.3 you can send a syslog message for file and malware events. You could then configure your syslog server to send an email alert based on the syslog message it received.

Blocking a file would block all defined files (e.g. *.pdf) regardless of whether the file was malware or not; it does not query the AMP cloud. Whereas block malware would obviously block a file if it was determined to be malicious.

HTH
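The syslog-to-email path described in the reply above, as an added example that is not part of this thread or of Cisco's own tooling: a small Python filter that a syslog receiver can hand lines to. It parses FTD-style key/value file and malware events and builds an email for every event whose action blocked the file, whether the block came from a file-type rule or from a malware disposition. The message IDs (430004 for file events, 430005 for malware events), the field names (FileAction, FileName, SHA_Disposition, FilePolicy) and the sample lines are assumptions modelled on the FTD syslog format, and the SHA256 in the samples is a placeholder; check the IDs and field names against the syslog reference for your FMC release before relying on them.

```python
"""Added example: raise an email alert from FTD file/malware syslog events."""
import re
import smtplib
from email.message import EmailMessage

# Assumption: FTD uses message ID 430004 for file events and 430005 for
# malware events. Confirm against the syslog reference for your release.
FILE_EVENT_IDS = {"430004", "430005"}

MSG_RE = re.compile(r"%FTD-\d-(\d{6}):\s*(.*)$")
# "Key: value" pairs separated by ", "; values may contain spaces.
KV_RE = re.compile(r"(\w+): (.*?)(?=, \w+: |$)")

# Constructed sample lines in FTD key/value style (not captured from a real
# sensor). The SHA256 is a placeholder, not a real file hash.
PLACEHOLDER_SHA = "0" * 64
SAMPLE_LINES = [
    "<134>Jan 10 2024 12:00:01 ftd-1 %FTD-1-430005: SrcIP: 10.1.1.5, DstIP: 203.0.113.7, "
    "SrcPort: 51234, DstPort: 443, Protocol: tcp, FileDirection: Download, "
    "FileAction: Malware Block, FileSHA256: " + PLACEHOLDER_SHA + ", "
    "SHA_Disposition: Malware, FileName: invoice.pdf, FileType: PDF, "
    "FilePolicy: Block-Malware, User: No Authentication Required",
    "<134>Jan 10 2024 12:00:02 ftd-1 %FTD-1-430004: SrcIP: 10.1.1.9, DstIP: 198.51.100.4, "
    "FileDirection: Upload, FileAction: Block, FileName: payroll.xlsx, FileType: MSOLE2, "
    "FilePolicy: Block-Office-Uploads",
    "<134>Jan 10 2024 12:00:03 ftd-1 %FTD-1-430005: SrcIP: 10.1.1.5, DstIP: 203.0.113.8, "
    "FileAction: Malware Cloud Lookup, FileSHA256: " + PLACEHOLDER_SHA + ", "
    "SHA_Disposition: Clean, FileName: brochure.pdf, FileType: PDF, FilePolicy: Block-Malware",
    "<134>Jan 10 2024 12:00:04 ftd-1 %FTD-6-430003: SrcIP: 10.1.1.5, DstIP: 203.0.113.7, "
    "Protocol: tcp, ConnectionDuration: 12",
]


def parse_event(line):
    """Return the key/value fields of a file or malware event, else None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg_id, body = m.groups()
    if msg_id not in FILE_EVENT_IDS:
        return None  # connection, intrusion and other events are ignored
    event = {k: v.strip() for k, v in KV_RE.findall(body)}
    event["MessageID"] = msg_id
    return event


def should_alert(event):
    """Alert on anything the file policy blocked, whether by type or as malware."""
    return "block" in event.get("FileAction", "").lower()


def build_alert(event, sender, recipient):
    """Build the email for one blocked-file event (nothing is sent here)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "[FMC] {} - {} ({})".format(
        event["FileAction"], event.get("FileName", "?"),
        event.get("SHA_Disposition", "n/a"))
    wanted = ("MessageID", "FilePolicy", "FileAction", "SHA_Disposition",
              "FileName", "FileType", "FileSHA256", "SrcIP", "DstIP", "User")
    body = "\n".join("{}: {}".format(k, event[k]) for k in wanted if k in event)
    msg.set_content(body)
    return msg


def scan(lines, sender, recipient):
    """Turn a batch of syslog lines into the list of alert emails to send."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event and should_alert(event):
            alerts.append(build_alert(event, sender, recipient))
    return alerts


def send(msg, smtp_host="localhost", smtp_port=25):
    """Deliver one alert via the local relay (call this from the syslog hook)."""
    with smtplib.SMTP(smtp_host, smtp_port) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES, "fmc@example.com", "soc@example.com"):
        print(alert["Subject"])
```

Run against the constructed samples, `scan` produces two alerts (the malware block and the file-type block) and ignores both the clean cloud lookup and the connection event, which is exactly the "tell me whenever the policy blocked something, for whatever reason" behaviour asked for in the thread. The alert text carries the policy name, disposition and hash so the analyst can pivot straight into the FMC file events view.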

That makes sense, appreciate the feedback.

ryan14
Level 1

Thanks for leading me in the right direction. I have created a correlation rule and configured an alert via Policies -> Actions -> Alerts, then Advanced Malware Protection alerts, and it worked. Thank you.
