Configuring External Alerting
While the FireSIGHT System provides various views of events within the web interface, you may want to configure external event notification to facilitate constant monitoring of critical systems. You can configure the FireSIGHT System to generate alerts that notify you via email, SNMP trap, or syslog when one of the following is generated:
- an intrusion event with a specific impact flag
- a specific type of discovery event
- a network-based malware event or retrospective malware event
- a correlation event, triggered by a specific correlation policy violation
- a connection event, triggered by a specific access control rule
- a specific status change for a module in a health policy
To have the system send these alerts, you must first create an alert response, which is a set of configurations that allows the FireSIGHT System to interact with the external system where you plan to send the alert. Those configurations may specify, for example, an email relay host, SNMP alerting parameters, or syslog facilities and priorities.
After you create the alert response, you associate it with the event that you want to use to trigger the alert. Note that the process for associating alert responses with events is different depending on the type of event:
- You associate alert responses with impact flags, discovery events, and malware events using their own configuration pages.
- You associate correlation events with alert responses (and remediation responses; see Creating Remediations) in your correlation policies.
- You associate SNMP and syslog alert responses with logged connections using access control rules and policies. Email alerting is not supported for logged connections.
- You associate alert responses with health module status changes using the health monitor.
There is another type of alerting you can perform in the FireSIGHT System, which is to configure email, SNMP, and syslog intrusion event notifications for individual intrusion events, regardless of impact flag. You configure these notifications in intrusion policies; see Configuring External Alerting for Intrusion Rules and Adding SNMP Alerts. The following table explains the licenses you must have to generate alerts.
Table 43-1 License Requirements for Generating Alerts

| To generate an alert based on... | License required |
|---|---|
| an intrusion event with a specific impact flag | FireSIGHT + Protection |
| a specific type of discovery event | FireSIGHT |
| a network-based malware event | Malware |
| a correlation policy violation | the license required to trigger the policy violation |
| a connection event | the license required to log the connection |
| health module status changes | Any |
Working with Alert Responses
License: Any
The first step in configuring external alerting is to create an alert response, which is a set of configurations that allows the FireSIGHT System to interact with the external system where you plan to send the alert. You can create alert responses to send alerts via email, a simple network management protocol (SNMP) trap, or a system log (syslog).
The information you receive in an alert depends on the type of event that triggered the alert. For example, an impact flag alert contains timestamp, intrusion rule, impact flag, and event description information. As another example, discovery event alerts also contain timestamp and description information, as well as discovery event type information.
If you are using an alert response in a correlation policy, the information in the alert depends on the type of event that triggered the correlation policy violation.
Note If you configure an alert as a response to a correlation rule that contains a connection tracker, the alert information you receive is the same as that for alerts on traffic profile changes, even if the correlation rule itself is based on a different kind of event.
When you create an alert response, it is automatically enabled. Only enabled alert responses can generate alerts. To stop alerts from being generated, you can temporarily disable alert responses rather than deleting your configurations.
You manage alert responses on the Alerts page (Policies > Actions > Alerts). The slider next to each alert response indicates whether it is active; only enabled alert responses can generate alerts. The page also indicates whether the alert response is being used in a configuration, for example, to log connections in an access control rule. You can sort alert responses by name, type, in-use status, and enabled/disabled status by clicking the appropriate column header; click the column header again to reverse the sort.
Creating an Email Alert Response
License: Any
Note that you cannot perform email alerting on logged connections in an access control policy.
Before you create an email alert response, you should make sure that the Defense Center can reverse-resolve its own IP address. You should also configure your mail relay host as described in Configuring a Mail Relay Host and Notification Address.
To create an email alert response:
Access: Admin
Step 1 Select Policies > Actions > Alerts.
The Alerts page appears.
Step 2 From the Create Alert drop-down menu, select Create Email Alert.
The Create Email Alert Configuration pop-up window appears.
Step 3 In the Name field, type the name you want to use to identify the alert response.
Step 4 In the To field, type the email addresses where you want to send alerts.
Separate email addresses with commas.
Step 5 In the From field, type the email address that you want to appear as the sender of the alert.
Step 6 Next to Relay Host, verify the listed mail server is the one that you want to use to send the alert.
To change the server, or if you have not yet configured a relay host, click the edit icon to display the System Policy page in a pop-up window, then follow the directions in Configuring a Mail Relay Host and Notification Address. You must apply the system policy after you edit it for your changes to take effect.
Step 7 Click Save.
The alert response is saved and is automatically enabled.
Creating an SNMP Alert Response
License: Any
You can create SNMP alert responses using SNMPv1, SNMPv2, or SNMPv3.
Note When selecting SNMP versions for the SNMP protocol, note that SNMPv2 only supports read-only communities and SNMPv3 only supports read-only users. SNMPv3 also supports encryption with AES128.
Note If you want to monitor 64-bit values with SNMP, you must use SNMPv2 or SNMPv3. SNMPv1 does not support 64-bit monitoring.
If your network management system requires the Defense Center’s management information base (MIB) file, you can obtain it at /etc/sf/DCEALERT.MIB.
To create an SNMP alert response:
Access: Admin
Step 1 Select Policies > Actions > Alerts.
The Alerts page appears.
Step 2 From the Create Alert drop-down menu, select Create SNMP Alert.
The Create SNMP Alert Configuration pop-up window appears.
Step 3 In the Name field, type the name that you want to use to identify the SNMP response.
Step 4 In the Trap Server field, type the hostname or IP address of the SNMP trap server, using alphanumeric characters.
Note that the system does not warn you if you enter an invalid IPv4 address (such as 192.169.1.456) in this field. Instead, the invalid address is treated as a hostname.
Step 5 From the Version drop-down list, select the SNMP version you want to use.
SNMP v3 is the default. If you select SNMP v1 or SNMP v2, different options appear.
Step 6 Which version of SNMP did you select?
- For SNMP v1 or SNMP v2, type the SNMP community name, using alphanumeric characters or the special characters * or $, in the Community String field and skip to step 12.
Note SNMPv2 only supports read-only communities.
- For SNMP v3, type the name of the user that you want to authenticate with the SNMP server in the User Name field and continue with the next step.
Note SNMPv3 only supports read-only users. SNMPv3 also supports encryption with AES128.
Step 7 From the Authentication Protocol drop-down list, select the protocol you want to use for authentication.
Step 8 In the Authentication Password field, type the password required for authentication with the SNMP server.
Step 9 From the Privacy Protocol list, select None to use no privacy protocol or DES to use Data Encryption Standard as the privacy protocol.
Step 10 In the Privacy Password field, type the privacy password required by the SNMP server.
Step 11 In the Engine ID field, type an identifier for the SNMP engine, in hexadecimal notation, using an even number of digits.
When you use SNMPv3, the system uses an Engine ID value to encode the message. Your SNMP server requires this value to decode the message.
Cisco recommends that you use the hexadecimal version of the Defense Center’s IP address. For example, if the Defense Center has an IP address of 10.1.1.77, use 0a01014D0.
Step 12 Click Save.
The alert response is saved and is automatically enabled.
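The following Python pre-flight check is an added example, not FireSIGHT code; it mirrors the field rules stated in the procedure above so that a configuration can be reviewed before it is typed into the form. It flags the case the Trap Server note warns about (a malformed dotted quad that the appliance would silently treat as a hostname), validates the community string character set, derives the Engine ID as the hexadecimal form of the Defense Center's IPv4 address (two hex digits per octet, so the even-digit requirement is met automatically), and notes when an SNMPv3 response has no privacy protocol. The sample configurations, addresses and names are constructed.

```python
import ipaddress
import re
from typing import List

# Added example, not FireSIGHT code: pre-flight checks for the values entered
# into the SNMP alert response form, following the rules the procedure states.
_DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
_COMMUNITY_RE = re.compile(r"^[A-Za-z0-9*$]+$")   # alphanumerics, * or $
_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def classify_target(value: str) -> str:
    """Classify a Trap Server value as 'ipv4', 'hostname' or 'suspect-hostname'.

    'suspect-hostname' is the case the documentation warns about: the value is
    shaped like a dotted quad but is not a valid IPv4 address (an octet above
    255, for example). The appliance accepts it without warning as a hostname,
    so the trap goes to whatever that name resolves to, if anything.
    """
    try:
        ipaddress.IPv4Address(value)
        return "ipv4"
    except ipaddress.AddressValueError:
        pass
    return "suspect-hostname" if _DOTTED_QUAD.match(value) else "hostname"


def engine_id_from_ipv4(addr: str) -> str:
    """Hexadecimal form of the Defense Center's IPv4 address: two hex digits
    per octet, so the result always has an even number of digits."""
    return ipaddress.IPv4Address(addr).packed.hex()


def valid_engine_id(engine_id: str) -> bool:
    """The Engine ID field requires hexadecimal notation with an even number of digits."""
    return bool(_HEX_RE.match(engine_id)) and len(engine_id) % 2 == 0


def valid_community(community: str) -> bool:
    """SNMPv1/v2 community string: alphanumerics or the special characters * and $."""
    return bool(_COMMUNITY_RE.match(community))


def preflight(cfg: dict) -> List[str]:
    """Return human-readable findings for a candidate SNMP alert response."""
    findings = []
    if classify_target(cfg["trap_server"]) == "suspect-hostname":
        findings.append(f"trap server {cfg['trap_server']!r} is not a valid IPv4 "
                        "address and would be treated as a hostname")
    if cfg["version"] in ("v1", "v2"):
        if not valid_community(cfg.get("community", "")):
            findings.append("community string may only contain alphanumerics, * or $")
    elif cfg["version"] == "v3":
        if cfg.get("privacy_protocol", "None") == "None":
            findings.append("SNMPv3 without a privacy protocol leaves trap contents unencrypted")
        if not valid_engine_id(cfg.get("engine_id", "")):
            findings.append("engine ID must be hexadecimal with an even number of digits")
    else:
        findings.append(f"unknown SNMP version {cfg['version']!r}")
    return findings


# Constructed sample configurations (hypothetical addresses and names).
SAMPLE_V3 = {
    "trap_server": "10.1.1.200", "version": "v3", "user": "fsalerts",
    "privacy_protocol": "DES", "engine_id": engine_id_from_ipv4("10.1.1.77"),
}
SAMPLE_V2_BAD = {"trap_server": "192.169.1.456", "version": "v2", "community": "monitor ro"}

if __name__ == "__main__":
    for name, cfg in (("v3", SAMPLE_V3), ("v2-bad", SAMPLE_V2_BAD)):
        print(name, preflight(cfg) or ["ok"])
```

Running the block prints no findings for the SNMPv3 sample and two for the v2 sample: the out-of-range octet and the space in the community string, both of which the form itself would not reject.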
Creating a Syslog Alert Response
License: Any
When configuring a syslog alert response, you can specify the severity and facility associated with the syslog messages to ensure that they are processed properly by the syslog server. The facility indicates the subsystem that creates the message and the severity defines the severity of the message. Facilities and severities are not displayed in the actual message that appears in the syslog, but are instead used to tell the system that receives the syslog message how to categorize it.
Tip For more detailed information about how syslog works and how to configure it, refer to the documentation for your system. On UNIX systems, the man pages for syslog and syslog.conf provide conceptual information and configuration instructions.
Although you can select any type of facility when creating a syslog alert response, you should select one that makes sense based on your syslog server; not all syslog servers support all facilities. For UNIX syslog servers, the syslog.conf file should indicate which facilities are saved to which log files on the server.
The following table lists the syslog facilities you can select.
Table 43-2 Available Syslog Facilities

| Facility | Description |
|---|---|
| ALERT | An alert message. |
| AUDIT | A message generated by the audit subsystem. |
| AUTH | A message associated with security and authorization. |
| AUTHPRIV | A restricted access message associated with security and authorization. On many systems, these messages are forwarded to a secure file. |
| CLOCK | A message generated by the clock daemon. Note that syslog servers running a Windows operating system will use the CLOCK facility. |
| CRON | A message generated by the clock daemon. Note that syslog servers running a Linux operating system will use the CRON facility. |
| DAEMON | A message generated by a system daemon. |
| FTP | A message generated by the FTP daemon. |
| KERN | A message generated by the kernel. On many systems, these messages are printed to the console when they appear. |
| LOCAL0-LOCAL7 | A message generated by an internal process. |
| LPR | A message generated by the printing subsystem. |
| MAIL | A message generated by a mail system. |
| NEWS | A message generated by the network news subsystem. |
| NTP | A message generated by the NTP daemon. |
| SYSLOG | A message generated by the syslog daemon. |
| USER | A message generated by a user-level process. |
| UUCP | A message generated by the UUCP subsystem. |
The following table lists the standard syslog severity levels you can select.
Table 43-3 Syslog Severity Levels

| Severity | Description |
|---|---|
| ALERT | A condition that should be corrected immediately. |
| CRIT | A critical condition. |
| DEBUG | Messages that contain debugging information. |
| EMERG | A panic condition broadcast to all users. |
| ERR | An error condition. |
| INFO | Informational messages. |
| NOTICE | Conditions that are not error conditions, but require attention. |
| WARNING | Warning messages. |
Before you start sending syslog alerts, make sure that the syslog server can accept remote messages.
To create a syslog alert:
Access: Admin
Step 1 Select Policies > Actions > Alerts.
The Alerts page appears. From the Create Alert drop-down menu, select Create Syslog Alert.
The Create Syslog Alert Configuration pop-up window appears.
Step 2 In the Name field, type the name you want to use to identify the saved response.
Step 3 In the Host field, type the hostname or IP address of your syslog server.
Note that the system does not warn you if you enter an invalid IPv4 address (such as 192.168.1.456) in this field. Instead, the invalid address is treated as a hostname.
Step 4 In the Port field, type the port the server uses for syslog messages.
By default, this value is 514.
Step 5 From the Facility list, select a facility.
See the Available Syslog Facilities table for a list of the available facilities.
Step 6 From the Severity list, select a severity.
See the Syslog Severity Levels table for a list of the available severities.
Step 7 In the Tag field, type the tag name that you want to appear with the syslog message.
Use only alphanumeric characters in tag names. You cannot use spaces or underscores.
As an example, if you wanted all messages sent to the syslog to be preceded with FromDC, type FromDC in the field.
Step 8 Click Save.
The alert response is saved and is automatically enabled.
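The following Python example is added here and is not FireSIGHT code; it shows what the facility and severity chosen in Steps 5 and 6 actually become on the wire, which the text above only states in prose. Both are folded into the numeric `<PRI>` prefix of each message (facility code times 8 plus severity code, per RFC 3164, using the standard code for each facility name in Table 43-2), so they never appear as words in the message body; the receiving server decodes that prefix to route the line, while the Tag from Step 7 is the only visible marker. The block builds a message the way a sender would, enforces the alphanumeric-only tag rule, decodes constructed received lines back to facility and severity names, and tallies them per category. Host names, timestamps and message texts are constructed samples.

```python
import re
from datetime import datetime

# Added example, not FireSIGHT code. Numeric facility codes are the RFC 3164
# values; the names are those offered in the syslog alert response form.
FACILITIES = {
    "KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4, "SYSLOG": 5,
    "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9, "AUTHPRIV": 10, "FTP": 11,
    "NTP": 12, "AUDIT": 13, "ALERT": 14, "CLOCK": 15,
    **{f"LOCAL{i}": 16 + i for i in range(8)},
}
SEVERITIES = {
    "EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
    "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7,
}
_FACILITY_BY_CODE = {v: k for k, v in FACILITIES.items()}
_SEVERITY_BY_CODE = {v: k for k, v in SEVERITIES.items()}
_MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
_TAG_RE = re.compile(r"^[A-Za-z0-9]+$")
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def valid_tag(tag: str) -> bool:
    """The Tag field accepts alphanumerics only: no spaces, no underscores."""
    return bool(_TAG_RE.match(tag))


def priority(facility: str, severity: str) -> int:
    """PRI value: facility code times 8 plus severity code (RFC 3164)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, host, tag, text, when):
    """Render one RFC 3164-style line as a sender puts it on the wire.
    Facility and severity travel only in the <PRI> prefix, never as words."""
    if not valid_tag(tag):
        raise ValueError(f"invalid tag {tag!r}: use alphanumeric characters only")
    ts = f"{_MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    return f"<{priority(facility, severity)}>{ts} {host} {tag}: {text}"


def parse_message(line):
    """Recover facility and severity names from the PRI of a received line.
    Returns None when the PRI is missing or outside the valid range 0..191."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return {
        "facility": _FACILITY_BY_CODE[pri // 8],
        "severity": _SEVERITY_BY_CODE[pri % 8],
        "body": m.group(2),
    }


def count_by_category(lines):
    """Tally received lines per (facility, severity), as a receiver would route them."""
    counts = {}
    for line in lines:
        parsed = parse_message(line)
        key = ((parsed["facility"], parsed["severity"]) if parsed
               else ("UNPARSED", "UNPARSED"))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: a LOCAL4/ALERT response tagged FromDC, as in Step 7,
# plus two further constructed lines as they might arrive at the server.
SAMPLE_SENT = build_message(
    "LOCAL4", "ALERT", "defensecenter", "FromDC",
    "impact flag alert (constructed sample text)",
    datetime(2014, 5, 3, 14, 7, 9),
)
SAMPLE_RECEIVED = [
    SAMPLE_SENT,
    "<85>May  3 14:07:10 defensecenter FromDC: discovery event (constructed)",
    "no priority prefix at all (constructed)",
]

if __name__ == "__main__":
    print(SAMPLE_SENT)
    for key, n in count_by_category(SAMPLE_RECEIVED).items():
        print(key, n)
```

The first printed line starts with `<161>`, which is LOCAL4 (16 + 4 = 20, times 8) plus ALERT (1); a receiver that cannot parse the prefix, as with the third sample line, has nothing to route on, which is why the facility choice must match what the syslog server's configuration expects.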
Modifying an Alert Response
License: Any
For most types of alerting, if an alert response is enabled and in use, changes to the alert response take effect immediately. However, for alert responses used in access control rules to log connection events, changes do not take effect until you reapply the access control policy.
To edit an alert response:
Access: Admin
Step 1 Select Policies > Actions > Alerts.
The Alerts page appears.
Step 2 Next to the alert response you want to edit, click the edit icon.
A configuration pop-up window for that alert response appears.
Step 3 Make changes as needed.
Step 4 Click Save.
The alert response is saved.
Deleting an Alert Response
License: Any
You can delete any alert response that is not in use.
To delete an alert response:
Access: Admin
Step 1 Select Policies > Actions > Alerts.
The Alerts page appears.
Step 2 Next to the alert response you want to delete, click the delete icon.
Step 3 Confirm that you want to delete the alert response.
The alert response is deleted.
Enabling and Disabling Alert Responses
License: Any
Only enabled alert responses can generate alerts. To stop alerts from being generated, you can temporarily disable alert responses rather than deleting your configurations. Note that if an alert is in use when you disable it, it is still considered in use even though it is disabled.
To enable or disable an alert response:
Access: Admin
Step 1 Select Policies > Actions > Alerts.
The Alerts page appears.
Step 2 Next to the alert response you want to enable or disable, click the enable/disable slider.
If the alert response was enabled, it is disabled. If it was disabled, it is enabled.
Configuring Impact Flag Alerting
License: Protection
You can configure the system to alert you whenever an intrusion event with a specific impact flag occurs. Impact flags help you evaluate the impact an intrusion has on your network by correlating intrusion data, network discovery data, and vulnerability information. For more information, see Using Impact Levels to Evaluate Events.
To configure impact flag alerting:
Access: Admin
Step 1 Select Policies > Actions > Alerts, then select the Impact Flag Alerts tab.
The Impact Flag Alerts page appears.
Step 2 In the Alerts section, select the alert response you want to use for each alert type.
To create a new alert response, select New from any drop-down list. For more information, see Working with Alert Responses.
Step 3 In the Impact Configuration section, select the check boxes that correspond to the alerts you want to receive for each impact flag.
Step 4 Click Save.
Your impact flag alerting settings are saved.
Configuring Discovery Event Alerting
License: FireSIGHT
You can configure the system to alert you whenever a specific type of discovery event occurs. For information about the different event types, see Understanding Discovery Event Types and Understanding Host Input Event Types.
Note that to generate an alert based on a discovery event type, you must configure your network discovery policy to log that event type; see Configuring Discovery Event Logging. By default, logging is enabled for all event types.
To configure discovery event alerting:
Access: Admin
Step 1 Select Policies > Actions > Alerts, then select the Discovery Event Alerts tab.
The Discovery Event Alerts page appears.
Step 2 In the Alerts section, select the alert response you want to use for each alert type.
To create a new alert response, select New from any drop-down list. For more information, see Working with Alert Responses.
Step 3 In the Events Configuration section, select the check boxes that correspond to the alerts you want to receive for each discovery event type.
Step 4 Click Save.
Your discovery event alerting settings are saved.
Configuring Advanced Malware Protection Alerting
License: Malware
Supported Devices: Series 3 or virtual
Supported Defense Centers: Any except DC500
You can configure the system to alert you whenever any network-based malware event, including a retrospective event, is generated. You cannot, however, alert on endpoint-based (FireAMP) malware events. For information on malware events, see Working with Malware Events.
To generate alerts based on malware events, you must create a file policy that performs malware cloud lookups, then associate that policy with an access control rule. For more information, see Controlling Traffic Using Intrusion and File Policies.
To configure malware event alerting:
Access: Admin
Step 1 Select Policies > Actions > Alerts, then select the Advanced Malware Protection Alerts tab.
The Advanced Malware Protection Alerts page appears.
Step 2 In the Alerts section, select the alert response you want to use for each alert type.
To create a new alert response, select New from any drop-down list. For more information, see Working with Alert Responses.
Step 3 In the Event Configuration section, select the check boxes that correspond to the alerts you want to receive for each malware event type.
Keep in mind that All network-based malware events includes Retrospective Events.
Step 4 Click Save.
Your malware event alerting settings are saved.