Tuesday, November 25, 2008

Email Alerts based on the Incident Severity

I got asked the other day whether it was possible to receive an email only when an Incident was of RED severity.

Now if you think about it, it's an option to get an email when an Incident is created, but you cannot be selective about whether that Incident was RED, AMBER or GREEN.

Now there is a noddy way to achieve this, if you want to go to the trouble, and it is based on duplicating rules...

Consider this RULE below...

It fires based on events received in the Info/UncommonTraffic/Chat and Info/UncommonTraffic/Chat/Proxy groups, but for ANY severity. There is no "Action" defined for this Rule.

If we duplicate the Rule in question and edit the Severity to be RED only, we can then apply an Action of email to the duplicate.

If you leave the default rule set to ANY, a RED event will match both rules, so you will probably get 2 Incidents fired but only 1 email.

So it may be worth changing the default rule, or duplicating it again, to match only GREEN or YELLOW severity events, so that each event matches exactly one rule. (You may want to create a second offset, with an OR operation, to cover both severities in one rule.)

You would need to proceed with caution with this method, as the example chosen has only 1 condition to be met. If you select a more complex rule, you may get into hot water and render the rule useless!
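To make the incident and email counts from the duplication trick concrete, here is a small model of MARS-style rules written for this post. It is an added example, not Cisco MARS code or anything from the product: the rule names, the GREEN/YELLOW/RED severity scale, the single OR'd condition over event groups and the "one incident per matching rule" behaviour are all assumptions made to mirror the description above, and the two events are constructed inputs.

```python
# Added example (not Cisco MARS code): a toy model of MARS-style inspection
# rules that match on event group and severity, used to show what duplicating
# a rule and restricting the copy to RED does to incident and e-mail counts.
# Assumed: severities GREEN/YELLOW/RED, one OR'd condition over event groups,
# at most one action per rule, and one incident per rule per matching event.
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITIES = ("GREEN", "YELLOW", "RED")   # assumed severity scale, "ANY" = all three
CHAT_GROUPS = ("Info/UncommonTraffic/Chat", "Info/UncommonTraffic/Chat/Proxy")


@dataclass(frozen=True)
class Event:
    group: str       # event group the received event belongs to
    severity: str    # one of SEVERITIES


@dataclass(frozen=True)
class Rule:
    name: str
    groups: Tuple[str, ...]        # any of these groups satisfies the single condition
    severities: Tuple[str, ...]    # SEVERITIES means "ANY"
    action: Optional[str] = None   # e.g. "email"; None means no action defined

    def matches(self, ev: Event) -> bool:
        return ev.group in self.groups and ev.severity in self.severities


def evaluate(rules: List[Rule], ev: Event) -> Tuple[int, int]:
    """Return (incidents, emails) raised for one event: one incident per
    matching rule, plus one e-mail per matching rule whose action is email."""
    matched = [r for r in rules if r.matches(ev)]
    return len(matched), sum(1 for r in matched if r.action == "email")


def duplicated_rules() -> List[Rule]:
    """The first approach in the post: keep the original ANY-severity rule
    (no action) and add a duplicate restricted to RED with an e-mail action."""
    original = Rule("Chat traffic", CHAT_GROUPS, SEVERITIES)
    red_only = Rule("Chat traffic (RED)", CHAT_GROUPS, ("RED",), action="email")
    return [original, red_only]


def split_rules() -> List[Rule]:
    """The refinement in the post: change the original to GREEN/YELLOW only so
    that every event matches exactly one rule and RED events get one e-mail."""
    low = Rule("Chat traffic (GREEN/YELLOW)", CHAT_GROUPS, ("GREEN", "YELLOW"))
    red_only = Rule("Chat traffic (RED)", CHAT_GROUPS, ("RED",), action="email")
    return [low, red_only]


# Constructed sample events (not real MARS data).
RED_CHAT = Event("Info/UncommonTraffic/Chat", "RED")
GREEN_PROXY = Event("Info/UncommonTraffic/Chat/Proxy", "GREEN")


if __name__ == "__main__":
    for label, rules in (("duplicated", duplicated_rules()), ("split", split_rules())):
        for ev in (RED_CHAT, GREEN_PROXY):
            inc, mail = evaluate(rules, ev)
            print(f"{label:10s} {ev.severity:6s} {ev.group}: {inc} incident(s), {mail} email(s)")
```

With the plain duplicate, a RED chat event raises two incidents and one email, and a GREEN event raises one incident and no email; once the original is narrowed to GREEN/YELLOW, every event raises exactly one incident and only RED ones send email. The model has a single condition per rule on purpose: it says nothing about what happens to a multi-condition rule when its copies are edited, which is exactly the case the post warns about.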

Take care....

9 comments:

Anonymous said...

I still don't understand why there isn't a global setting where you can define different alerts based on the incident severity. Does anyone know if this is on their roadmap? I have brought it up to cisco before with no real response.

Anonymous said...

My problem with e-mails on incidents is the content of them. I find it amusing that Cisco makes this powerful event collaboration box, yet getting useful instant alerts is so much work, and again the e-mails don't give you much information.

Anonymous said...

I have never understood why there isn't a global setting for this. Does anyone know if this is in their roadmap? I have brought it to their attention and haven't got much of a response.

Anonymous said...

I talked with the lead product manager with MARS from Cisco about this very problem. He said it had never been a request they had received, but understood how useful it would be and are adding it to their roadmap. That was in October so probably won't make it into production until July, going by previous enhancement requests.

Unknown said...

Going through the same process... Though I defined a second Rule matching only RED events (i.e. for DoS/FTPServer) it also reacts on green events sending email alerts!
Considering the original post is from 2008 chances seem to be slim for Cisco making any changes to the system... Does anybody have some more information?

(running v6.0.6 on a Mars 110R)

Chris Durkin said...

Did you disable the alert for your original rule?

Unknown said...

Thanks for your reply! The original rule doesn't fire any action. This is due to too many (green) incidents on that particular rule. My intention was to send only RED incidents to my firewall admins so they can try to track down any errors and such... I.e. there are red and green 'FTP Address Bounce Attack' events. Although the Alert-Rule should only fire on the red ones (severity = RED), it also fires on green.
Maybe the alert-Rule is too 'big', as I intended it to cover all FW-related events like DoS/All, Penetrate/all etc.?

Unknown said...

Think I found out what's wrong...
The alert-action fires when the event is RED, i.e. FTP Address Bounce Attack. But if that event is categorized as a false positive, because the FW dropped the connection, the Incident is green...

So what I actually would like to have is an aggregation rule that fires on red incidents. It would be great if it was possible to aggregate several rules in one superordinate rule.

Anonymous said...

I tried setting up a global rule to match any Red severity and send an email alert, and it looks like I achieved creating a catch-all rule that superseded all of the other rules. So now all of the incidents I see are red ones that match the action rule. I would think alerting on a red alert (or email on yellow and page for red etc.) would be absolutely critical for an effective security management device. So if I read this correctly, the only way to effectively achieve what I'm looking for is to duplicate ALL rules, modify the severity for the yellows or greens with no alert, then on the duplicates add a red sev one that adds the alert action. Seems kind of a goofy way to do this. Has anyone heard of a fix for this?