Comments on The Unofficial MARS Blog: Email Alerts based on the Incident Severity
Blog author: Chris Durkin

Anonymous, 2010-06-28 17:01 UTC:
I tried setting up a global rule to match any Red severity and send an email alert, and it looks like I achieved creating a catch-all rule that superseded all of the other rules. So now all of the incidents I see are red that match the action rule. I would think alerting on a red alert (or email on yellow and page for red etc.) would be absolutely critical for an effective security management

Unknown, 2010-02-17 07:58 UTC:
Think I found out what's wrong...
The alert-action fires when the event is RED, i.e. FTP Address Bounce Attack. But if that event is categorized as a false positive, because the FW dropped the connection, the Incident is green...

So what I actually would like to have is an aggregation rule that fires on red incidents. It would be great if it was possible to aggregate several

Unknown, 2010-02-16 15:37 UTC:
Thanks for your reply! The original rule doesn't fire any action. This is due to too many (green) incidents on that particular rule. My intention was to send only RED incidents to my firewall admins so they can try to track down any errors and such... I.e. there are red and green 'FTP Address Bounce Attack' events. Although the Alert-Rule should only fire on the red ones (severity =

Chris Durkin, 2010-02-16 14:26 UTC:
Did you disable the alert for your original rule?

Unknown, 2010-02-16 14:23 UTC:
Going through the same process... Though I defined a second Rule matching only RED events (i.e. for DoS/FTPServer), it also reacts on green events, sending email alerts!
Considering the original post is from 2008, chances seem to be slim for Cisco making any changes to the system...
Does anybody have some more information?

(running v6.0.6 on a Mars 110R)

Anonymous, 2008-12-04 06:31 UTC:
I talked with the lead product manager with MARS from Cisco about this very problem. He said it had never been a request they had received, but understood how useful it would be, and they are adding it to their roadmap. That was in October, so it probably won't make it into production until July, going by previous enhancement requests.

Anonymous, 2008-11-25 23:35 UTC:
I have never understood why there isn't a global setting for this. Does anyone know if this is in their roadmap? I have brought it to their attention and haven't got much of a response.

Anonymous, 2008-11-25 20:47 UTC:
My problem with e-mails on incidents is the content of them. I find it amusing that Cisco makes this powerful event collaboration box, yet getting useful instant alerts is so much work, and again the e-mails don't give you much information.

Anonymous, 2008-11-25 20:13 UTC:
I still don't understand why there isn't a global setting where you can define different alerts based on the incident severity. Does anyone know if this is on their roadmap? I have brought it up to Cisco before with no real response.