About External Alerting for Intrusion Events
External intrusion event notification can help with critical-system monitoring:
- SNMP—Configured per intrusion policy and sent from managed devices. You can enable SNMP alerting per intrusion rule.
- Syslog—Configured per intrusion policy and sent from managed devices. When you enable syslog alerting in an intrusion policy, you turn it on for every rule in the policy.
- Email—Configured across all intrusion policies and sent from the Firepower Management Center. You can enable email alerts per intrusion rule, as well as limit their length and frequency.
Keep in mind that if you configured intrusion event suppression or thresholding, the system may not generate intrusion events (and thus may not send alerts) every time a rule triggers.
In a multidomain deployment, you can configure external alerting in any domain. In ancestor domains, the system generates notifications for intrusion events in descendant domains.
Note: The Firepower Management Center also uses SNMP, syslog, and email alert responses to send different types of external alerts; see Firepower Management Center Alert Responses. The system does not use alert responses to send alerts based on individual intrusion events.