Configuring Notifications with Cisco AMP

Uncategorized 3 Minutes

So I am often asked this question, so I figured I would blog it & then be able to just send a link to the blog to the next person(s) who ask this question. The magic question I’m referring to is: “how do I configure an email notification for events in AMP“.

I guess I can see why this question is so common, as the method for which one would accomplish this task is a little different than other products, but once you use it I think you’ll find it to be very easy.

Instead of forcing an admin to configure alerts on a per-event basis, like many products out there will do, AMP makes things a little bit easier on you. AMP has you create a filter of the events you want to alert on, and then you “subscribe” to that filter. This way you can have multiple events in a single filter, if you choose to. You can also configure your filter to only apply to certain device groups, and therefore make the email alerts even more relevant to you.

In addition, the filters and subscriptions may be applied per administrative user. Meaning if Bob & Sally are both AMP admins, they can each have their own set of filters that they subscribe to.

Configuring the notification

Starting off in your AMP dashboard (https://console.amp.cisco.com) you might want to click on the compromised event in the bottom of the dashboard or on the events tab (as pointed out in Figure 1).

Figure 1 - Dashboard
Figure 1 – AMP console dashboard

The next step in your evolution to create these notifications is to create a filter in the events window. This is where some things change from the normal paradigm you may be used to.

Here you create filters of the events, and it is the filters that you are actually subscribing to, not the individual events. In many ways, this is much easier than the traditional methods where an interested party subscribes to each and every event individually. In this model, you are able to subscribing to a grouping of events that match your specific filter/query.

As you see in Figure 2, the UI can be a bit confusing for those who are new to it. You start by creating the filter, and in the lower right-hand side of the filter – it provides the ability to click the “Not Subscribed” button & subscribe to the filter.

Figure 2 - Create Filter in Events
Figure 2 – Creating an event filter

When you subscribe to the filter, you are provided with the choices shown in Figure 3. You can be immediately notified with an email that contains all the events that occurred within the filter; or notified immediately with a single email for each event in the filter. Instead of immediate notification, you can have a periodic email sent out hourly, daily, weekly or monthly.

Figure 3 - Configuring Notiifcation for Filter
Figure 3 – Subscription options

You must save the filter, which will prompt you to provide a name for the saved filter, as seen in Figure 4.

Figure 4 - Name the new Filter
Figure 4 – Saving and naming the filter

The notifications are created on a per-user basis, and they will be sent to the notification email address configured within the AMP administrative users’ account, as seen in Figure 5. If an entire team or distribution list should receive the notifications, simply change the Notification Email in the user account to be that of the distribution list. You will also see the list of subscriptions is displayed at the bottom of the user account page.

Figure 5 - Account Settings -Subscriptions and Notification Email
Figure 5 – Notification email setting of an AMP login account

If you read this blog entry, chances are that you asked me or a member of my team how to create notifications for events in the AMP console, and I hope this helped you.

-Aaron

Published by Loxx

Aaron Woland, CCIE No. 20113, is a Principal Engineer in Cisco’s Advanced Threat Security group and works with Cisco’s Largest Customers all over the world. His primary job responsibilities include security design, solution enhancements, standards development, advanced threat solution design, endpoint security and futures. Aaron joined Cisco in 2005 and is currently a member of numerous security advisory boards, and standards body working groups. Prior to joining Cisco, Aaron spent 12 years as a Consultant and Technical Trainer. Aaron is the author of: both editions of the Cisco ISE for BYOD and Secure Unified Access book; the All-in-one Cisco ASA Firepower Services, NGIPS and AMP book; the CCNP Security SISAS 300-208 Official Cert Guide; the CCNA Security 210-260 Complete Video Course; and many published white papers and design guides. Aaron is one of only five inaugural members of the Hall of Fame Elite for Distinguished Speakers at Cisco Live, and is a security columnist for Network World where he blogs on all things related to Security. His other certifications include: GHIC, GCFE, GSEC, Certified Ethical Hacker, MCSE, VCP, CCSP, CCNP, CCDP and many other industry certifications. You can follow Aaron on Twitter: @aaronwoland

Published

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.