...

  1. From the Grid/System tab, select the Ecosystem tab -> Notification tab, and then click the Add icon.
    or
    From the Grid/System tab, select the Ecosystem tab, and click Add Notification Rule in the Toolbar.
  2. In the Add Notification wizard, complete the following.
    • Name: Enter the name of the notification rule.
    • Target: Click Select Endpoint to select the endpoint type. If there are multiple endpoints, the All Endpoints Selector dialog box is displayed, from which you can select an endpoint name, such as Cisco ISE.
    • Target Type: Displays the target type. You cannot change this.
    • Comment: Enter useful information about the notification rule.
    • Disable: Select this option to disable the notification rule.
  3. Click Next and complete the following to configure notification rules for the selected endpoint:
    • Event: Depending on the licenses you have installed in the Grid, you can select the event types you want to apply to the notification rules. The outbound member collects data for the selected events based on your configuration. Note that if there is a significant amount of data or if the network bandwidth is not sufficient, the outbound member might drop some of the events. In this case, you can access the syslog to view the messages related to the dropped events. In addition to basic information (such as timestamp, member IP, network, and others), data collected for some event type might include enriched data, such as discovered data, parent network information, and associated extensible attributes.
      From the drop-down list, select the event types that you want to monitor for the notification rules:
      • DNS RPZ: Select this to collect data for RPZ events. The DNS RPZ event type is available only if you have installed the RPZ license in the Grid. When you select this event type, you can enable event deduplication in the next step so that the appliance can avoid sending excessive events to the endpoint based on your configuration.
      • Object Change DNS Record: Select this to collect data for DNS records. That is, if a DNS record is added, updated, or deleted, the notification rule is triggered and the event notification is sent to the target endpoint. Dynamic records are not supported.
      • Object Change DNS Zone: Select this to collect data for DNS zones. That is, if a zone is created, updated, or deleted, the notification rule is triggered and the event notification is sent to the target endpoint.
      • DNS Tunneling: Select this to collect data for DNS tunneling events.
      • DHCP Leases: Select this to collect data for DHCP leases. Since the same IP addresses might be used by multiple systems, the appliance matches both the IP and the MAC address or the DUID to ensure that the discovered data is most likely to be correct.
      • DXL Events: Select this to collect data from the topic to which you subscribed when configuring the DXL endpoint. For more information, see Configuring DXL Endpoints.
      • IPAM: Select this to send IPAM data. No notification rule is required for this event type. For more information, see Publishing Data.
      • Security ADP: Select this to collect data for threat protection events. You can specify the maximum domain level for query FQDN for outbound threat protection events. For more information, see Enabling Query FQDN for Outbound Notifications below. When you create outbound notifications for security ADP event types, the server collects event statistics every 15 seconds to avoid excessive threat protection events. Note that you can execute test rules in JSON format for Security ADP event types. For more information, see Deduplicating Events below.
      • Object Change DHCP Fixed Address IPv4, Object Change DHCP Fixed Address IPv6, Object Change Network IPv4, Object Change Network IPv6, Object Change Range IPv4, Object Change Range IPv6, Object Change Host Address IPv4, Object Change Host Address IPv6, Object Change Discovery Data: Select any of these event types to collect data for database changes in fixed addresses, DHCP ranges, networks, DNS host addresses, and discovery data. If you select Object Change Discovery Data, when unmanaged IP addresses or devices are created, updated, or deleted, the notification rule is triggered and the event notification is sent to the target endpoint.
      • Schedule: Select this to schedule the notification rule configuration. You can set up schedules on an hourly, daily, weekly, or on a monthly basis. You can also choose to schedule the event to occur only once. You cannot specify other event types when you select Schedule from the drop-down list. Note that you can execute test rules in JSON format when you schedule the notification rule configuration. You cannot choose an action rule when you schedule the notification rule configuration.

        • Priority: This field is displayed only if you select Schedule from the drop-down list. Select a priority value, Normal or High, for scheduled events from the drop-down list. When you select Normal, the event is added to the queue right after the existing events in the list and is executed after all events that are already scheduled. Select High if you want the event type to be executed soon after the execution of the current event in the list of events that are scheduled. For more information, see Scheduling Tasks.
      • Action: This field is displayed only if you have selected Cisco ISE as the endpoint (the Target field). Otherwise, this field is hidden.

        In the Match the following rule section, select the filters, operators, and values from the drop-down lists for the selected event type. You can use the + icon to construct nested expressions for the rule. The filters change depending on what you selected as the event type. Some of the filters are:

      • DNS RPZ: Action Policy, BloxOne Infoblox Threat Defense Cloud Hit Class, BloxOne Infoblox Threat Defense Cloud Hit Property, BloxOne Infoblox Threat Defense Cloud Hit Type, Query Name, RPZ Name, RPZ Type, Rule Name, Source IP, and Threat Origin.
      • DNS Tunneling: Source IP.
      • DHCP Leases: DHCP Fingerprint and Lease State.
      • DXL Events: DXL topic that you entered in the Topics field when configuring the DXL endpoint. For more information, see Configuring DXL Endpoints.
      • Record Name: Name of the DNS record. For example, AA, CNAME, SRV, and so on.
      • DNS Records: Supported records are A, AAAA, AAA, CNAME, SRV, ALIAS, NS, PTR, MX, TXT, TLSA, CAA, SOA, DNAME, NAPTR, and UNKNOWN.
      • Zone Type: Supported zones are Authoritative, Forward, Stub, Delegation, and RPZ.
      • User Name: Name entered in the WAPI Integration Username field. For more information, see Configuring Outbound Endpoints.
      • IPAM: In the Notify the target section, there are predefined data types in the Available table you can publish. Click Override and use the arrows to move data types from the Available table to the Selected table and vice versa. The appliance sends information for all data types that are added to the Selected table. If you do not override, the publication settings are inherited from those configured while adding the Cisco ISE server. Note that you can configure only one IPAM rule per Cisco ISE server. For more information, see Publishing Data.
      • Security ADP: Rule Message, Hits Count, Member IP, Member Name, Query FQDN, Rule Action, Rule Category, Rule Severity, SID, and Source IP. When you select Member Name, the appliance displays all the ADP members that are available.
      • Object Change Fixed Address IPv4: Disable, IPv4 Address, MAC, Name, Network, Network View, Username, and User Group.
      • Object Change Fixed Address IPv6: Address Type, Disable, DUID, IPv6 Address, IPv6 Prefix, IPv6 Prefix Bits, Name, Network, Network View, Username, and User Group.
      • Object Change Network IPv4: Disable, Network, and Network View.
      • Object Change Network IPv6: Disable, Network, Network View, Username, and User Group.
      • Object Change Range IPv4: Disable, Network, Network View, Server Association Type, Username, and User Group.
      • Object Change Range IPv6: Address Type, Disable, Network, Network View, Server Association Type, Username, and User Group.
      • Object Change Host Address IPv4: Host, IPv4 Address, MAC, Network, Network View Association Type, Username, and User Group.
      • Object Change Host Address IPv6: Address Type, DUID, Host, IPv6 Address, IPv6 Prefix, IPv6 Prefix Bits, Network View, Username, and User Group.
      • Object Change Discovery Data: Discoverer, IP Address, Is IPv4, Operation Type, Unmanaged, Username, and User Group.
      • Object Change DNS Record: Auto Created Records, DNS View, Network View, Operation Type, Record Name, Record Type, User Group, Username, and Zone Name.
      • Object Change DNS Zone: DNS View, Network View, Operation Type, User Group, Username, Zone Name, and Zone Type.
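
The filter section above describes building a match expression from filters, operators, and values, and nesting sub-expressions with the + icon. The following Python script is an added example, not Infoblox code, that evaluates such a nested rule offline against a handful of constructed events. The event field names (taken from the filter names on this page), the operator names (`equals`, `contains`, `matches regex`, `in network`), and the `all`/`any` expression structure are assumptions made for illustration; the appliance's own rule representation is not documented here. The example goes slightly beyond the page by treating a filter that is absent from an event as a non-match and by refusing to match when an IP-network operator is given a non-IP value, which is the safe default for a rule that drives actions on a security endpoint.

```python
"""Hypothetical evaluator for nested 'Match the following rule' expressions.

Added example; not Infoblox code. Event field names mirror the filter names
listed on the page, while the rule structure and operator names are assumptions.
"""
import ipaddress
import re

# Constructed sample events, one or two per event type named on the page.
SAMPLE_EVENTS = [
    {"type": "DNS RPZ", "Action Policy": "NXDOMAIN", "Query Name": "bad.example.test",
     "RPZ Name": "rpz.threat.local", "Source IP": "10.1.2.3", "Rule Name": "bad.example.test"},
    {"type": "DNS RPZ", "Action Policy": "PASSTHRU", "Query Name": "ok.example.test",
     "RPZ Name": "rpz.allow.local", "Source IP": "192.168.5.7", "Rule Name": "ok.example.test"},
    {"type": "DHCP Leases", "DHCP Fingerprint": "Apple iPhone", "Lease State": "ACTIVE"},
    {"type": "Object Change DNS Record", "Record Type": "A", "Operation Type": "INSERT",
     "Zone Name": "corp.example.test", "Username": "admin", "DNS View": "default"},
]

# Operators are assumptions; each takes (actual value from the event, expected value from the rule).
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "not equals": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: expected in str(actual),
    "matches regex": lambda actual, expected: re.search(expected, str(actual)) is not None,
    "in network": lambda actual, expected: ipaddress.ip_address(actual)
    in ipaddress.ip_network(expected, strict=False),
}


def evaluate(expr, event):
    """Recursively evaluate one rule expression against one event.

    A leaf is {"filter": name, "op": operator, "value": v}.
    A group is {"all": [...]} (AND) or {"any": [...]} (OR); groups nest
    arbitrarily, mirroring the nested expressions built with the + icon.
    A filter that the event does not carry never matches, and a value the
    operator cannot interpret (e.g. a hostname given to "in network") is
    treated as a non-match rather than an error.
    """
    if "all" in expr:
        return all(evaluate(sub, event) for sub in expr["all"])
    if "any" in expr:
        return any(evaluate(sub, event) for sub in expr["any"])
    if expr["filter"] not in event:
        return False
    try:
        return OPERATORS[expr["op"]](event[expr["filter"]], expr["value"])
    except ValueError:
        return False


def select_events(rule, events):
    """Return the events of the rule's event type whose fields satisfy the rule."""
    return [ev for ev in events
            if ev["type"] == rule["event_type"] and evaluate(rule["match"], ev)]


# Constructed rule: RPZ hits from the 10.0.0.0/8 client range that were either
# answered with NXDOMAIN or matched an RPZ whose name contains "threat" (AND over an OR).
RPZ_BLOCK_RULE = {
    "name": "rpz-blocks-to-endpoint",
    "event_type": "DNS RPZ",
    "match": {"all": [
        {"filter": "Source IP", "op": "in network", "value": "10.0.0.0/8"},
        {"any": [
            {"filter": "Action Policy", "op": "equals", "value": "NXDOMAIN"},
            {"filter": "RPZ Name", "op": "contains", "value": "threat"},
        ]},
    ]},
}

# Constructed rule: newly inserted A records in zones under example.test.
DNS_RECORD_RULE = {
    "name": "new-a-records",
    "event_type": "Object Change DNS Record",
    "match": {"all": [
        {"filter": "Record Type", "op": "equals", "value": "A"},
        {"filter": "Operation Type", "op": "equals", "value": "INSERT"},
        {"filter": "Zone Name", "op": "matches regex", "value": r"\.example\.test$"},
    ]},
}

if __name__ == "__main__":
    for rule in (RPZ_BLOCK_RULE, DNS_RECORD_RULE):
        hits = select_events(rule, SAMPLE_EVENTS)
        print(rule["name"], "->", [h.get("Query Name") or h.get("Zone Name") for h in hits])
```

Running the script matches only the first RPZ event for the first rule (the second event's source is outside 10.0.0.0/8) and only the DNS record event for the second rule. The order of evaluation mirrors the UI: the event type is checked first, then the nested filter expression, so a rule never fires on an event type it was not written for.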

...