Cisco Support Community

event summarization

I've noticed summary alerts without a preceding non-summarized alert, which I thought was impossible.

Are signatures using a summary mode of "summarize" always supposed to generate 2 alerts, the initial alert that starts the counter and then a summarized alert?

The only explanation I can think of is the event filters. Is it possible that an event filter [especially one with "stop on match" disabled] would prevent the initial alert but not the summarized alert?

1 REPLY

Re: event summarization

That looks strange to me too. Summary alarms get triggered at the end of the throttle interval. If summarization is configured for a signature, then the first alarm is sent when it occurs, all other alarms are blocked, and only a summary alarm is sent at the end of the throttle interval.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swappa.htm#wp787013

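As an added example (not code from the original thread, and not Cisco's implementation), the Python below models the behaviour the reply describes: the first alarm is sent at once, later hits inside the throttle interval are suppressed and counted, and one summary alarm carrying the count is sent at the end of the interval. The signature ID, the 30 s interval and the hit timestamps are constructed, and the rule that no summary is sent when nothing was suppressed is an assumption. `orphan_summaries` checks alert output for the pattern the question reports, a summary with no initial alert inside its throttle window.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Alert:
    sig_id: int
    kind: str     # "alert" = first hit of a throttle window; "summary" = roll-up at window end
    time: float   # seconds; when the alert is emitted
    count: int    # hits represented: 1 for "alert", all hits in the window for "summary"


def summarize(sig_id: int, hit_times: List[float], throttle_interval: float,
              end_time: Optional[float] = None) -> List[Alert]:
    """Model of one signature in summary mode "summarize" (assumed from the
    reply's description, not Cisco's code).

    * The first hit after an idle period is sent immediately and opens a
      window of throttle_interval seconds.
    * Further hits inside the window are suppressed and only counted.
    * When the window ends, one summary alert carrying the count is sent.
      Assumption: no summary is sent if nothing was suppressed (count == 1).
    * end_time (optional) is when observation stops; a window that has
      already expired by then is flushed, one still running is left open.
    """
    out: List[Alert] = []
    window_start: Optional[float] = None
    count = 0

    def close_window() -> None:
        nonlocal window_start, count
        if window_start is not None and count > 1:
            out.append(Alert(sig_id, "summary", window_start + throttle_interval, count))
        window_start, count = None, 0

    for t in sorted(hit_times):
        if window_start is not None and t >= window_start + throttle_interval:
            close_window()                              # window expired before this hit
        if window_start is None:
            out.append(Alert(sig_id, "alert", t, 1))    # first hit: sent immediately
            window_start, count = t, 1
        else:
            count += 1                                  # suppressed, only counted

    if end_time is not None and window_start is not None \
            and end_time >= window_start + throttle_interval:
        close_window()
    return out


def orphan_summaries(alerts: List[Alert], throttle_interval: float) -> List[Alert]:
    """Summaries with no initial "alert" for the same signature inside their
    throttle window: the pattern the question reports. The summarizer modelled
    above never produces one on its own."""
    firsts = {(a.sig_id, a.time) for a in alerts if a.kind == "alert"}
    return [s for s in alerts if s.kind == "summary" and not any(
        sid == s.sig_id and s.time - throttle_interval <= t < s.time
        for sid, t in firsts)]


# Constructed sample: one signature (ID illustrative only), 30 s throttle
# interval, seven hits in two bursts.
SIG_ID = 2004
THROTTLE_INTERVAL = 30.0
HIT_TIMES = [0.0, 0.5, 1.2, 3.0, 40.0, 41.0, 61.0]


def demo() -> List[Alert]:
    return summarize(SIG_ID, HIT_TIMES, THROTTLE_INTERVAL, end_time=100.0)


if __name__ == "__main__":
    for a in demo():
        print(f"{a.time:6.1f}s  {a.kind:7s} sig {a.sig_id} count={a.count}")
    print("orphan summaries:", orphan_summaries(demo(), THROTTLE_INTERVAL))
```

Running the sample yields alert at 0 s, summary at 30 s (4 hits), alert at 40 s, summary at 70 s (3 hits); a single isolated hit yields only its initial alert. Because the modelled summarizer cannot emit a summary without first emitting the opening alert, `orphan_summaries` returning anything on real sensor output points at whatever processes alerts after summarization, which is the direction the question is already looking.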