- Whenever an Agent Kit is installed, I get an email.
How I tried accomplishing this:
I built an Agent Kit that puts the Host into a default Group all by itself. This is just a temporary group - I then move the Host into its proper group. I created a module<->policy and added one network access control rule. This rule will trigger an event every time any file in the CSAagent\bin directory connects back to the IP address of my CSA server. Then, I created an EventSet that references this module, and an Alert that uses the EventSet.
I changed the rule so it would trigger on All Applications, thinking maybe the CSA Agent used a file located elsewhere. Still didn't work as expected, but I was able to trigger it by using Internet Explorer and telnet to that IP.
Only thing I can think of is that the CSA Agent may have built-in exemptions so no matter what the rule, it will never trigger an event based on its own activity. Is this correct?
Does anyone else have any ideas how I can work out a rule so new agent installs will send me an email? My next test was to create a rule that triggers on the NT Event Log ID for a bootup.
Hmm... I'd have to play around with that one but right off the top of my head I thought of this:
The agent kit you created has a specific name, like AGENT KIT.exe or something.
Create an App Class and identify the AGENT KIT.exe.
Then create a rule that specifically allows that file to run on a client and have it logged.
Then in your alert identify Application Control, ALLOW action and identify the group, etc.
Then make sure the agent kit you are sending to these clients is the most updated with all of the above built in, otherwise the agent kit will fire off and not ever be logged because the rule is not yet on the client.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: