Run this command on the CLI:
$> acat -e "event AUDIT_R_ALERT and alert_actions email"
You'll see audit events that similar to this:
Feb 17 11:36:55 2016 CST f_auditbotd a_server t_alert p_major
pid: 3110 ruid: 0 euid: 0 pgid: 3110 logid: 0 cmd: 'auditbotd'
domain: Abot edomain: Abot hostname: sw1.fwdomain.com event: alert triggered
alert_name: Type Enforcement alert_type: Attack num_events: 1
start_time: Wed Feb 17 11:36:55 2016 end_time: Wed Feb 17 11:36:55 2016
sacap_filter: (event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM)
"Alerts" on the firewall are triggered by audit events; the 'sacap_filter' (Sidewinder audit capture filter) you see there is the audit filter that the auditbot daemon (auditbotd) watches the audit stream for and then triggers an alert_action if an audit event happens which matches that filter.
These alerts are configured in two places in the GUI under Monitor and then "Attack Responses" at v8 (called "IPS Attack Responses" at version 7) and "System Responses" (both versions). You are matching something from one of those two places. In my test I matched an Attack Response named "Type Enforcement" (you can see after the "alert_name" there is a field called "alert_type" and mine says "Attack;" the other type is "System.")
I've disabled the Attack Response "Type Enforcement" However here is my issue. If the event being generated is in fact from Type Enforcement.. now i won't see whenever somebody tries to make a change to the firewall via CLI and doesn't have permissions. As that type of event is also a Type Enforcement. So is there any way to disable specific "Type Enforcement events" and leave the attack type as enabled?
I used the 'Type Enforement' Attack Response only as an example. You need to run the commands I gave you to determine which Response is triggering the email on your system.
Running the above command does not show me any events at the time these emails are being generated. The email is generated every hour. So i don't believe this is an Attack Response / System Response. I believe it to be something else.
if i run mail -f username
I am able to see the details of the message but the smtp wasn't setup yet so all the emails were saying host unknown. The emails go back to 2013. So I'm attempting to clean out the mailbox and see what the new one looks like...
I figured it out. Under Maintenance - Updates there is the A/V signatures. That would be the email that is generated every hour. I'll disable email notification on that.
Oh, yes! I forgot about the other places you can input an email address, namely for any third-party updates on the firewall (like A/V updates).
At version 7 you can configure an email address for A/V updates under Policy -> Application Defenses -> Virus Scanning (the 'Enable Email Notification' box). At version 8 this is set under Maintenance -> Updates -> click 'A/V updates' at the top (it is selected by default). Remove the email address you have specified there.