Cisco Firepower Management Center 2000
39-18
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Note that to use a host profile qualification, the host must exist in the network map and the host profile
property you want to use as a qualification must already be included in the host profile. For example, if
you configure a correlation rule to trigger when an intrusion event is generated for a host running
Windows, the rule only triggers if the host is already identified as Windows when the intrusion event is
generated.
To add a host profile qualification:
Access: Admin/Discovery Admin
Step 1 Select Policies > Correlation, then select the Rule Management tab.
The Rule Management page appears.
Step 2 Click Create Rule.
The Create Rule page appears.
Step 3 On the Create Rule page, click Add Host Profile Qualification.
The Host Profile Qualification section appears.
Tip: To remove a host profile qualification, click Remove Host Profile Qualification.
Step 4 Build the host profile qualification’s conditions.
You can create a single, simple condition, or you can create more elaborate constructs by combining and
nesting conditions. See
for information on how to
use the web interface to build conditions.
The syntax you can use to build conditions is described in
Step 5 Optionally, continue with the procedures in the following sections:
•
•
•
If you are finished building the correlation rule, continue with step
of the procedure in
to save the rule.
Syntax for Host Profile Qualifications
License: FireSIGHT
When you build a host profile qualification condition, you must first select the host you want to use to
constrain your correlation rule. The host you can choose depends on the type of event you are using to
trigger the rule, as follows:
• If you are using a connection event, select Responder Host or Initiator Host.
• If you are using an intrusion event, select Destination Host or Source Host.
• If you are using a discovery event, host input event, or user activity, select Host.
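The following added example (a simplified model written for this page, not FireSIGHT code) replays one intrusion event three times as the network map fills in. It shows the point of the note at the start of this section: a host profile qualification matches only when the host and the property are already in the host profile at the time the event is generated. It also enforces the host choices listed above. The property key "os", the function names, and the addresses are assumptions made for the illustration.

```python
# Added illustration: a simplified model, not FireSIGHT code.
# Host choices the page lists for each triggering event type.
HOST_ROLES = {
    "connection": ("Initiator Host", "Responder Host"),
    "intrusion": ("Source Host", "Destination Host"),
    "discovery": ("Host",),
    "host input": ("Host",),
    "user activity": ("Host",),
}

def qualifies(event, role, prop, value, netmap):
    """Evaluate one qualification against the network map as it is right now.

    Returns (matched, reason). `prop` is a hypothetical profile key name.
    """
    if role not in HOST_ROLES[event["type"]]:
        raise ValueError(f"{role!r} cannot be selected for {event['type']} events")
    profile = netmap.get(event["hosts"][role])
    if profile is None:
        return False, "host not in network map"
    if prop not in profile:
        return False, "property not in host profile yet"
    if profile[prop] != value:
        return False, "property does not match"
    return True, "qualified"

def replay(timeline, role, prop, value):
    """Apply discovery updates and events in order, so each event is judged
    against the host profile as it existed when that event was generated."""
    netmap, results = {}, []
    for item in timeline:
        if item["kind"] == "learn":
            netmap.setdefault(item["ip"], {}).update(item["props"])
        else:
            results.append(qualifies(item, role, prop, value, netmap))
    return results

# Constructed sample data (documentation-range addresses, not real hosts).
INTRUSION_EVENT = {"kind": "event", "type": "intrusion",
                   "hosts": {"Source Host": "198.51.100.7", "Destination Host": "192.0.2.10"}}
TIMELINE = [
    INTRUSION_EVENT,                                      # host not discovered yet
    {"kind": "learn", "ip": "192.0.2.10", "props": {}},   # host seen, OS unknown
    INTRUSION_EVENT,
    {"kind": "learn", "ip": "192.0.2.10", "props": {"os": "Windows"}},
    INTRUSION_EVENT,                                      # host now identified
]

if __name__ == "__main__":
    for matched, reason in replay(TIMELINE, "Destination Host", "os", "Windows"):
        print(matched, reason)
```

Only the third event qualifies; the first two are silently excluded, so a rule that relies on a host profile qualification can miss early events against hosts that discovery has not yet profiled.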
After you select the host type, you continue building your host profile qualification condition, as
described in the following table.