Cisco Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
1590
Configuring Correlation Policies and Rules
Managing Correlation Policies
Chapter 36
Managing Correlation Policies
L
ICENSE
: Any
You manage correlation policies on the Policy Management page. You can create,
modify, sort, activate, deactivate, and delete policies.
The slider next to the policy indicates whether the group is active. If you want the
policy to generate correlation events and white list events, you must activate it.
You can sort policies by state (active versus inactive) or alphabetically by name
using the Sort by drop-down list.
If an active correlation policy contains a compliance white list, the following
If an active correlation policy contains a compliance white list, the following
actions do not delete the host attribute associated with the white list, nor do they
change that host attribute’s values:
•
deactivating the policy
•
modifying the policy to remove the white list
•
deleting the policy
That is, hosts that were compliant when you performed the action still appear as
compliant on the host attributes network map, and so on. To delete the host
attribute, you must delete its corresponding white list.
To update the white list compliance of the hosts on your network, you must
To update the white list compliance of the hosts on your network, you must
either reactivate the correlation policy (if you deactivated it) or add the white list to
another active correlation policy (if you deleted the white list from a correlation
policy or deleted the policy itself). Note that the reevaluation of the white list that
occurs when you do this does not generate white list events and therefore does
not trigger any responses you associated with the white list. For more information
on compliance white lists, see
For more information on managing correlation policies, see:
•
•
•
For information on creating new policies, see