FireSIGHT System User Guide
 
Chapter 39      Configuring Correlation Policies and Rules 
  Creating Rules for Correlation Policies
Note that you can often use event data when constructing a host profile qualification. For example, 
assume your correlation rule triggers when the system detects the use of Internet Explorer on one of your 
monitored hosts. Further assume that when you detect this use, you want to generate an event if the 
version of the browser is not the latest (for this example, assume the latest version is 9.0).
You could add a host profile qualification to this correlation rule so that the rule triggers only if the Client is the Event Client (that is, Internet Explorer), but the Client Version is not 9.0.
Constraining Correlation Rules Using Connection Data Over Time
License: FireSIGHT
A connection tracker constrains a correlation rule so that after the rule's initial criteria are met (including host profile and user qualifications), the system begins tracking certain connections. The Defense Center generates a correlation event for the rule if the tracked connections meet additional criteria gathered over a time period that you specify.
If you are using a connection, intrusion, discovery, user activity, or host input event to trigger your 
correlation rule, you can add a connection tracker to the rule. You cannot add a connection tracker to a 
rule that triggers on a malware event or traffic profile change.
Table 39-11   Syntax for Host Profile Qualifications (continued)

If you specify...                 Select an operator, then...

Client Category                   Select a category.

Web Application                   Select a web application.

Web Application Category          Select a category.

MAC Address > MAC Address         Type all or part of the MAC address of the host.
                                  For example, if you know that devices from a certain hardware vendor have
                                  MAC addresses that begin with 0A:12:34, you could choose "begins with" as
                                  the operator, then type 0A:12:34 as the value.

MAC Address > MAC Type            Select whether the MAC type is ARP/DHCP Detected.
                                  That is, select whether the system positively identified the MAC address
                                  as belonging to the host (is ARP/DHCP Detected), whether the system is
                                  seeing many hosts with that MAC address because, for example, there is a
                                  router between the managed device and the host (is not ARP/DHCP Detected),
                                  or whether the MAC type is irrelevant (is any).

MAC Vendor > MAC Vendor           Type all or part of the name of the MAC hardware vendor of the host.

any available host attribute,     Specify the appropriate value, which depends on the type of host
including the default             attribute you select:
compliance white list host          • If the host attribute type is Integer, enter an integer value in the
attribute                             range defined for the attribute.
                                    • If the host attribute type is Text, enter a text value.
                                    • If the host attribute type is List, select a valid list string.
                                    • If the host attribute type is URL, enter a URL value.
                                  For more information on host attributes, see 
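The Internet Explorer qualification described earlier on this page and the MAC Address rows of Table 39-11 both come down to the same mechanism: an operator (is, is not, begins with, is any) applied to a host profile field, with the special value Event Client resolved from the event that triggered the rule. The following Python snippet is an added illustration written for this page; it is not Cisco code and does not use any FireSIGHT API. The field names, the host records, the event dictionary and the `qualifies`/`hosts_matching` helpers are all assumptions made for the example.

```python
"""Toy evaluator for correlation-rule host profile qualifications.

Constructed example (not Cisco code): a minimal model of the host profile
fields named on this page (Client, Client Version, MAC Address, MAC Type,
MAC Vendor) and the operators it lists (is, is not, begins with, is any).
A qualification is a list of (field, operator, value) conditions; a rule
that has already triggered on an event may generate a correlation event
only if the host's profile satisfies every condition.
"""

# Special value meaning "the client named in the triggering event".
EVENT_REF = "Event Client"

OPERATORS = {
    "is": lambda actual, expected: actual == expected,
    "is not": lambda actual, expected: actual != expected,
    "begins with": lambda actual, expected: actual is not None and actual.startswith(expected),
    "is any": lambda actual, expected: True,
}

# Fields that belong to each client detected on a host rather than to the host itself.
CLIENT_FIELDS = {"Client", "Client Version"}


def _check(field, operator, value, record, event):
    """Apply one condition to a flat record (a host, or one of its clients)."""
    actual = record.get(field)
    expected = event["client"] if value == EVENT_REF else value
    return OPERATORS[operator](actual, expected)


def qualifies(host, event, conditions):
    """True if the host profile satisfies every condition.

    Host-level conditions are checked against the host record. Client-level
    conditions must all hold for at least one client detected on the host,
    which is what lets "Client is Event Client" select the right version.
    """
    host_conds = [c for c in conditions if c[0] not in CLIENT_FIELDS]
    client_conds = [c for c in conditions if c[0] in CLIENT_FIELDS]
    if not all(_check(f, op, v, host, event) for f, op, v in host_conds):
        return False
    if not client_conds:
        return True
    return any(
        all(_check(f, op, v, client, event) for f, op, v in client_conds)
        for client in host.get("clients", [])
    )


# Constructed host profiles (assumed inventory, not real data).
HOSTS = {
    "10.0.0.5": {
        "MAC Address": "0A:12:34:56:78:9A",
        "MAC Type": "ARP/DHCP Detected",
        "MAC Vendor": "ExampleCorp",
        "clients": [{"Client": "Internet Explorer", "Client Version": "8.0"},
                    {"Client": "Firefox", "Client Version": "41.0"}],
    },
    "10.0.0.6": {
        "MAC Address": "0A:12:34:AB:CD:EF",
        "MAC Type": "ARP/DHCP Detected",
        "MAC Vendor": "ExampleCorp",
        "clients": [{"Client": "Internet Explorer", "Client Version": "9.0"}],
    },
    "10.0.0.7": {
        # Behind a router: the MAC seen is not positively identified as this host's.
        "MAC Address": "00:11:22:33:44:55",
        "MAC Type": None,
        "MAC Vendor": "RouterVendor",
        "clients": [{"Client": "Internet Explorer", "Client Version": "8.0"}],
    },
}

# The page's example: the rule fires on Internet Explorer use; generate an event
# only if the host's matching client is not at the latest version (9.0).
OUTDATED_IE = [
    ("Client", "is", EVENT_REF),
    ("Client Version", "is not", "9.0"),
]

# The page's MAC example: hardware whose MAC begins with 0A:12:34 and was
# positively identified by ARP/DHCP; the vendor does not matter.
KNOWN_HARDWARE = [
    ("MAC Address", "begins with", "0A:12:34"),
    ("MAC Type", "is", "ARP/DHCP Detected"),
    ("MAC Vendor", "is any", None),
]


def hosts_matching(conditions, event):
    """Return the sorted IPs whose profile satisfies the qualification for this event."""
    return sorted(ip for ip, h in HOSTS.items() if qualifies(h, event, conditions))


if __name__ == "__main__":
    ie_event = {"client": "Internet Explorer"}  # constructed triggering event
    print(hosts_matching(OUTDATED_IE, ie_event))     # ['10.0.0.5', '10.0.0.7']
    print(hosts_matching(KNOWN_HARDWARE, ie_event))  # ['10.0.0.5', '10.0.0.6']
```

Note that host 10.0.0.6 is excluded from the outdated-IE set because its matching client is already at 9.0, and 10.0.0.7 is excluded from the known-hardware set because its MAC type was not positively identified, mirroring the "is not ARP/DHCP Detected" case the table describes.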