FireSIGHT System User Guide
Chapter 39  Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Step 4
At 20 seconds, the system has detected additional data matching the signature being transmitted from both Host 1 and Host 2:
  • 1MB from Host 2 to Host A, at the 10-second marker (4MB total)
  • 2MB from Host 1 to Host C, at the 15-second marker (6MB total)
  • 1MB from Host 2 to Host B, at the 20-second marker (7MB total)
Although Host 1 and Host 2 have now transmitted a combined 7MB of BitTorrent data, the rule does not trigger because the total number of bytes transmitted must be more than 7MB (Responder Bytes are greater than 7340032).
At this point, if the system were to detect no additional BitTorrent transfers for the remaining 280 seconds in the tracker’s timeout period, the tracker would expire and the Defense Center would not generate a correlation event.
Step 5
However, at 30 seconds, the system detects another BitTorrent transfer:
  • 2MB from Host 1 to Host D at the 30-second marker (9MB total)
The rule conditions are met.
Step 6
The Defense Center generates a correlation event.
The Defense Center also stops tracking connections for this connection tracker instance, even though the 5-minute period has not expired. If the system detects a new connection using the BitTorrent TCP application protocol at this point, it will create a new connection tracker.
Note that the Defense Center generates the correlation event after Host 1 transmits the entire 2MB to Host D, because it does not tally connection data until the session terminates.
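The following Python simulation is an added illustration of the tracker behaviour walked through in Steps 4 to 6; it is not code from the Cisco guide. It assumes the tracker started at the 0-second marker with 3MB already tallied (a constructed value chosen so the running totals match the walkthrough), that every byte counted is a responder byte, and that a tracker is discarded as soon as it fires or expires.

```python
from dataclasses import dataclass

MB = 1024 * 1024
THRESHOLD_BYTES = 7 * MB          # 7340032: "Responder Bytes are greater than"
TRACKER_TIMEOUT_S = 300           # the 5-minute tracking period from the example


@dataclass
class Connection:
    src: str
    dst: str
    end_time: float               # seconds; bytes are tallied only when the session ends
    responder_bytes: int


@dataclass
class ConnectionTracker:
    started_at: float
    total_bytes: int = 0


def run_tracker(connections, timeout_s=TRACKER_TIMEOUT_S, threshold=THRESHOLD_BYTES):
    """Replay completed connections and return the times at which a correlation
    event is generated. The first matching connection starts a tracker; a tracker
    that reaches timeout_s without exceeding the threshold expires silently, and
    one that fires is dropped at once, so the next matching connection starts a
    fresh tracker."""
    events = []
    tracker = None
    for conn in sorted(connections, key=lambda c: c.end_time):
        if tracker is not None and conn.end_time > tracker.started_at + timeout_s:
            tracker = None                              # expired: no event
        if tracker is None:
            tracker = ConnectionTracker(started_at=conn.end_time)
        tracker.total_bytes += conn.responder_bytes     # tallied at session end
        if tracker.total_bytes > threshold:             # strictly "greater than"
            events.append(conn.end_time)
            tracker = None                              # stop tracking this instance
    return events


# Constructed sample: 3MB assumed before the 10-second marker, then the
# transfers listed in Steps 4 and 5.
SAMPLE_CONNECTIONS = [
    Connection("Host 1", "Host A", 0.0, 3 * MB),
    Connection("Host 2", "Host A", 10.0, 1 * MB),   # 4MB total
    Connection("Host 1", "Host C", 15.0, 2 * MB),   # 6MB total
    Connection("Host 2", "Host B", 20.0, 1 * MB),   # 7MB total: not > 7340032
    Connection("Host 1", "Host D", 30.0, 2 * MB),   # 9MB total: event fires
]

if __name__ == "__main__":
    print(run_tracker(SAMPLE_CONNECTIONS))          # [30.0]
```

Dropping the last connection reproduces the "tracker expires without an event" case, and a connection ending after the 300-second mark starts a new tracker instead of adding to the old one.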
Adding a User Qualification
License: FireSIGHT
If you are using a connection, intrusion, discovery, or host input event to trigger your correlation rule, you can constrain the rule based on the identity of a user involved in the event. This constraint is called user qualification. You cannot add a user qualification to a correlation rule that triggers on a traffic profile change or on the detection of user activity.
For example, you could constrain a correlation rule so that it triggers only when the identity of the source or destination user is one from the sales department.
To add a user identity qualification:
Access: Admin/Discovery Admin
Step 1
On the Create Rule page, click Add User Qualification.
The User Identity Qualification section appears.
Tip
To remove a user qualification, click Remove User Qualification.
Step 2
Build the user qualification’s conditions.