Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 39      Configuring Correlation Policies and Rules
  Creating Rules for Correlation Policies
To build the host profile qualification in the example above:
Access: Admin/Discovery Admin
Step 1
Build a correlation rule that triggers on a discovery event.
For more information, see .
Step 2
On the Create Rule page, click Add Host Profile Qualification.
The Host Profile Qualification section appears.
Step 3
Under Host Profile Qualification, in the first condition, specify the host whose host profile you want to use to constrain your correlation rule.
Because this host profile qualification is part of a correlation rule based on a discovery event, the only available category is Host.
Step 4
Begin specifying the details of the operating system of the host by choosing the Operating System category.
Three subcategories appear: OS Vendor, OS Name, and OS Version.
Step 5
To specify that the host can be running any version of Microsoft Windows, use the same operator for all three subcategories: is.
Step 6
Finally, specify the values for the subcategories.
Select Microsoft as the value for OS Vendor, Windows as the value for OS Name, and leave any as the value for OS Version.
Note that the categories you can choose from depend on whether you are building correlation rule 
triggers, a host profile qualification, a connection tracker, or a user qualification. Within correlation rule 
triggers, the categories further depend on what kind of event is the basis for your correlation rule. 
In addition, a condition’s available operators depend on the category you choose. Finally, the syntax you 
can use to specify a condition’s value depends on the category and operator. Sometimes you must type 
the value in a text field. Other times, you can pick a value from a drop-down list.
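The qualification built in Steps 1 through 6, modeled as data and evaluated against host profiles, to show which discovery events it lets through. This is an added illustration, not FireSIGHT code or its API. The field names, sample hosts and events are constructed, and it assumes that all three conditions must hold and that a host without a profile does not qualify.

```python
# Added illustration of the host profile qualification from Steps 1-6.
# Not FireSIGHT code: field names, hosts and events are constructed.

ANY = "any"  # value left in place for OS Version in Step 6

# One entry per subcategory: (subcategory, operator, value).
QUALIFICATION = [
    ("os_vendor", "is", "Microsoft"),
    ("os_name", "is", "Windows"),
    ("os_version", "is", ANY),
]

def condition_holds(host, subcategory, operator, value):
    """Evaluate a single condition against one host profile (a dict)."""
    if operator != "is":
        raise ValueError(f"unsupported operator: {operator}")
    if value == ANY:
        return True  # "any" places no constraint on this subcategory
    return host.get(subcategory) == value

def host_qualifies(host, qualification=QUALIFICATION):
    """Assumption: every condition must hold for the host to qualify."""
    return all(condition_holds(host, *cond) for cond in qualification)

def rule_fires(event, profiles, qualification=QUALIFICATION):
    """The rule triggers only when the event's host passes the qualification."""
    host = profiles.get(event["host"])
    if host is None:
        return False  # assumption: no profile means nothing to qualify
    return host_qualifies(host, qualification)

# Constructed host profiles keyed by documentation-range addresses.
PROFILES = {
    "192.0.2.10": {"os_vendor": "Microsoft", "os_name": "Windows", "os_version": "7"},
    "192.0.2.11": {"os_vendor": "Microsoft", "os_name": "Windows", "os_version": "XP"},
    "192.0.2.20": {"os_vendor": "Linux", "os_name": "Linux", "os_version": "3.x"},
    "192.0.2.30": {"os_vendor": "Microsoft", "os_name": None, "os_version": None},
}

# Constructed discovery events, one per host plus one for an unprofiled host.
EVENTS = [{"host": ip, "type": "discovery"} for ip in PROFILES] + [
    {"host": "192.0.2.99", "type": "discovery"}
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["host"], "fires" if rule_fires(ev, PROFILES) else "suppressed")
```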