Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 39-3
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Supported Defense Centers: feature dependent
Before you create a correlation policy, you should create correlation rules or compliance white lists (or
both) to populate it.
Note: This section describes how to create correlation rules. For information on creating compliance white
lists, see .
A correlation rule triggers (and generates a correlation event) when your network traffic meets criteria
that you specify. When you create correlation rules, you can use simple conditions or you can create
more elaborate constructs by combining and nesting conditions and constraints.
You can further add to correlation rules in the following ways:
• Add a host profile qualification to constrain the rule using information from the host profile of a host
involved in the triggering event.
• Add a connection tracker to a correlation rule so that after the rule’s initial criteria are met, the
system begins tracking certain connections. Then, a correlation event is generated only if the tracked
connections meet additional criteria.
• Add a user qualification to a correlation rule to track certain users or groups of users. For example,
you could constrain a correlation rule so that it triggers only when the identity of the source or
destination user is a certain user or, for example, one from the marketing department.
• Add snooze periods and inactive periods. When a correlation rule triggers once, a snooze period
causes that rule not to trigger again for a specified interval, even if the rule is violated again during
the interval. After the snooze period has elapsed, the rule can trigger again (and start a new snooze
period). During inactive periods, the correlation rule does not trigger.
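The snooze and inactive period semantics described above, modelled as an added illustration (this is not Cisco's implementation; the rule state, the constructed event stream and the 300 s snooze and 420-600 s inactive window are assumptions made for the example):

```python
from dataclasses import dataclass, field


@dataclass
class CorrelationRuleState:
    """Illustrative model of a correlation rule's snooze and inactive periods."""
    snooze_seconds: int
    # Inactive periods as half-open (start, end) timestamp pairs; constructed input.
    inactive_periods: list = field(default_factory=list)
    snoozed_until: int = 0  # timestamp at which the current snooze period ends

    def in_inactive_period(self, ts: int) -> bool:
        return any(start <= ts < end for start, end in self.inactive_periods)

    def evaluate(self, ts: int, criteria_met: bool) -> bool:
        """Return True if a correlation event is generated for an event at ts."""
        if not criteria_met:
            return False
        # During an inactive period the rule does not trigger at all.
        if self.in_inactive_period(ts):
            return False
        # A repeated violation inside the snooze period does not trigger again.
        if ts < self.snoozed_until:
            return False
        # The snooze has elapsed (or never started): trigger and start a new one.
        self.snoozed_until = ts + self.snooze_seconds
        return True


def run(events, snooze_seconds, inactive_periods):
    """Evaluate (timestamp, criteria_met) tuples in order; return the timestamps
    at which a correlation event is generated."""
    state = CorrelationRuleState(snooze_seconds, list(inactive_periods))
    return [ts for ts, met in events if state.evaluate(ts, met)]


# Constructed sample: the rule's criteria are met every 60 s for 10 minutes.
SAMPLE_EVENTS = [(t, True) for t in range(0, 600, 60)]

if __name__ == "__main__":
    # With a 300 s snooze and an inactive window from 420 s to 600 s, only the
    # violations at 0 s and 300 s generate correlation events.
    print(run(SAMPLE_EVENTS, 300, [(420, 600)]))
```

Setting snooze_seconds to 0 shows the inactive period on its own: every violation before 420 s triggers, and none inside the window does.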
Caution: Evaluating complex correlation rules that trigger on frequently occurring events can degrade Defense
Center performance. For example, a multi-condition rule that the Defense Center must evaluate against
every connection logged by the system can cause resource overload.
The following table explains the licenses you must have to build effective correlation rules. If you do not
have the appropriate licenses, correlation rules that use an unlicensed aspect of the FireSIGHT System
do not trigger. For more information on specific licenses, see .
Table 39-1 License Requirements for Building Correlation Rules

To...                                                                          You need this license...
trigger a correlation rule on an intrusion event                               Protection
trigger a correlation rule on a discovery event, host input event, or user
activity, or to add a host profile or user qualification to a correlation rule  FireSIGHT
trigger a correlation rule on a connection event or endpoint-based
malware event, or to add a connection tracker to a rule                         Any