Cisco Firepower Management Center 4000
39-6
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Step 1
Select the type of event on which you want to base your rule.
When you build a correlation rule, you must first select the type of event on which you want to base your rule. You have a few options under Select the type of event for this rule:
• Select an intrusion event occurs to trigger your rule when a specific intrusion event occurs.
• Select a Malware event occurs to trigger the rule when a specific malware event occurs.
Note that because neither Series 2 devices nor the DC500 Defense Center support network-based malware protection, these appliances do not support triggering a correlation rule on a malware event based on network-based malware data or retrospective network-based malware data.
• Select a discovery event occurs to trigger the rule when a specific discovery event occurs. When triggering a correlation rule on a discovery event, you must also choose the type of event you want to use. You can choose from a subset of the discovery events described in ; you cannot, for example, trigger a correlation rule on a hops change. You can, however, choose there is any type of event to trigger the rule when any kind of discovery event occurs.
• Select user activity is detected to trigger the rule when a new user is detected or a user logs in to a host.
• Select a host input event occurs to trigger the rule when a specific host input event occurs. When triggering a correlation rule on a host input event, you must also choose the type of event you want to use. You can choose from a subset of the events described in
• Select a connection event occurs to trigger the rule when connection data meets specific criteria. When triggering a correlation rule on a connection event, you must also choose whether you want to use connection events that represent the beginning or the ending of the connection, or either.
Note that because neither Series 2 devices nor the DC500 Defense Center support URL filtering by category or reputation, these appliances do not support triggering a correlation rule on a connection event with URL data, or building a connection tracker using URL data. Series 2 devices and DC500 Defense Centers also do not support Security Intelligence, and thus do not support triggering a correlation rule on an event’s Security Intelligence category.
• Select a traffic profile changes to trigger the correlation rule when network traffic deviates from your normal network traffic pattern as characterized in an existing traffic profile.
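The trigger choices and platform restrictions listed in Step 1 can be checked before a rule is saved. The following validator is an added example, not code from the FireSIGHT product; the rule field names, the "series3" platform label and the problem strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Base event types offered under "Select the type of event for this rule".
BASE_EVENTS = {"intrusion", "malware", "discovery", "user_activity",
               "host_input", "connection", "traffic_profile"}
# Appliances that lack network-based malware protection, URL filtering by
# category/reputation, and Security Intelligence (per the notes above).
LIMITED_PLATFORMS = {"series2", "dc500"}


@dataclass
class CorrelationRule:
    """Trigger selection for one correlation rule (field names are assumed)."""
    base_event: str
    subtype: Optional[str] = None           # discovery/host input kind, or "any"
    connection_phase: Optional[str] = None  # "beginning", "end" or "either"
    uses_url_data: bool = False             # condition or tracker on URL data
    uses_security_intelligence: bool = False
    malware_source: Optional[str] = None    # "network" (incl. retrospective) or "endpoint"


def validate_rule(rule: CorrelationRule, platform: str) -> List[str]:
    """Return the configuration problems for this rule on the given appliance."""
    problems: List[str] = []
    if rule.base_event not in BASE_EVENTS:
        return [f"unknown base event {rule.base_event!r}"]
    # Discovery and host input rules must also name an event type (or "any").
    if rule.base_event in {"discovery", "host_input"} and not rule.subtype:
        problems.append(f"{rule.base_event} rules need an event type (or 'any')")
    # A hops change is one of the discovery events that cannot trigger a rule.
    if rule.base_event == "discovery" and rule.subtype == "hops_change":
        problems.append("a hops change cannot trigger a correlation rule")
    # Connection rules must say which end(s) of the connection to use.
    if rule.base_event == "connection" and rule.connection_phase not in {"beginning", "end", "either"}:
        problems.append("connection rules must choose beginning, end, or either")
    # Restrictions that apply only to Series 2 devices and the DC500.
    if platform in LIMITED_PLATFORMS:
        if rule.base_event == "malware" and rule.malware_source == "network":
            problems.append(f"{platform}: no network-based malware events")
        if rule.base_event == "connection" and rule.uses_url_data:
            problems.append(f"{platform}: no URL category/reputation data")
        if rule.uses_security_intelligence:
            problems.append(f"{platform}: no Security Intelligence category")
    return problems
```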
Step 2
Specify the rule’s conditions.
The syntax you can use within correlation rule trigger criteria conditions varies depending on the base event you chose in step , but the mechanics are the same. For more information, see .
The syntax you can use to build conditions is described in the following sections: