Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 39      Configuring Correlation Policies and Rules 
  Creating Rules for Correlation Policies
Step 1
Select the type of event on which you want to base your rule.
When you build a correlation rule, you must first select the type of event on which you want to base your rule. You have a few options under Select the type of event for this rule:
  • Select an intrusion event occurs to trigger your rule when a specific intrusion event occurs.
  • Select a Malware event occurs to trigger the rule when a specific malware event occurs. Note that because neither Series 2 devices nor the DC500 Defense Center support network-based malware protection, these appliances do not support triggering a correlation rule on a malware event based on network-based malware data or retrospective network-based malware data.
  • Select a discovery event occurs to trigger the rule when a specific discovery event occurs. When triggering a correlation rule on a discovery event, you must also choose the type of event you want to use. You can choose from a subset of the discovery events described in ; you cannot, for example, trigger a correlation rule on a hops change. You can, however, choose there is any type of event to trigger the rule when any kind of discovery event occurs.
  • Select user activity is detected to trigger the rule when a new user is detected or a user logs in to a host.
  • Select a host input event occurs to trigger the rule when a specific host input event occurs. When triggering a correlation rule on a host input event, you must also choose the type of event you want to use. You can choose from a subset of the events described in .
  • Select a connection event occurs to trigger the rule when connection data meets specific criteria. When triggering a correlation rule on a connection event, you must also choose whether you want to use connection events that represent the beginning or the ending of the connection, or either. Note that because neither Series 2 devices nor the DC500 Defense Center support URL filtering by category or reputation, these appliances do not support triggering a correlation rule on a connection event with URL data, or building a connection tracker using URL data. Series 2 devices and DC500 Defense Centers also do not support Security Intelligence, and thus do not support triggering a correlation rule on an event's Security Intelligence category.
  • Select a traffic profile changes to trigger the correlation rule when network traffic deviates from your normal network traffic pattern as characterized in an existing traffic profile.
Step 2
Specify the rule's conditions.
The syntax you can use within correlation rule trigger criteria conditions varies depending on the base event you chose in step 1, but the mechanics are the same. For more information, see .
The syntax you can use to build conditions is described in the following sections:
  •
  •
  •
  •
  •
  •
  •
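To make the two steps above concrete, the following is an added toy model of how a correlation rule is triggered: a rule is bound to one base event type (step 1), optionally to a subtype or to begin/end connection events, and then to conditions on the event's fields (step 2). This is illustration code written for this page, not FireSIGHT code; the event field names, the field == value condition syntax, the subtype names and the platform labels ("series2", "dc500", "series3") are all assumptions. The validate() function encodes the platform caveats stated above: a hops change cannot be a trigger, and Series 2 / DC500 cannot evaluate URL data, Security Intelligence category, or network-based malware data.

```python
"""Toy model of correlation-rule triggering.

Added illustration, not FireSIGHT code: the event field names, the
condition syntax (field == value) and the platform labels are assumptions
chosen to mirror the base-event choices described in step 1.
"""
from dataclasses import dataclass, field

# Base event types a rule can be built on (the step 1 choices).
BASE_TYPES = {"intrusion", "malware", "discovery", "user_activity",
              "host_input", "connection", "traffic_profile"}

# Data that Series 2 devices and the DC500 cannot supply, per the notes above:
# URL category/reputation, Security Intelligence category, network-based malware.
# The platform labels themselves are assumptions.
UNSUPPORTED = {
    "series2": {"url", "sicategory", "network_malware"},
    "dc500": {"url", "sicategory", "network_malware"},
}


@dataclass
class Event:
    base: str                       # one of BASE_TYPES
    subtype: str = ""               # discovery/host input kind, or connection begin/end
    fields: dict = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    base: str
    subtype: str = "any"            # "any" = the "there is any type of event" choice
    conditions: dict = field(default_factory=dict)   # field -> required value
    connection_stage: str = "either"  # begin | end | either (connection rules only)


def validate(rule, platform):
    """Return a list of reasons the rule cannot be saved on this platform (empty = OK)."""
    problems = []
    if rule.base not in BASE_TYPES:
        return [f"unknown base event type {rule.base!r}"]
    if rule.base == "discovery" and rule.subtype == "hops_change":
        problems.append("a hops change cannot trigger a correlation rule")
    if rule.base != "connection" and rule.connection_stage != "either":
        problems.append("begin/end stage applies only to connection rules")
    banned = UNSUPPORTED.get(platform, set())
    for key in rule.conditions:
        if key in banned:
            problems.append(f"{platform} cannot evaluate {key!r} in a condition")
    if (rule.base == "malware" and "network_malware" in banned
            and rule.conditions.get("source") == "network"):
        problems.append(f"{platform} has no network-based malware data")
    return problems


def matches(rule, event):
    """True when the event is of the rule's base type and satisfies every condition."""
    if event.base != rule.base:
        return False
    if rule.base == "connection" and rule.connection_stage != "either" \
            and event.subtype != rule.connection_stage:
        return False
    if rule.base in ("discovery", "host_input") and rule.subtype != "any" \
            and event.subtype != rule.subtype:
        return False
    return all(event.fields.get(k) == v for k, v in rule.conditions.items())


def evaluate(rules, events):
    """Return (rule name, event index) for every rule that fires on an event."""
    return [(r.name, i) for i, e in enumerate(events) for r in rules if matches(r, e)]


# Constructed sample events; values are illustrative only.
SAMPLE_EVENTS = [
    Event("intrusion", fields={"sid": 1000001, "classification": "attempted-admin"}),
    Event("discovery", "new_host", {"ip": "10.0.0.5"}),
    Event("discovery", "new_protocol", {"ip": "10.0.0.5", "protocol": "ssh"}),
    Event("connection", "begin", {"url": "http://example.test/x"}),
    Event("connection", "end", {"url": "http://example.test/x", "bytes": 1200}),
    Event("user_activity", "login", {"user": "alice", "ip": "10.0.0.5"}),
]

SAMPLE_RULES = [
    Rule("any-discovery", "discovery"),                       # any discovery event
    Rule("new-host", "discovery", "new_host"),                # one discovery subtype
    Rule("url-end", "connection", conditions={"url": "http://example.test/x"},
         connection_stage="end"),                             # only end-of-connection
    Rule("admin-sig", "intrusion", conditions={"classification": "attempted-admin"}),
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule.name, "on dc500:", validate(rule, "dc500") or "ok")
    print(evaluate(SAMPLE_RULES, SAMPLE_EVENTS))
```

Running the block shows the "url-end" rule firing only on the end-of-connection event (the begin event carries the same URL but is filtered out by the stage choice), the "any-discovery" rule firing on both discovery events while "new-host" fires on one, and validate() rejecting the URL-based rule on the dc500 label while accepting it elsewhere.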