FireSIGHT System User Guide
 
Chapter 39      Configuring Correlation Policies and Rules
  Creating Rules for Correlation Policies
Tip: You can nest rules that share the base event type you specified in step . For example, if you create a new rule based on the detection of an open TCP port, the trigger criteria for the new rule could include rule “MyDoom Worm” is true and rule “Kazaa (TCP) P2P” is true.
Step 3    Optionally, continue with the procedures in the following sections:
  •
  •
  •
  •
If you are finished building the correlation rule, continue with step  of the procedure in  to save the rule.
Syntax for Intrusion Events
License: Protection
The following table describes how to build a correlation rule condition when you choose an intrusion event as the base event.
Table 39-2    Syntax for Intrusion Events

If you specify...                                   Select an operator, then...

Access Control Policy
    Select one or more access control policies that use the intrusion policy that generated the intrusion event.

Access Control Rule Name
    Type all or part of the name of the access control rule that uses the intrusion policy that generated the intrusion event.

Application Protocol
    Select one or more application protocols associated with the intrusion event.

Application Protocol Category
    Select one or more application protocol categories.

Classification
    Select one or more classifications.

Client
    Select one or more clients associated with the intrusion event.

Client Category
    Select one or more client categories.

Destination IP, Source IP, or Source/Destination IP
    Specify a single IP address, an address block, or a comma-separated list comprised of any of these. For information on using IP address notation and prefix lengths in the FireSIGHT System, see . Note that you cannot enter a comma-separated list if you select is in or is not in as the operator for the condition.

Destination Port/ICMP Code or Source Port/ICMP Type
    Type the port number or ICMP type for source traffic or the port number or ICMP type for destination traffic.

Device
    Select one or more devices that may have generated the event.

Egress Interface or Ingress Interface
    Select one or more interfaces.

Egress Security Zone or Ingress Security Zone
    Select one or more security zones.
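The following Python model, added here as an illustration and not code from Cisco or the FireSIGHT System, shows how a condition on an intrusion event is assembled from a field, an operator and a typed value, how the IP-address rules from Table 39-2 behave (single address, address block with prefix length, or a comma-separated list, with the list form refused for "is in" / "is not in"), and how one rule can be nested in another with the "rule ... is true" criterion from the Tip above. The event field names, the operator set ("is", "is not", "is in", "is not in") and the sample event are assumptions made for this example.

```python
"""Added example (not code from the Cisco guide): a small evaluator that
models how a correlation rule condition on an intrusion event is built from
a field, an operator and a value, including the IP-address rules from
Table 39-2. Field names, the operator set and the sample event are
assumptions made for this example."""
import ipaddress
from typing import Callable, Dict, List

Event = Dict[str, object]
IP_FIELDS = {"source_ip", "destination_ip", "source_destination_ip"}


def parse_ip_value(value: str, operator: str) -> list:
    """Parse an IP value: a single address, an address block with a prefix
    length, or a comma-separated list of either. The list form is rejected
    for 'is in' / 'is not in', as the guide's note says."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if not parts:
        raise ValueError("empty IP value")
    if operator in ("is in", "is not in") and len(parts) != 1:
        raise ValueError("'is in' / 'is not in' take a single address or block")
    # strict=False accepts a block written with host bits set (e.g. 10.1.2.3/8)
    return [ipaddress.ip_network(p, strict=False) for p in parts]


def accepts_value(value: str, operator: str) -> bool:
    """True if the typed value is valid for this operator (shows the caveat)."""
    try:
        parse_ip_value(value, operator)
        return True
    except ValueError:
        return False


def condition(field: str, operator: str, value: str) -> Callable[[Event], bool]:
    """Build a predicate over an event (a dict of field -> value)."""
    if field in IP_FIELDS:
        nets = parse_ip_value(value, operator)
        fields = ["source_ip", "destination_ip"] if field == "source_destination_ip" else [field]

        def ip_pred(event: Event) -> bool:
            hit = any(ipaddress.ip_address(event[f]) in n for f in fields for n in nets)
            return hit if operator in ("is", "is in") else not hit
        return ip_pred
    if operator == "is":
        return lambda event: str(event.get(field)) == value
    if operator == "is not":
        return lambda event: str(event.get(field)) != value
    raise ValueError(f"unsupported operator {operator!r} for field {field!r}")


class Rule:
    """A correlation rule: conditions joined with AND or OR."""
    def __init__(self, name: str, conditions: List[Callable[[Event], bool]], join: str = "and"):
        self.name, self.conditions, self.join = name, conditions, join

    def evaluate(self, event: Event) -> bool:
        results = (c(event) for c in self.conditions)
        return all(results) if self.join == "and" else any(results)

    def is_true(self) -> Callable[[Event], bool]:
        """Expose this rule as a condition so another rule can nest it
        (the guide's 'rule "X" is true' trigger criterion)."""
        return self.evaluate


# Constructed sample intrusion event; not data from any real sensor.
SAMPLE_EVENT: Event = {
    "source_ip": "203.0.113.7",
    "destination_ip": "192.0.2.10",
    "destination_port": 445,
    "classification": "Attempted Administrator Privilege Gain",
    "device": "sensor-1",
}


def demo(event: Event = SAMPLE_EVENT) -> Dict[str, bool]:
    # Base rule: intrusion event against port 445 on the server block.
    smb = Rule("SMB to servers", [
        condition("destination_port", "is", "445"),
        condition("destination_ip", "is in", "192.0.2.0/24"),
    ])
    # Nested rule: the base rule fired and the source lies outside the internal ranges.
    external = Rule("SMB to servers from outside", [
        smb.is_true(),
        condition("source_ip", "is not", "10.0.0.0/8, 192.0.2.0/24"),
    ])
    # A classification condition that the sample event does not satisfy.
    scan = Rule("Scan classification", [condition("classification", "is", "Network Scan")])
    return {
        "smb": smb.evaluate(event),
        "external": external.evaluate(event),
        "scan": scan.evaluate(event),
        "scan_or_smb": Rule("either", [scan.is_true(), smb.is_true()], join="or").evaluate(event),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints which of the four rules fire for the sample event. The point of `accepts_value` is the caveat in the table: a comma-separated list is fine with "is" or "is not" but is refused for "is in" and "is not in", so a rule meant to cover several blocks with "is in" has to be expressed either as several conditions joined with OR or with the "is" / "is not" operators and a list.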