FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Syntax for Malware Events

License: Any or Malware
Supported Devices: feature dependent
Supported Defense Centers: feature dependent
The syntax for correlation rule conditions based on malware events depends on whether the event is reported by an endpoint-based malware agent, detected by a managed device, or detected by a managed device and retrospectively identified as malware.

Note that because neither Series 2 devices nor the DC500 Defense Center support network-based malware protection, these appliances do not support triggering a correlation rule on a malware event based on network-based malware data or retrospective network-based malware data.

The following table describes how to build a correlation rule condition when you choose a malware event as the base event.
Table 39-2 Syntax for Intrusion Events (continued)

If you specify...                  Select an operator, then...

Username                           Type the username of the user logged into the source host in the intrusion event.
VLAN ID                            Type the innermost VLAN ID associated with the packet that triggered the intrusion event.
Web Application                    Select one or more web applications associated with the intrusion event.
Web Application Category           Select one or more categories of web application.
Table 39-3 Syntax for Malware Events

If you specify...                  Select an operator, then...

Application Protocol               Select one or more application protocols associated with the malware event.
Application Protocol Category      Select one or more categories of application protocol.
Client                             Select one or more clients associated with the malware event.
Client Category                    Select one or more categories of client.
Destination IP, Host IP, or        Specify a single IP address or address block. For information on using IP
Source IP                          address notation in the FireSIGHT System, see
Destination Port/ICMP Code         Type the port number or ICMP code for destination traffic.
Disposition                        Select Malware, Custom Detection, or both.
Event Type                         Select one or more endpoint-based event types associated with the malware
                                   event. For more information, see
File Name                          Type the name of the file.
File Type                          Select the type of file, for example, PDF or MSEXE.
File Type Category                 Select one or more file type categories, for example, Office Documents or
                                   Executables.
IOC Tag                            Select whether an IOC tag is or is not set as a result of the malware event.
SHA-256                            Type or paste the SHA-256 hash value of the file.
Source Port/ICMP Type              Type the port number or ICMP type for source traffic.
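The conditions in Table 39-3 combine into a rule that fires only when every condition matches the malware event. As an added example, not code from the Cisco guide or from the FireSIGHT product, the following Python models that evaluation: "select one or more" fields match when the event value is among the selected values, IP fields accept a single address or an address block, and the IOC Tag condition tests whether the tag is set. The field names, operator names, and sample events are assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Any

# Fields that Table 39-3 says take a single IP address or an address block
# (hypothetical field names chosen for this example).
IP_FIELDS = {"source_ip", "destination_ip", "host_ip"}

@dataclass
class Condition:
    field: str       # event field, e.g. "disposition", "sha256", "host_ip"
    operator: str    # "is", "is not", "is in", "is not in", "is set", "is not set"
    value: Any = None

def condition_matches(cond: Condition, event: dict) -> bool:
    actual = event.get(cond.field)
    if cond.operator in ("is set", "is not set"):      # IOC Tag row
        return bool(actual) == (cond.operator == "is set")
    if actual is None:   # field absent, e.g. an endpoint-only field on a network event
        return False
    if cond.field in IP_FIELDS:   # single address or address block (CIDR notation)
        hit = ipaddress.ip_address(actual) in ipaddress.ip_network(cond.value, strict=False)
    elif cond.operator in ("is in", "is not in"):      # "select one or more" rows
        hit = actual in cond.value
    else:                                               # typed values: port, file name, SHA-256
        hit = actual == cond.value
    return hit if cond.operator in ("is", "is in") else not hit

def rule_matches(conditions: list, event: dict) -> bool:
    """The rule fires only when every condition matches (logical AND)."""
    return all(condition_matches(c, event) for c in conditions)

# Constructed sample rule: Malware or Custom Detection disposition, executable
# file, IOC tag set, and host inside a private block (values are hypothetical).
RULE = [
    Condition("disposition", "is in", {"Malware", "Custom Detection"}),
    Condition("file_type_category", "is in", {"Executables"}),
    Condition("ioc_tag", "is set"),
    Condition("host_ip", "is", "10.0.0.0/8"),
]

# Constructed sample events (not real detections; the SHA-256 is a placeholder).
EVENT_HIT = {"disposition": "Malware", "file_type": "MSEXE", "file_type_category": "Executables",
             "ioc_tag": True, "host_ip": "10.1.2.3", "sha256": "0" * 64}
EVENT_MISS = {"disposition": "Malware", "file_type": "PDF", "file_type_category": "Office Documents",
              "ioc_tag": True, "host_ip": "10.1.2.3", "sha256": "0" * 64}

if __name__ == "__main__":
    print(rule_matches(RULE, EVENT_HIT), rule_matches(RULE, EVENT_MISS))   # True False
```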