Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 39      Configuring Correlation Policies and Rules 
  Creating Rules for Correlation Policies
Table 39-3 Syntax for Malware Events (continued)

| If you specify... | Select an operator, then... |
|---|---|
| Web Application | Select one or more web applications associated with the malware event. |
| Web Application Category | Select one or more categories of web application. |

Syntax for Discovery Events
License: FireSIGHT
If you base your correlation rule on a discovery event, you must first choose the type of event you want to use from a drop-down list. The following table lists the events you can choose as trigger criteria from the drop-down list, cross-referenced with their corresponding event types. For detailed descriptions of discovery event types, see
Table 39-4 Correlation Rule Trigger Criteria vs. Discovery Event Types

| Select this option... | To trigger the rule on this event type... |
|---|---|
| a client has changed | Client Update |
| a client timed out | Client Timeout |
| a host IP address is reused | DHCP: IP Address Reassigned |
| a host is deleted because the host limit was reached | Host Deleted: Host Limit Reached |
| a host is identified as a network device | Host Type Changed to Network Device |
| a host timed out | Host Timeout |
| a host’s IP address has changed | DHCP: IP Address Changed |
| a NETBIOS name change is detected | NETBIOS Name Change |
| a new client is detected | New Client |
| a new IP host is detected | New Host |
| a new MAC address is detected | Additional MAC Detected for Host |
| a new MAC host is detected | New Host |
| a new network protocol is detected | New Network Protocol |
| a new transport protocol is detected | New Transport Protocol |
| a TCP port closed | TCP Port Closed |
| a TCP port timed out | TCP Port Timeout |
| a UDP port closed | UDP Port Closed |
| a UDP port timed out | UDP Port Timeout |
| a VLAN tag was updated | VLAN Tag Information Update |
| an IOC was set | Indication of Compromise |
| an open TCP port is detected | New TCP Port |
| an open UDP port is detected | New UDP Port |
| the OS information for a host has changed | New OS |
| the OS or server identity for a host has a conflict | Identity Conflict |
| the OS or server identity for a host has timed out | Identity Timeout |