Cisco Firepower Management Center 4000
39-11
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Note that you cannot trigger a correlation rule on hops changes, or when the system drops a new host due to reaching the licensed host limit. You can, however, choose there is any type of event to trigger the rule when any type of discovery event occurs.
After you choose the discovery event type, you can build correlation rule conditions as described in the table below. Depending on the type of event you choose, you can build conditions using subsets of the criteria in the following table. For example, if you trigger your correlation rule when a new client is detected, you can build conditions based on the IP or MAC address of the host, the client name, type, or version, and the device that detected the event.
Table 39-4 Correlation Rule Trigger Criteria vs. Discovery Event Types (continued)

Select this option...                          To trigger the rule on this event type...
there is any kind of event                     any event type
there is new information about a MAC address   MAC Information Change
there is new information about a TCP server    TCP Server Information Update
there is new information about a UDP server    UDP Server Information Update
Table 39-5 Syntax for Discovery Events

If you specify...            Select an operator, then...

Application Protocol
    Select one or more application protocols.

Application Protocol Category
    Select one or more application protocol categories.

Application Port
    Type the application protocol port number.

Client
    Select one or more clients.

Client Category
    Select one or more client categories.

Client Version
    Type the version number of the client.

Device
    Select one or more devices that may have generated the discovery event.

Hardware
    Type the hardware model for the mobile device. For example, to match all Apple iPhones, type iPhone.

Host Type
    Select one or more host types from the drop-down list. You can choose between a host or one of several types of network device.

IP Address or New IP Address
    Type a single IP address or address block. For information on using IP address notation in the FireSIGHT System, see

Jailbroken
    Select Yes to indicate that the host in the event is a jailbroken mobile device, or No to indicate that it is not.

MAC Address
    Type all or part of the MAC address of the host. For example, if you know that devices from a certain hardware manufacturer have MAC addresses that begin with 0A:12:34, you could choose begins with as the operator, then type 0A:12:34 as the value.

MAC Type
    Select whether the MAC address was ARP/DHCP Detected. That is, select whether the system positively identified the MAC address as belonging to the host (is ARP/DHCP Detected), or whether the system is seeing many hosts with that MAC address because, for example, there is a router between the managed device and the host (is not ARP/DHCP Detected).
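The following Python script is an added illustration of how the conditions in Table 39-5 combine when a rule is evaluated; it is not FireSIGHT System code and the DiscoveryEvent record, field names, operator strings and sample events are all constructed for the example. It evaluates a rule that fires on a new client whose MAC begins with 0A:12:34 (the manufacturer-prefix case from the MAC Address row), whose IP falls inside an address block, and whose MAC the system positively tied to the host (MAC Type is ARP/DHCP Detected). The last condition is the practical caveat behind the MAC Type row: without it, a rule keyed on a MAC prefix also fires for every host sitting behind a router whose MAC the sensor sees in front of them, and the helper at the end shows how that "many hosts, one MAC" situation looks in the data.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


# Constructed discovery-event record covering the Table 39-5 criteria used below.
# This is an illustrative shape, not the FireSIGHT System's internal event format.
@dataclass
class DiscoveryEvent:
    event_type: str          # e.g. "New Client", "New TCP Server"
    ip: str                  # host IP address
    mac: str                 # MAC address as the sensor reported it
    arp_dhcp_detected: bool  # True = system positively tied the MAC to this host
    client: str = ""
    device: str = ""


def norm_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form. Sensors and operators write MACs
    with ':' or '-' and mixed case; normalising both sides keeps 'begins with' honest."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def check(event: DiscoveryEvent, field: str, op: str, value) -> bool:
    """Evaluate one (criterion, operator, value) condition against an event."""
    if field == "ip":
        # A single address or an address block, as the table allows.
        net = ipaddress.ip_network(value, strict=False)
        inside = ipaddress.ip_address(event.ip) in net
        return inside if op == "is in" else not inside
    if field == "mac":
        have, want = norm_mac(event.mac), norm_mac(value)
        return {"begins with": have.startswith(want),
                "is": have == want,
                "is not": have != want}[op]
    if field == "mac_type":
        # value is "ARP/DHCP Detected"; "is not" means many hosts share the MAC
        # (for example a router sits between the managed device and the host).
        return event.arp_dhcp_detected if op == "is" else not event.arp_dhcp_detected
    actual = getattr(event, field)
    return {"is": actual == value,
            "is not": actual != value,
            "is in": actual in value}[op]   # "is in": pick-list of one or more items


def rule_fires(event: DiscoveryEvent, trigger_type: str, conditions) -> bool:
    """A rule fires when the event is of the trigger type and every condition holds."""
    return event.event_type == trigger_type and all(check(event, *c) for c in conditions)


def macs_seen_on_multiple_hosts(events):
    """MACs reported for more than one IP: the situation the table describes as
    'is not ARP/DHCP Detected' (for example a router's MAC in front of many hosts)."""
    seen = defaultdict(set)
    for e in events:
        seen[norm_mac(e.mac)].add(e.ip)
    return {m: ips for m, ips in seen.items() if len(ips) > 1}


# Constructed sample events (not captured from a real deployment).
SAMPLE_EVENTS = [
    DiscoveryEvent("New Client", "10.10.5.7", "0a-12-34-56-78-9a", True, client="Firefox", device="sensor-1"),
    DiscoveryEvent("New Client", "10.10.5.8", "0A:12:34:AA:BB:CC", False, client="Chrome", device="sensor-1"),
    DiscoveryEvent("New Client", "10.10.5.9", "0A:12:34:AA:BB:CC", False, client="Safari", device="sensor-2"),
    DiscoveryEvent("New TCP Server", "10.10.5.7", "0a:12:34:56:78:9a", True, device="sensor-1"),
    DiscoveryEvent("New Client", "192.168.1.20", "00:11:22:33:44:55", True, client="Firefox", device="sensor-1"),
]

# Rule: a new client on a host whose MAC begins with 0A:12:34, inside 10.10.0.0/16,
# detected by one of two sensors, and only where the MAC was positively tied to the host.
EXAMPLE_RULE = ("New Client", [
    ("mac", "begins with", "0A:12:34"),
    ("ip", "is in", "10.10.0.0/16"),
    ("mac_type", "is", "ARP/DHCP Detected"),
    ("device", "is in", ["sensor-1", "sensor-2"]),
])


def matching_hosts(events=SAMPLE_EVENTS, rule=EXAMPLE_RULE):
    """IPs of the events on which the rule fires."""
    trigger_type, conditions = rule
    return [e.ip for e in events if rule_fires(e, trigger_type, conditions)]


if __name__ == "__main__":
    print(matching_hosts())                            # ['10.10.5.7']
    print(macs_seen_on_multiple_hosts(SAMPLE_EVENTS))  # the shared 0a:12:34:aa:bb:cc MAC
```

Only 10.10.5.7 matches: the two hosts sharing 0A:12:34:AA:BB:CC have the right prefix and address block but fail the MAC Type condition, and the New TCP Server event on 10.10.5.7 fails the trigger type. Dropping the MAC Type condition would make the rule fire on both of the router-fronted hosts as well.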