Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 39-13
 
Chapter 39      Configuring Correlation Policies and Rules
  Creating Rules for Correlation Policies
If you base your correlation rule on a host input event, you must first choose the type of host input event you want to use from a drop-down list. The following table lists the events you can choose as trigger criteria from the drop-down list, cross-referenced with their corresponding host input event types. For detailed descriptions of host input event types, see 

You cannot trigger a correlation rule when you add, delete, or change the definition of a user-defined host attribute, or set a vulnerability impact qualification.
After you choose the host input event type, you can build correlation rule conditions as described in the table below. Depending on the type of host input event you choose, you can build conditions using subsets of the criteria in the following table. For example, if you trigger your correlation rule when a client is deleted, you can build conditions based on the IP address of the host involved in the event, the source type of the deletion (manual, third-party application, or scanner), and the source itself (a specific scanner type or user).
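The following is an added example, not Cisco code and not a description of how the FireSIGHT System evaluates rules internally. It models the structure this section describes: a rule is a trigger (one of the options in Table 39-7, mapped to its host input event type) plus zero or more conditions on the criteria in Table 39-8, and it fires only when an event of the triggering type satisfies every condition. The trigger options and the three condition criteria come from the tables in this section; the event field names, the "is" / "is not" operators, the CIDR handling, and the sample rule and events are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Trigger options as listed in Table 39-7, mapped to their host input event types.
TRIGGER_OPTIONS = {
    "a client is added": "Add Client",
    "a client is deleted": "Delete Client",
    "a host is added": "Add Host",
    "a protocol is added": "Add Protocol",
    "a protocol is deleted": "Delete Protocol",
    "a scan result is added": "Add Scan Result",
    "a server definition is set": "Set Server Definition",
    "a server is added": "Add Port",
    "a server is deleted": "Delete Port",
    "a vulnerability is marked invalid": "Vulnerability Set Invalid",
    "a vulnerability is marked valid": "Vulnerability Set Valid",
    "an address is deleted": "Delete Host/Network",
    "an attribute value is deleted": "Host Attribute Delete Value",
    "an attribute value is set": "Host Attribute Set Value",
    "an OS definition is set": "Set Operating System Definition",
    "host criticality is set": "Set Host Criticality",
}

# Source types named on this page for a host input event.
SOURCE_TYPES = ("manual", "third-party application", "scanner")
CRITERIA = ("IP Address", "Source Type", "Source")  # Table 39-8 rows


@dataclass
class HostInputEvent:
    """One host input event; the field names are this example's assumptions."""
    event_type: str
    ip: str
    source_type: str
    source: str


@dataclass
class Condition:
    """One Table 39-8 criterion with an operator ("is" / "is not", assumed) and a value."""
    criterion: str
    operator: str
    value: str


@dataclass
class CorrelationRule:
    name: str
    trigger_option: str  # a key of TRIGGER_OPTIONS
    conditions: List[Condition] = field(default_factory=list)

    def __post_init__(self):
        # Anything not in Table 39-7 (for example a change to a host attribute
        # *definition*) cannot be a trigger, so it is rejected when the rule is built.
        if self.trigger_option not in TRIGGER_OPTIONS:
            raise ValueError(f"not a valid trigger: {self.trigger_option!r}")
        for c in self.conditions:
            if c.criterion not in CRITERIA or c.operator not in ("is", "is not"):
                raise ValueError(f"unsupported condition: {c}")
            if c.criterion == "IP Address":
                ipaddress.ip_network(c.value, strict=False)  # validates the notation
            elif c.criterion == "Source Type" and c.value not in SOURCE_TYPES:
                raise ValueError(f"unknown source type: {c.value!r}")


def condition_matches(cond: Condition, event: HostInputEvent) -> bool:
    if cond.criterion == "IP Address":
        # A single address or an address block; a bare address is a /32 (or /128).
        hit = ipaddress.ip_address(event.ip) in ipaddress.ip_network(cond.value, strict=False)
    elif cond.criterion == "Source Type":
        hit = event.source_type == cond.value
    else:  # "Source": a specific scanner type or user
        hit = event.source == cond.value
    return hit if cond.operator == "is" else not hit


def rule_fires(rule: CorrelationRule, event: HostInputEvent) -> bool:
    """The rule fires when the event type matches its trigger and every condition holds."""
    if event.event_type != TRIGGER_OPTIONS[rule.trigger_option]:
        return False
    return all(condition_matches(c, event) for c in rule.conditions)


def fired_rules(rules, events):
    """Return (rule name, event) pairs for every rule/event combination that fires."""
    return [(r.name, e) for e in events for r in rules if rule_fires(r, e)]


# Constructed sample data (not from the page): the "client is deleted" case
# the text uses, restricted to one address block and to scanner-sourced input
# from anything other than one named scanner.
EXAMPLE_RULE = CorrelationRule(
    name="client deleted on server segment by unexpected scanner",
    trigger_option="a client is deleted",
    conditions=[
        Condition("IP Address", "is", "10.20.0.0/16"),
        Condition("Source Type", "is", "scanner"),
        Condition("Source", "is not", "approved-scanner"),
    ],
)
EXAMPLE_EVENTS = [
    HostInputEvent("Delete Client", "10.20.4.7", "scanner", "other-scanner"),    # fires
    HostInputEvent("Delete Client", "10.20.4.7", "scanner", "approved-scanner"), # excluded source
    HostInputEvent("Delete Client", "192.168.1.9", "scanner", "other-scanner"),  # outside block
    HostInputEvent("Add Client", "10.20.4.7", "scanner", "other-scanner"),       # wrong trigger
    HostInputEvent("Delete Client", "10.20.4.7", "manual", "analyst1"),          # wrong source type
]

if __name__ == "__main__":
    for name, ev in fired_rules([EXAMPLE_RULE], EXAMPLE_EVENTS):
        print(f"{name}: {ev}")
```

Only the first sample event fires: the other four each fail exactly one of the checks (trigger type, address block, source type, or the excluded source), which is the behaviour to expect when a rule combines a trigger with conditions drawn from the subset of criteria available for that event type.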
Table 39-7      Correlation Rule Trigger Criteria vs. Host Input Event Types

Select this option...                     To trigger the rule on this event type...
a client is added                         Add Client
a client is deleted                       Delete Client
a host is added                           Add Host
a protocol is added                       Add Protocol
a protocol is deleted                     Delete Protocol
a scan result is added                    Add Scan Result
a server definition is set                Set Server Definition
a server is added                         Add Port
a server is deleted                       Delete Port
a vulnerability is marked invalid         Vulnerability Set Invalid
a vulnerability is marked valid           Vulnerability Set Valid
an address is deleted                     Delete Host/Network
an attribute value is deleted             Host Attribute Delete Value
an attribute value is set                 Host Attribute Set Value
an OS definition is set                   Set Operating System Definition
host criticality is set                   Set Host Criticality

Table 39-8      Syntax for Host Input Events

If you specify...     Select an operator, then...
IP Address            Type a single IP address or address block. For information on using IP address notation in the FireSIGHT System, see 
Source                Select the source for the host input data.
Source Type           Select the type of the source for the host input data.

Syntax for Connection Events
License: Any