FireSIGHT System User Guide, Chapter 39: Configuring Correlation Policies and Rules, Creating Rules for Correlation Policies (page 39-15)
Syntax for Traffic Profile Changes

License: Any
If you base your correlation rule on a traffic profile change, the rule triggers when network traffic deviates from your normal network traffic pattern as characterized in an existing traffic profile. For information on how to build a traffic profile, see

You can trigger the rule based on either raw data or on the statistics calculated from the data. For example, you could write a rule that triggers if the amount of data traversing your network (measured in bytes) suddenly spikes, which could indicate an attack or another security policy violation. You could specify that the rule trigger if either:

  • the number of bytes traversing your network spikes a certain number of standard deviations above or below the mean amount of traffic

Note that to create a rule that triggers when the number of bytes traversing your network falls outside a certain number of standard deviations (whether above or below), you must specify both an upper and a lower bound, as shown in the following graphic.
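The following is an added illustration of the check described above, not FireSIGHT code: it builds the mean and standard deviation from a constructed baseline of bytes-per-interval samples and evaluates a rule in either statistics mode (bounds expressed in standard deviations) or raw mode (bounds expressed in bytes). It shows why both an upper and a lower bound are needed to catch a drop as well as a spike. The baseline numbers are invented, and the use of the population standard deviation is an assumption; the page does not say how the FireSIGHT System computes the statistic.

```python
"""Standard-deviation and raw-byte triggers for a traffic-profile rule.

Added example, not code from the FireSIGHT System. Assumptions: the
baseline samples are constructed, and the population standard deviation
(statistics.pstdev) stands in for whatever statistic the product uses.
"""
from statistics import mean, pstdev
from typing import List, Optional, Tuple

# Constructed baseline: bytes observed per 5-minute interval during a
# "normal" period. Mean is 50,200; population stddev is about 1,318.
BASELINE_BYTES: List[int] = [
    48_000, 52_000, 50_500, 49_200, 51_300, 47_800, 50_100, 52_400,
    49_900, 50_700, 48_600, 51_100, 50_300, 49_500, 51_800, 50_000,
]


def profile_stats(samples: List[int]) -> Tuple[float, float]:
    """Return (mean, standard deviation) of the baseline profile."""
    return mean(samples), pstdev(samples)


def deviation_in_sigmas(value: int, mu: float, sigma: float) -> float:
    """How many standard deviations the current value sits from the mean."""
    if sigma == 0:
        raise ValueError("baseline has no variance; a sigma rule is meaningless")
    return (value - mu) / sigma


def stat_rule_triggers(value: int, mu: float, sigma: float,
                       upper: Optional[float] = None,
                       lower: Optional[float] = None) -> bool:
    """Statistics mode: trigger if the value is more than `upper` sigmas
    above the mean or more than `lower` sigmas below it. A bound left as
    None is not checked, which is why a spike-only rule misses a drop."""
    z = deviation_in_sigmas(value, mu, sigma)
    if upper is not None and z > upper:
        return True
    if lower is not None and z < -lower:
        return True
    return False


def raw_rule_triggers(value: int, upper: Optional[int] = None,
                      lower: Optional[int] = None) -> bool:
    """Raw-data mode: compare the byte count against absolute bounds."""
    if upper is not None and value > upper:
        return True
    if lower is not None and value < lower:
        return True
    return False


def evaluate(samples: List[int], current: List[int],
             upper: float, lower: Optional[float]) -> List[Tuple[int, float, bool]]:
    """Score each current interval against the profile; returns
    (bytes, deviation in sigmas, triggered) for each value."""
    mu, sigma = profile_stats(samples)
    return [(v, round(deviation_in_sigmas(v, mu, sigma), 2),
             stat_rule_triggers(v, mu, sigma, upper, lower))
            for v in current]


if __name__ == "__main__":
    # Constructed current intervals: a normal one, a spike, and a drop.
    current = [50_900, 150_000, 5_000]
    print("upper bound only (3 sigma):", evaluate(BASELINE_BYTES, current, 3, None))
    print("upper and lower bound (3 sigma):", evaluate(BASELINE_BYTES, current, 3, 3))
```

With only an upper bound the 5,000-byte drop passes silently; with both bounds the spike and the drop trigger while the normal interval does not.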
Table 39-9    Syntax for Connection Events (continued)

If you specify...                                        Select an operator, then...

Initiator Packets, Responder Packets, or Total Packets
    Type one of:
      • the number of packets transmitted (Initiator Packets).
      • the number of packets received (Responder Packets).
      • the number of packets both transmitted and received (Total Packets).

Initiator Port/ICMP Type or Responder Port/ICMP Code
    Type the port number or ICMP type for initiator traffic, or the port number or ICMP code for responder traffic.

IOC Tag
    Select whether an IOC tag is or is not set as a result of the connection event.

NETBIOS Name
    Type the NetBIOS name of the monitored host in the connection.

NetFlow Device
    Select the IP address of the NetFlow-enabled device that exported the connection data you want to use to trigger the correlation rule. If you did not add any NetFlow-enabled devices to your deployment, the NetFlow Device drop-down list is blank.

Reason
    Select one or more reasons associated with the connection event.

TCP Flags
    Select a TCP flag that a connection event must contain in order to trigger the correlation rule.

    Note: Only connection data exported by NetFlow-enabled devices contain TCP flags.

Transport Protocol
    Type the transport protocol used by the connection: TCP or UDP.

URL
    Type all or part of the URL visited in the connection.

URL Category
    Select one or more URL categories for the URL visited in the connection.

URL Reputation
    Select one or more URL reputation values for the URL visited in the connection.

Username
    Type the username of the user logged into either host in the connection.

Web Application
    Select one or more web applications associated with the connection.

Web Application Category
    Select one or more categories of web application.