Cisco Firepower Management Center 4000

FireSIGHT System User Guide, page 39-16
Chapter 39: Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
To create a rule that triggers when the number of bytes traversing is greater than a certain number of standard deviations above the mean, use only the first condition shown in the graphic. To create a rule that triggers when the number of bytes traversing is greater than a certain number of standard deviations below the mean, use only the second condition.

  • the number of bytes traversing your network spikes above a certain number of bytes

You can select the use velocity data check box (see ), to trigger the correlation rule based on rates of change between data points. If you wanted to use velocity data in the above example, you could specify that the rule triggers if either:

  • the change in the number of bytes traversing your network spikes above or below a certain number of standard deviations above the mean rate of change
  • the change in the number of bytes traversing your network spikes above a certain number of bytes
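The arithmetic behind these conditions, as an added illustration that is not FireSIGHT code and does not show how the product itself computes a profile: a constructed series of per-interval byte counts is reduced to a mean and standard deviation, and a new data point is tested against the rule forms described above, with and without velocity data. The use of the population standard deviation, the OR-ing of the two conditions, and the sample values are all assumptions.

```python
from statistics import mean, pstdev

# Constructed sample: total bytes per sampling interval while the traffic
# profile was learned (illustrative numbers, not captured data).
PROFILE_BYTES = [100_000, 110_000, 90_000, 105_000, 95_000, 100_000, 110_000, 90_000]

SIDE_TEXT = {"above": "above the mean", "below": "below the mean",
             "either": "above or below the mean"}


def profile_stats(points):
    """Mean and population standard deviation of the profile's data points."""
    return mean(points), pstdev(points)


def velocity(points):
    """Rate of change between consecutive data points (the 'velocity data')."""
    return [later - earlier for earlier, later in zip(points, points[1:])]


def outside_stddev(value, points, k, side):
    """True if value lies more than k standard deviations above/below the mean."""
    mu, sigma = profile_stats(points)
    return value > mu + k * sigma if side == "above" else value < mu - k * sigma


def traffic_profile_rule(points, current, k=2.0, direction="above",
                         byte_limit=None, use_velocity=False):
    """Evaluate a 'Total Bytes' traffic profile change against the learned profile.

    direction: 'above' (first condition only), 'below' (second only), or 'either'.
    With use_velocity=True the change since the last data point is compared with
    the mean rate of change instead of the raw byte count.
    Returns the names of the conditions that fired (OR'ed); [] means no trigger.
    """
    if use_velocity:
        baseline, value, label = velocity(points), current - points[-1], "change in bytes"
    else:
        baseline, value, label = points, current, "bytes"
    sides = ("above", "below") if direction == "either" else (direction,)
    fired = []
    if any(outside_stddev(value, baseline, k, side) for side in sides):
        fired.append(f"{label} more than {k:g} std dev {SIDE_TEXT[direction]}")
    if byte_limit is not None and value > byte_limit:
        fired.append(f"{label} above {byte_limit} bytes")
    return fired
```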
The following table describes how to build a condition in a correlation rule when you choose a traffic profile change as the base event. If your traffic profile uses connection data exported by NetFlow-enabled devices, see  to learn about how the detection method can affect the data used to create your traffic profile.
Table 39-10 Syntax for Traffic Profile Changes

| If you specify... | Select an operator, then type... | And then choose one of the following... |
|---|---|---|
| Number of Connections | the total number of connections detected, or the number of standard deviations either above or below the mean that the number of connections detected must be in to trigger the rule | connections, or standard deviation(s) |
| Total Bytes, Initiator Bytes, or Responder Bytes | one of: the total bytes transmitted (Total Bytes), the number of bytes transmitted (Initiator Bytes), or the number of bytes received (Responder Bytes); or the number of standard deviations either above or below the mean that one of the above criteria must be in to trigger the rule | bytes, or standard deviation(s) |