Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 39      Configuring Correlation Policies and Rules 
  Creating Rules for Correlation Policies
Note that to use a host profile qualification, the host must exist in the network map and the host profile 
property you want to use as a qualification must already be included in the host profile. For example, if 
you configure a correlation rule to trigger when an intrusion event is generated for a host running 
Windows, the rule only triggers if the host is already identified as Windows when the intrusion event is 
generated.
To add a host profile qualification:
Access: Admin/Discovery Admin
Step 1  Select Policies > Correlation, then select the Rule Management tab.
The Rule Management page appears.
Step 2  Click Create Rule.
The Create Rule page appears.
Step 3  On the Create Rule page, click Add Host Profile Qualification.
The Host Profile Qualification section appears.
Tip  To remove a host profile qualification, click Remove Host Profile Qualification.
Step 4  Build the host profile qualification’s conditions.
You can create a single, simple condition, or you can create more elaborate constructs by combining and 
nesting conditions. See 
 for information on how to 
use the web interface to build conditions. 
The syntax you can use to build conditions is described in 
Step 5
Optionally, continue with the procedures in the following sections:
  •
  •
  •
If you are finished building the correlation rule, continue with step 
 of the procedure in 
 to save the rule.
Syntax for Host Profile Qualifications
License: FireSIGHT
When you build a host profile qualification condition, you must first select the host you want to use to constrain your correlation rule. The host you can choose depends on the type of event you are using to trigger the rule, as follows:
  • If you are using a connection event, select Responder Host or Initiator Host.
  • If you are using an intrusion event, select Destination Host or Source Host.
  • If you are using a discovery event, host input event, or user activity, select Host.
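The following added example (not Cisco code and not part of the original guide) models the behaviour described in this section: which host can be selected for each event type, and the earlier note that a qualification matches only when the host is already in the network map with the property present in its profile. The data layout, property names, the and/or operators and the function names are assumptions made for illustration.

```python
# Illustrative model of host profile qualification semantics.
# All names and structures here are hypothetical, not a product API.
VALID_ROLES = {
    "connection": {"responder", "initiator"},
    "intrusion": {"destination", "source"},
    "discovery": {"host"},
    "host_input": {"host"},
    "user_activity": {"host"},
}

def matches(cond, profile):
    """Evaluate a nested condition tree against one host profile (a dict)."""
    op = cond[0]
    if op in ("and", "or"):
        results = [matches(c, profile) for c in cond[1:]]
        return all(results) if op == "and" else any(results)
    # Leaf: ("is", property, value). A property missing from the profile
    # never matches, even if the host really has that value.
    _, prop, value = cond
    return prop in profile and profile[prop] == value

def qualifies(event, role, cond, network_map):
    """True only if the selected host is in the network map and its profile
    already satisfies the condition when the event is generated."""
    if role not in VALID_ROLES[event["type"]]:
        raise ValueError(f"{role!r} host is not selectable for {event['type']} events")
    profile = network_map.get(event["hosts"][role])
    if profile is None:  # host not in the network map: qualification fails
        return False
    return matches(cond, profile)

# Constructed sample data (documentation-range addresses).
NETWORK_MAP = {
    "192.0.2.10": {"os": "Windows", "criticality": "High"},
    "192.0.2.20": {"criticality": "High"},  # in the map, OS not identified yet
}
COND = ("and", ("is", "os", "Windows"), ("is", "criticality", "High"))

def event_for(dst):
    return {"type": "intrusion",
            "hosts": {"source": "198.51.100.7", "destination": dst}}

def demo():
    return [qualifies(event_for(ip), "destination", COND, NETWORK_MAP)
            for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30")]

if __name__ == "__main__":
    print(demo())
```

In the sample run, the second and third intrusion events do not satisfy the qualification: one host has no operating system in its profile yet, and the other is not in the network map at all.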
After you select the host type, you continue building your host profile qualification condition, as 
described in the following table.