Cisco Firepower Management Center 4000
39-19
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Note that although you can configure the network discovery policy to add hosts to the network map based on data exported by NetFlow-enabled devices, the available information about these hosts is limited. For example, there is no operating system data available for these hosts unless you provide it using the host input feature. In addition, if you use connection data exported by NetFlow-enabled devices, keep in mind that NetFlow records do not contain information about which host is the initiator and which is the responder. When the system processes NetFlow records, it uses an algorithm to determine this information based on the ports each host is using, and whether those ports are well-known. For more information, see .
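The following is an added illustration of the kind of port-based direction inference described above; it is not Cisco's code and does not reproduce the FireSIGHT System's actual algorithm, which the guide does not publish. It assumes a hypothetical rule: the endpoint on a well-known (0 to 1023) or locally registered service port is treated as the responder and the other endpoint as the initiator; when both or neither port looks like a service port the record is flagged as ambiguous. That flag is the practical point for a correlation rule keyed on Source Host or Destination Host: a qualification built on NetFlow-derived data can fire on the wrong host when the guess is wrong. All flow records below are constructed, not captured traffic.

```python
from dataclasses import dataclass

# IANA "system" (well-known) port range; ports above this are treated as ephemeral
# client-side ports in the absence of other evidence. (Assumption for this example.)
WELL_KNOWN_MAX = 1023


@dataclass(frozen=True)
class FlowRecord:
    """A minimal NetFlow-style record. Note what is absent: no handshake flags and
    no field saying which side opened the connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Direction:
    initiator: str
    responder: str
    confident: bool  # False when the port heuristic could not decide


def looks_like_service_port(port: int, extra_service_ports: frozenset = frozenset()) -> bool:
    """Well-known ports, plus any locally registered service ports (e.g. 8080, 3306)."""
    return 0 <= port <= WELL_KNOWN_MAX or port in extra_service_ports


def infer_direction(rec: FlowRecord, extra_service_ports: frozenset = frozenset()) -> Direction:
    """Hypothetical port-based heuristic (not Cisco's algorithm): the endpoint on the
    service-looking port is the responder, the other endpoint is the initiator.
    If both or neither port looks like a service port, keep the exporter's own
    src/dst ordering but mark the result as low confidence."""
    src_is_svc = looks_like_service_port(rec.src_port, extra_service_ports)
    dst_is_svc = looks_like_service_port(rec.dst_port, extra_service_ports)
    if dst_is_svc and not src_is_svc:
        return Direction(rec.src_ip, rec.dst_ip, True)
    if src_is_svc and not dst_is_svc:
        return Direction(rec.dst_ip, rec.src_ip, True)
    return Direction(rec.src_ip, rec.dst_ip, False)


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    FlowRecord("10.0.0.5", 51234, "10.0.0.9", 443, "tcp"),   # client -> HTTPS server
    FlowRecord("10.0.0.9", 443, "10.0.0.5", 51234, "tcp"),   # same connection, reverse record
    FlowRecord("10.0.0.5", 53, "10.0.0.7", 53, "udp"),       # resolver-to-resolver: both well-known
    FlowRecord("10.0.0.5", 40000, "10.0.0.8", 8080, "tcp"),  # proxy on a non-well-known port
]


def classify_flows(flows, extra_service_ports: frozenset = frozenset()):
    """One Direction per flow, in input order."""
    return [infer_direction(f, extra_service_ports) for f in flows]


def ambiguous_count(flows, extra_service_ports: frozenset = frozenset()) -> int:
    """How many records a Source Host / Destination Host qualification would be guessing on."""
    return sum(1 for d in classify_flows(flows, extra_service_ports) if not d.confident)


if __name__ == "__main__":
    for f, d in zip(SAMPLE_FLOWS, classify_flows(SAMPLE_FLOWS)):
        tag = "" if d.confident else "  (AMBIGUOUS: ports give no hint)"
        print(f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}"
              f"  initiator={d.initiator} responder={d.responder}{tag}")
    print("ambiguous without extra service ports:", ambiguous_count(SAMPLE_FLOWS))
    print("ambiguous with 8080 registered:", ambiguous_count(SAMPLE_FLOWS, frozenset({8080})))
```

Two things this shows that the paragraph alone does not: the two records of one connection (flows 1 and 2) resolve to the same initiator only because the port heuristic ignores the exporter's src/dst ordering, and the records on which the heuristic is forced to guess are exactly the ones where a host profile qualification would silently pick the wrong side. Registering the ports your own services actually listen on (here 8080) shrinks that ambiguous set.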
Table 39-11 Syntax for Host Profile Qualifications

If you specify... / Select an operator, then...

Host Type: Select one or more host types. You can choose between a host or one of several types of network device.
NETBIOS Name: Type the NetBIOS name of the host.
Operating System > OS Name: Select one or more operating system names.
Operating System > OS Vendor: Select one or more operating system vendor names.
Operating System > OS Version: Select one or more operating system versions.
Hardware: Type the hardware model for the mobile device. For example, to match all Apple iPhones, type iPhone.
IOC Tag: Select one or more IOC tags. For more information on IOC tag types, see .
Jailbroken: Select Yes to indicate that the host in the event is a jailbroken mobile device or No to indicate that it is not.
Mobile: Select Yes to indicate that the host in the event is a mobile device or No to indicate that it is not.
Network Protocol
Transport Protocol
Host Criticality: Select the host criticality: None, Low, Medium, or High. For more information on host criticality, see .
VLAN ID: Type the VLAN ID associated with the host.
Application Protocol > Application Protocol: Select one or more application protocols.
Application Protocol > Application Port: Type the application protocol port number. If you are using an intrusion event to trigger the correlation rule, depending on the host you chose for the host profile qualification, this field is pre-populated with a port in the event: dst_port (for Destination Host) or src_port (for Source Host).
Application Protocol > Protocol: Select one or more protocols.
Application Protocol > Category: Select a category.
Client > Client: Select one or more clients.
Client > Client Version: Type the client version.