Cisco Firepower Management Center 4000
39-24
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Note that you can often use event data when constructing a connection tracker. For example, assume your correlation rule triggers when the system detects a new client on one of your monitored hosts; that is, the rule triggers when a system event whose base event type is "a new client is detected" is generated.

Further assume that when you detect this new client, you want to track connections involving the new client on the host where it was detected. Because the system knows the IP address of the host and the client name, you can build a simple connection tracker that tracks those connections.

In fact, when you add a connection tracker to this type of correlation rule, the connection tracker is populated with those default constraints; that is, the Initiator/Responder IP is set to the Event IP Address and the Client is set to the Event Client.
Table 39-12 Syntax for Connection Trackers (continued)

If you specify... / Select an operator, then...

Initiator Bytes, Responder Bytes, or Total Bytes
    Type one of:
    • the number of bytes transmitted (Initiator Bytes)
    • the number of bytes received (Responder Bytes)
    • the number of bytes both transmitted and received (Total Bytes)

Initiator Packets, Responder Packets, or Total Packets
    Type one of:
    • the number of packets transmitted (Initiator Packets)
    • the number of packets received (Responder Packets)
    • the number of packets both transmitted and received (Total Packets)

Initiator Port/ICMP Type or Responder Port/ICMP Code
    Type the port number or ICMP type for initiator traffic, or the port number or ICMP code for responder traffic.

IOC Tag
    Select whether an IOC tag is or is not set.

NETBIOS Name
    Type the NetBIOS name of the monitored host in the connection.

NetFlow Device
    Select the IP address of the NetFlow-enabled device that exported the connections you want to track. If you did not add any NetFlow-enabled devices to your deployment, the NetFlow Device drop-down list is blank.

Reason
    Select one or more reasons associated with the connections you want to track.

TCP Flags
    Select the TCP flag that connections must contain in order to track them.
    Note: Only connections exported by NetFlow-enabled devices contain TCP flag data.

Transport Protocol
    Type the transport protocol used by the connection: TCP or UDP.

URL
    Type all or part of the URL visited in the connections you want to track.

URL Category
    Select one or more URL categories for the URL visited in the connections you want to track.

URL Reputation
    Select one or more URL reputation values for the URL visited in the connections you want to track.

Username
    Type the username of the user logged into either host in the connections you want to track.

Web Application
    Select one or more web applications.

Web Application Category
    Select one or more web application categories.
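The default tracker described in the note above (Initiator/Responder IP set to the Event IP Address, Client set to the Event Client) and the tracker conditions in Table 39-12, worked through as an added example. This is not code from the FireSIGHT guide or from the product; it is a small Python evaluator that builds the default constraints from a "new client detected" event and applies table-style conditions to connection records. The field names follow the table; the Connection record, the operator set, and every sample event and connection are assumptions constructed for the illustration. It also shows the caveat from the table: a TCP Flags condition can only match connections that carry flag data, which in the guide means NetFlow-exported connections.

```python
"""Added example: evaluate connection-tracker conditions against connection
records. Illustration only, not FMC/FireSIGHT code; the record layout,
operators and sample data are constructed for the example."""
from dataclasses import dataclass
from typing import Any, List, Optional, Tuple


@dataclass
class Connection:
    """A constructed connection record carrying the fields Table 39-12 can constrain."""
    initiator_ip: str
    responder_ip: str
    transport: str              # "TCP" or "UDP"
    initiator_port: int         # port number (or ICMP type)
    responder_port: int         # port number (or ICMP code)
    client: str
    initiator_bytes: int
    responder_bytes: int
    initiator_packets: int
    responder_packets: int
    url: str = ""
    netflow_device: Optional[str] = None   # exporter IP when NetFlow-sourced
    tcp_flags: Optional[frozenset] = None  # only NetFlow-exported connections carry flags

    def field(self, name: str) -> Any:
        """Resolve a table field name to this connection's value."""
        if name == "Initiator/Responder IP":
            return {self.initiator_ip, self.responder_ip}   # either endpoint
        if name == "Total Bytes":
            return self.initiator_bytes + self.responder_bytes
        if name == "Total Packets":
            return self.initiator_packets + self.responder_packets
        return {
            "Transport Protocol": self.transport,
            "Initiator Port/ICMP Type": self.initiator_port,
            "Responder Port/ICMP Code": self.responder_port,
            "Client": self.client,
            "Initiator Bytes": self.initiator_bytes,
            "Responder Bytes": self.responder_bytes,
            "Initiator Packets": self.initiator_packets,
            "Responder Packets": self.responder_packets,
            "URL": self.url,
            "NetFlow Device": self.netflow_device,
            "TCP Flags": self.tcp_flags,
        }[name]


Condition = Tuple[str, str, Any]   # (field, operator, value)

# Assumed operator set for the example (the product's own operator list may differ).
_OPS = {
    "is": lambda a, v: a == v,
    "is not": lambda a, v: a != v,
    ">": lambda a, v: a > v,
    ">=": lambda a, v: a >= v,
    "<": lambda a, v: a < v,
    "<=": lambda a, v: a <= v,
    "contains": lambda a, v: str(v) in str(a),   # "all or part of the URL"
}


def matches(conn: Connection, cond: Condition) -> bool:
    """Apply one condition. A field the connection does not carry (TCP Flags on a
    sensor-observed connection, NetFlow Device on a non-NetFlow one) never matches."""
    name, op, value = cond
    actual = conn.field(name)
    if actual is None:
        return False
    if isinstance(actual, (set, frozenset)):
        # Set-valued fields: "is" means the value is present (either endpoint
        # IP, or the flag is set); "is not" means it is absent.
        if op == "is":
            return value in actual
        if op == "is not":
            return value not in actual
        raise ValueError(f"operator {op!r} not valid for {name}")
    return _OPS[op](actual, value)


def tracker_for_new_client(event: dict) -> List[Condition]:
    """Default constraints the guide describes for a rule whose base event is
    'a new client is detected': Initiator/Responder IP is the Event IP Address
    and Client is the Event Client."""
    return [("Initiator/Responder IP", "is", event["ip"]),
            ("Client", "is", event["client"])]


def track(connections: List[Connection], conditions: List[Condition]) -> List[Connection]:
    """Return the connections satisfying every condition (conditions are ANDed)."""
    return [c for c in connections if all(matches(c, k) for k in conditions)]


# Constructed sample data for the illustration.
NEW_CLIENT_EVENT = {"ip": "10.0.0.5", "client": "Firefox"}
SAMPLE = [
    Connection("10.0.0.5", "203.0.113.10", "TCP", 51234, 443, "Firefox",
               1200, 58000, 10, 45, url="https://example.com/download"),
    Connection("10.0.0.5", "203.0.113.20", "TCP", 51235, 80, "Chrome",
               800, 2000, 5, 6),
    Connection("10.0.0.9", "203.0.113.10", "TCP", 51236, 443, "Firefox",
               500, 900, 4, 5),
    Connection("10.0.0.5", "198.51.100.7", "TCP", 51237, 22, "Firefox",
               300, 300, 3, 3, netflow_device="192.0.2.1",
               tcp_flags=frozenset({"SYN", "ACK"})),
]

if __name__ == "__main__":
    base = tracker_for_new_client(NEW_CLIENT_EVENT)
    print(len(track(SAMPLE, base)), "connections involve the new client on 10.0.0.5")
    print(len(track(SAMPLE, base + [("Total Bytes", ">", 50000)])), "of them moved more than 50000 bytes")
    print(len(track(SAMPLE, base + [("TCP Flags", "is", "SYN")])), "carry a SYN flag (NetFlow-exported only)")
```

The default constraints alone pick up the two Firefox connections on 10.0.0.5 and ignore the Chrome connection on the same host and the Firefox connection on 10.0.0.9. Adding a Total Bytes condition narrows the set further, and the TCP Flags condition only ever matches the NetFlow-exported record, because the sensor-observed ones carry no flag data and so cannot satisfy it.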