Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 39      Configuring Correlation Policies and Rules
  Creating Rules for Correlation Policies
When you are finished adding snooze and inactive periods, continue with step 
 of the procedure in 
 to save the rule.
Understanding Rule Building Mechanics
License: Any
You build correlation rules, connection trackers, user qualifications, and host profile qualifications by 
specifying the conditions under which they trigger. You can create simple conditions, or you can create 
more elaborate constructs by combining and nesting conditions.
For example, if you want to generate a correlation event every time a new host is detected, you can create 
a very simple rule with no conditions at all, as shown in the following graphic: the base event (a new host 
is detected) is enough on its own.
If you want to constrain the rule further, so that it generates an event only when the new host is detected 
on the 10.4.x.x network, you add a single condition, as shown in the following graphic.
The following rule, by contrast, detects SSH activity on a non-standard port on either the 10.4.x.x network 
or the 192.168.x.x network. It has four conditions, with the bottom two (the two network conditions) nested 
together into a single complex condition.
The syntax available within a condition depends on the element you are building (a correlation rule, a 
connection tracker, a user qualification, or a host profile qualification), but the mechanics of combining 
and nesting conditions are the same in every case.
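To make the combine-and-nest mechanics concrete outside the web interface, here is an added example (not code from the FireSIGHT System, and not its rule syntax) that models the three rules above as data and evaluates them against constructed events. The condition format, the field names (`ip`, `app_protocol`, `responder_ip`, `responder_port`), the operator names and the assumption that "non-standard port" means a responder port other than 22 are all assumptions made for this illustration; the point it shows is how a flat list of simple conditions differs from a nested complex condition, and why the two network checks must be grouped with OR rather than left as a plain AND with the other conditions.

```python
"""Toy evaluator for nested correlation-rule conditions (added example).

Not the FireSIGHT rule syntax. Assumed, constructed representation:
  - a simple condition is a (field, operator, value) tuple
  - a complex condition is {"op": "AND" | "OR", "conditions": [...]} and
    may nest to any depth
  - an empty list means "no conditions": the rule triggers on every event
    of its base type (e.g. "a new host is detected")
"""
import ipaddress


def match_simple(cond, event):
    """Evaluate one simple condition against an event dict."""
    field, op, value = cond
    actual = event.get(field)
    if actual is None:  # field absent from the event: cannot match
        return False
    if op == "is":
        return actual == value
    if op == "is not":
        return actual != value
    if op == "is in":  # CIDR membership, e.g. host on the 10.4.x.x network
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value)
    if op == "is not in":
        return ipaddress.ip_address(actual) not in ipaddress.ip_network(value)
    raise ValueError(f"unsupported operator: {op}")


def evaluate(rule, event):
    """Recursively evaluate a rule (simple, complex, or empty) against an event."""
    if not rule:  # no conditions at all: always triggers
        return True
    if isinstance(rule, dict):  # complex condition: combine nested results
        results = (evaluate(c, event) for c in rule["conditions"])
        return all(results) if rule["op"] == "AND" else any(results)
    return match_simple(rule, event)


# Rule 1: new host detected, no conditions.
NEW_HOST_RULE = []

# Rule 2: new host detected, one condition constraining it to 10.4.x.x.
NEW_HOST_ON_10_4 = ("ip", "is in", "10.4.0.0/16")

# Rule 3: SSH on a non-standard port on 10.4.x.x OR 192.168.x.x.
# Four conditions; the bottom two are nested into one complex OR condition.
# Assumed field names and the "port is not 22" reading are constructed here.
SSH_NONSTANDARD_PORT = {
    "op": "AND",
    "conditions": [
        ("app_protocol", "is", "SSH"),
        ("responder_port", "is not", 22),
        {
            "op": "OR",
            "conditions": [
                ("responder_ip", "is in", "10.4.0.0/16"),
                ("responder_ip", "is in", "192.168.0.0/16"),
            ],
        },
    ],
}

# Constructed sample events (not captured from a real sensor).
SAMPLE_EVENTS = [
    {"app_protocol": "SSH", "responder_port": 2222, "responder_ip": "10.4.1.7"},
    {"app_protocol": "SSH", "responder_port": 22, "responder_ip": "10.4.1.7"},
    {"app_protocol": "SSH", "responder_port": 2222, "responder_ip": "172.16.0.5"},
    {"app_protocol": "HTTP", "responder_port": 2222, "responder_ip": "192.168.1.9"},
    {"app_protocol": "SSH", "responder_port": 2222, "responder_ip": "192.168.1.9"},
]


def matching_events(rule, events):
    """Return the events that would trigger the given rule."""
    return [e for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    for e in matching_events(SSH_NONSTANDARD_PORT, SAMPLE_EVENTS):
        print("correlation event:", e)
```

Flattening the two network conditions into the top-level AND would require a single responder to sit on both networks at once, so the rule would never fire; grouping them as a nested OR is what the "complex condition" in the graphic expresses.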