Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 39-34

Chapter 39  Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Caution: Evaluating complex correlation rules that trigger on frequently occurring events can degrade Defense Center performance. For example, a multi-condition rule that the Defense Center must evaluate against every connection logged by the system can cause resource overload.
For more information on condition building, see:
Building a Single Condition
License: Any
Most conditions have three parts: a category, an operator, and a value; some conditions are more complex and contain several categories, each of which may have their own operators and values.

For example, the following correlation rule triggers if a new host is detected on the 10.4.x.x network. The category of the condition is "IP Address", the operator is "is in", and the value is "10.4.0.0/16".
To build the correlation rule trigger criteria in the example above:
Access: Admin/Discovery Admin
Step 1  Begin building a correlation rule. For more information, see
Step 2  On the Create Rule page, under "Select the type of event for this rule", select "a discovery event occurs", then select "a new IP host is detected" from the drop-down list.
Step 3  Start building the rule's single condition by selecting "IP Address" from the first (or category) drop-down list.
Step 4  Select "is in" from the operator drop-down list that appears.
Tip: When the category represents an IP address, choosing "is in" or "is not in" as the operator allows you to specify whether the IP address is in or is not in a block of IP addresses, as expressed in special notation such as CIDR. For information on using IP address notation in the FireSIGHT System, see .
Step 5  Type "10.4.0.0/16" in the text field.
In contrast, the following host profile qualification is more complex; it constrains a correlation rule such that the rule triggers only if the host involved in the discovery event on which the rule is based is running a version of Microsoft Windows.
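As an added illustration that is not part of the guide, the following Python models how the Defense Center would evaluate the single condition built in Steps 1 through 5 (IP Address is in 10.4.0.0/16) and the Windows host profile qualification mentioned above against a stream of discovery events. The event field names ("type", "IP Address", "OS Vendor") and the AND semantics across conditions are assumptions of this model, not FireSIGHT internals.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    category: str   # e.g. "IP Address" (the first drop-down on the Create Rule page)
    operator: str   # "is in" / "is not in" for IP categories, "is" / "is not" otherwise
    value: str      # a CIDR block for IP categories, a plain string otherwise

@dataclass(frozen=True)
class CorrelationRule:
    trigger_event: str          # e.g. "a new IP host is detected"
    conditions: tuple           # every condition must hold (AND) for the rule to trigger

def ip_in_block(ip: str, block: str) -> bool:
    """True if ip lies inside block (CIDR or single address); malformed or mixed-version input never matches."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(block, strict=False)
    except ValueError:
        return False

def condition_matches(cond: Condition, event: dict) -> bool:
    """Evaluate one category/operator/value condition against a single discovery event."""
    actual = event.get(cond.category)
    if actual is None:
        return False                      # the event carries no field for this category
    if cond.operator in ("is in", "is not in"):
        inside = ip_in_block(actual, cond.value)
        return inside if cond.operator == "is in" else not inside
    equal = actual == cond.value
    return equal if cond.operator == "is" else not equal

def rule_triggers(rule: CorrelationRule, event: dict) -> bool:
    """The rule fires only for its own trigger event type and only if every condition holds."""
    return event.get("type") == rule.trigger_event and all(
        condition_matches(c, event) for c in rule.conditions)

def triggered_hosts(rule: CorrelationRule, events: list) -> list:
    """IP addresses of the events that would trigger the rule, in arrival order."""
    return [e["IP Address"] for e in events if rule_triggers(rule, e)]

# The guide's example rule: a new IP host is detected, IP Address is in 10.4.0.0/16.
EXAMPLE_RULE = CorrelationRule("a new IP host is detected",
                               (Condition("IP Address", "is in", "10.4.0.0/16"),))
# The same rule with the host profile qualification (field name "OS Vendor" is assumed).
WINDOWS_RULE = CorrelationRule(EXAMPLE_RULE.trigger_event,
                               EXAMPLE_RULE.conditions + (Condition("OS Vendor", "is", "Microsoft"),))
# Constructed sample discovery events (not real FireSIGHT output).
SAMPLE_EVENTS = [
    {"type": "a new IP host is detected", "IP Address": "10.4.12.7", "OS Vendor": "Microsoft"},
    {"type": "a new IP host is detected", "IP Address": "10.4.200.3", "OS Vendor": "Linux"},
    {"type": "a new IP host is detected", "IP Address": "10.5.0.1", "OS Vendor": "Microsoft"},
    {"type": "a new TCP port is detected", "IP Address": "10.4.0.9", "OS Vendor": "Microsoft"},
    {"type": "a new IP host is detected", "IP Address": "fe80::1", "OS Vendor": "Microsoft"},
]
```

The port event is excluded by the trigger type rather than by the condition, and the IPv6 host never satisfies "is in" for an IPv4 block, which is why a rule using "is not in" would match it.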