Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 39      Configuring Correlation Policies and Rules 
  Creating Rules for Correlation Policies
Note: Where the condition syntax allows you to pick a value from a drop-down list, you can often use
multiple values from the list. For more information, see
For more information on the syntax for building correlation rule trigger criteria, see:
For more information on the syntax for building host profile qualifications, user qualifications, and 
connection trackers, see:
Adding and Linking Conditions
License: Any
You can create simple correlation rule triggers, connection trackers, host profile qualifications, and user 
qualifications, or you can create more elaborate constructs by combining and nesting conditions.
When your construct includes more than one condition, you must link them with an AND or an OR
operator. Conditions on the same level are evaluated together:
  • The AND operator requires that all conditions on the level it controls must be met.
  • The OR operator requires that at least one of the conditions on the level it controls must be met.
For example, the following correlation rule trigger criteria contain two conditions, linked by OR. This
means that the rule triggers if either condition is true, that is, if a host has an IP address that is not
in the 10.x.x.x subnet or if a host transmits an IGMP message.
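
The level-by-level AND/OR evaluation described above can be sketched in code. This is an added illustration, not part of the guide and not the product's rule format or implementation. The tuple layout, the event field names (src_ip, protocol) and the sample events are assumptions made for the sketch, and the nested rule goes one step beyond the guide's two-condition example.

```python
import ipaddress

# Leaf conditions. The event field names are assumptions for this sketch.
def ip_not_in(network):
    net = ipaddress.ip_network(network)
    return lambda ev: ipaddress.ip_address(ev["src_ip"]) not in net

def protocol_is(name):
    return lambda ev: ev["protocol"].upper() == name

def evaluate(node, event):
    """A node is a leaf condition or (operator, [children]).
    The children of one node are the conditions on the same level."""
    if callable(node):
        return node(event)
    op, children = node
    if not children:
        raise ValueError("a level needs at least one condition")
    results = (evaluate(child, event) for child in children)
    if op == "AND":   # every condition on this level must be met
        return all(results)
    if op == "OR":    # at least one condition on this level must be met
        return any(results)
    raise ValueError(f"unknown operator: {op!r}")

# The guide's example: not in the 10.x.x.x subnet OR an IGMP message.
SIMPLE_RULE = ("OR", [ip_not_in("10.0.0.0/8"), protocol_is("IGMP")])

# Constructed nested rule: the second top-level condition is itself an OR level.
NESTED_RULE = ("AND", [
    ip_not_in("10.0.0.0/8"),
    ("OR", [protocol_is("IGMP"), protocol_is("ICMP")]),
])

# Constructed sample events.
EVENTS = [
    {"src_ip": "10.1.2.3", "protocol": "TCP"},
    {"src_ip": "10.1.2.3", "protocol": "IGMP"},
    {"src_ip": "192.0.2.7", "protocol": "TCP"},
    {"src_ip": "192.0.2.7", "protocol": "ICMP"},
]

def matches(rule):
    return [evaluate(rule, ev) for ev in EVENTS]

if __name__ == "__main__":
    for ev, s, n in zip(EVENTS, matches(SIMPLE_RULE), matches(NESTED_RULE)):
        print(ev, "simple:", s, "nested:", n)
```

The OR rule fires for three of the four events, while the nested AND rule fires only for the external ICMP event, which shows how much the choice of operator on each level changes alert volume.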