Cisco Cisco Firepower Management Center 4000

39-41

FireSIGHT System User Guide

Chapter 39 Configuring Correlation Policies and Rules

Grouping Correlation Responses

Step 1

Select

Policies > Correlation

then select the

Rule Management

tab.

The Rule Management page appears.

Step 2

If the rule is in a rule group, click the group name to expand the group.

Step 3

Next to the rule you want to delete, click the delete icon (

Step 4

Confirm that you want to delete the rule.

The rule is deleted.

Creating a Rule Group

License:

Any

Create rule groups to help you organize correlation rules. The FireSIGHT System ships with many
default rules, which are grouped according to function. For example, the Worms rule group comprises
rules that detect activity by common worms. Note that rule groups exist only to help you organize
correlation rules; you cannot assign a group of rules to a correlation policy. Instead, add each rule
individually.

You can add a rule to an existing group when you create the rule. You can also modify an existing rule
to add it to a group. For more information, see the following sections:

•

Creating Rules for Correlation Policies, page 39-2

•

Modifying a Rule, page 39-40

Tip

To delete a rule group, click the delete icon (

) next to the group you want to delete. When you delete

a rule group, rules that were in the group are not deleted. Rather, they merely become ungrouped

To create a rule group:

Access:

Admin/Discovery Admin

Step 1

Select

Policies > Correlation

then select the

Rule Management

tab.

The Rule Management page appears.

Step 2

Click

Create Group

The Create Group page appears.

Step 3

In the

Group Name

field, type a name for the group.

Step 4

Click

Add Group

The group is added.

Grouping Correlation Responses

License:

Any