Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 39      Configuring Correlation Policies and Rules
  Creating Correlation Policies
Step 1  On the Create Policy page, from the Priority list for each rule or white list, select a default priority. You can select:
  • a priority value from 1 to 5, where 1 is highest and 5 is lowest
  • None
  • Default to use the policy’s default priority
Step 2  Continue with the procedure in the next section,
Adding Responses to Rules and White Lists
License: Any
Within a correlation policy, you can map each rule or white list to a single response or to a group of 
responses. When any one of the rules or white lists in a policy is violated, the system logs an associated 
event to the database and launches the responses assigned to that rule or white list. If multiple rules or 
white lists within a policy trigger, the Defense Center launches the responses associated with each rule 
or white list. 
For more information on creating responses and response groups, see:
  •
  •
  •
Note  Do not assign an Nmap remediation as a response to a correlation rule that triggers on a traffic profile change. The remediation will not launch.
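The following is an added example, not part of the Cisco guide and not the Defense Center's API or export format. It models the priority choices and response mapping described above so a policy design can be reviewed offline, and it flags the Nmap remediation case from the note. The class names, the `trigger` label and all sample names are hypothetical, and the policy's own default priority is assumed to be 1 to 5 or None.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    priority: object            # 1..5, "None", or "Default"
    responses: list             # names of responses or response groups
    trigger: str = "other"      # hypothetical label for what the rule triggers on

@dataclass
class Policy:
    default_priority: object    # assumed to be 1..5 or "None"
    rules: list
    groups: dict = field(default_factory=dict)           # group -> responses
    nmap_remediations: set = field(default_factory=set)  # names of Nmap remediations

def effective_priority(policy, rule):
    """Resolve "Default" to the policy's priority; "None" means no priority."""
    p = policy.default_priority if rule.priority == "Default" else rule.priority
    if p == "None":
        return None
    if p not in (1, 2, 3, 4, 5):
        raise ValueError(f"{rule.name}: invalid priority {p!r}")
    return p

def expand(policy, rule):
    """Flatten response groups into individual responses, keeping order."""
    out = []
    for r in rule.responses:
        for name in policy.groups.get(r, [r]):
            if name not in out:
                out.append(name)
    return out

def responses_for(policy, violated):
    """Priority and assigned responses for each violated rule, independently."""
    return {r.name: (effective_priority(policy, r), expand(policy, r))
            for r in policy.rules if r.name in violated}

def lint(policy):
    """Rules on traffic profile changes that have an Nmap remediation assigned."""
    return [r.name for r in policy.rules
            if r.trigger == "traffic_profile_change"
            and policy.nmap_remediations & set(expand(policy, r))]

# Constructed sample policy; all names are made up.
POLICY = Policy(
    default_priority=3,
    groups={"notify-soc": ["email-soc", "syslog-siem"]},
    nmap_remediations={"nmap-scan-host"},
    rules=[Rule("new-host-on-dmz", 1, ["notify-soc", "nmap-scan-host"]),
           Rule("profile-deviation", "Default", ["nmap-scan-host", "email-soc"],
                trigger="traffic_profile_change"),
           Rule("whitelist-violation", "None", ["syslog-siem"])])
```

Any rule name returned by `lint(POLICY)` has an Nmap remediation assigned that, per the note above, will not launch, so the assignment should be replaced with a different response.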
The following graphic shows a correlation policy composed of a compliance white list and a set of 
correlation rules, configured with a variety of responses.