Cisco Cisco Firepower Management Center 4000
39-48
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Managing Correlation Policies
To add responses to rules and white lists:
Access:
Admin/Discovery Admin
Step 1
On the Create Policy page, next to a rule or white list where you want to add responses, click the
responses icon (
responses icon (
).
A pop-up window appears.
Step 2
Under
Unassigned Responses
, select the response, multiple responses, or response group you want to
launch when the rule or white list triggers, and click the up arrow.
Tip
Hold down the Ctrl key while clicking to select multiple responses.
Step 3
Click
Update
.
The Create Policy page appears again. The responses you specified are added to the rule or white list.
Managing Correlation Policies
License:
Any
You manage correlation policies on the Policy Management page. You can create, modify, sort, activate,
deactivate, and delete policies.
deactivate, and delete policies.
The slider next to the policy indicates whether the group is active. If you want the policy to generate
correlation events and white list events, you must activate it. You can sort policies by state (active versus
inactive) or alphabetically by name using the
correlation events and white list events, you must activate it. You can sort policies by state (active versus
inactive) or alphabetically by name using the
Sort by
drop-down list.
If an active correlation policy contains a compliance white list, the following actions do not delete the
host attribute associated with the white list, nor do they change that host attribute’s values:
host attribute associated with the white list, nor do they change that host attribute’s values:
•
deactivating the policy
•
modifying the policy to remove the white list
•
deleting the policy
That is, hosts that were compliant when you performed the action still appear as compliant on the host
attributes network map, and so on. To delete the host attribute, you must delete its corresponding white
list.
attributes network map, and so on. To delete the host attribute, you must delete its corresponding white
list.
To update the white list compliance of the hosts on your network, you must either reactivate the
correlation policy (if you deactivated it) or add the white list to another active correlation policy (if you
deleted the white list from a correlation policy or deleted the policy itself). Note that the reevaluation of
the white list that occurs when you do this does not generate white list events and therefore does not
trigger any responses you associated with the white list. For more information on compliance white lists,
see
correlation policy (if you deactivated it) or add the white list to another active correlation policy (if you
deleted the white list from a correlation policy or deleted the policy itself). Note that the reevaluation of
the white list that occurs when you do this does not generate white list events and therefore does not
trigger any responses you associated with the white list. For more information on compliance white lists,
see
.
For more information on managing correlation policies, see:
•
•
•
For information on creating new policies, see
.