Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 39-52
Chapter 39    Configuring Correlation Policies and Rules
Working with Correlation Events
Tip: If you are using a custom workflow that does not include the table view of correlation events, click (switch workflow), then select Correlation Events.
Understanding the Correlation Events Table
License: Any
When a correlation rule triggers, the Defense Center generates a correlation event. The fields in the 
correlation events table are described in the following table.
Table 39-17    Correlation Event Fields

Time
    The date and time that the correlation event was generated.

Impact
    The impact level assigned to the correlation event based on the correlation between intrusion data, discovery data, and vulnerability information. For more information, see

Inline Result
    One of:
      • a black down arrow, indicating that the system dropped the packet that triggered the intrusion rule
      • a gray down arrow, indicating that the system would have dropped the packet in an inline, switched, or routed deployment if you enabled the Drop when Inline intrusion policy option
      • blank, indicating that the triggered intrusion rule was not set to Drop and Generate Events
    Note that the system does not drop packets in a passive deployment, including when an inline set is in tap mode, regardless of the rule state or the drop behavior of the intrusion policy. For more information, see , and

Source IP or Destination IP
    The IP address of the source or destination host in the event that triggered the policy violation.

Source User or Destination User
    The name of the user logged in to the source or destination host in the event that triggered the policy violation.

Source Port/ICMP Type or Destination Port/ICMP Code
    The source port or ICMP type for the source traffic, or the destination port or ICMP code for the destination traffic, associated with the event that triggered the policy violation.

Description
    The description of the correlation event. The information in the description depends on how the rule was triggered. For example, if the rule was triggered by an operating system information update event, the new operating system name and confidence level appear.

Policy
    The name of the policy that was violated.

Rule
    The name of the rule that triggered the policy violation.

Priority
    The priority specified by the policy or rule that triggered the policy violation.
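The following is an added example, not code from the user guide or from Cisco, showing how an analyst might load correlation events carrying the fields of Table 39-17 and sort out the ones that need attention first. The CSV text is constructed for this example and is not the Defense Center's export format; the column names follow the table, the text values "dropped", "would-drop" and blank stand in for the black arrow, gray arrow and blank of the Inline Result column, and the example assumes Impact and Priority are stored as numbers with 1 the most severe. The triage rule it applies comes straight from the Inline Result description: a severe event whose packet was not actually dropped (gray arrow or blank) is the one a defender should review, because the intrusion policy did not stop it.

```python
"""Triage of FireSIGHT correlation events using the fields of Table 39-17.

Added example. SAMPLE_CSV is constructed for this example and is not a real
Defense Center export; column names follow the table, the inline-result text
values are this example's own labels for the console's black arrow, gray
arrow and blank, and Impact/Priority are assumed numeric with 1 most severe.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Meaning of each Inline Result value, as the table describes it.
INLINE_RESULT_MEANING = {
    "dropped": "the system dropped the packet that triggered the intrusion rule",
    "would-drop": "the system would have dropped the packet in an inline, switched, "
                  "or routed deployment if Drop when Inline were enabled",
    "": "the triggered intrusion rule was not set to Drop and Generate Events",
}

# Constructed sample rows (policy, rule and host values are invented).
SAMPLE_CSV = """\
Time,Impact,Inline Result,Source IP,Destination IP,Source User,Destination User,Source Port/ICMP Type,Destination Port/ICMP Code,Description,Policy,Rule,Priority
2014-03-01 10:00:01,1,dropped,10.0.0.5,192.0.2.10,alice,,51234,445,Intrusion event,Workstation Policy,SMB exploit attempt,1
2014-03-01 10:00:07,2,would-drop,10.0.0.5,192.0.2.10,alice,,51240,445,Intrusion event,Workstation Policy,SMB exploit attempt,1
2014-03-01 10:02:15,4,,10.0.0.9,192.0.2.20,,svc-web,43210,80,New operating system: Linux (confidence 80%),Workstation Policy,OS change,3
2014-03-01 10:05:30,3,,10.0.0.9,198.51.100.7,,,8,0,ICMP echo request to untrusted host,Egress Policy,ICMP to external,2
"""


@dataclass(frozen=True)
class CorrelationEvent:
    time: str
    impact: int
    inline_result: str            # key of INLINE_RESULT_MEANING
    source_ip: str
    destination_ip: str
    source_user: Optional[str]
    destination_user: Optional[str]
    source_port: str              # source port or ICMP type
    destination_port: str         # destination port or ICMP code
    description: str
    policy: str
    rule: str
    priority: int


def load_events(csv_text: str) -> List[CorrelationEvent]:
    """Parse CSV rows with Table 39-17 column names into CorrelationEvent records."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        inline = row["Inline Result"].strip()
        if inline not in INLINE_RESULT_MEANING:
            raise ValueError(f"unknown inline result {inline!r}")
        events.append(CorrelationEvent(
            time=row["Time"],
            impact=int(row["Impact"]),
            inline_result=inline,
            source_ip=row["Source IP"],
            destination_ip=row["Destination IP"],
            source_user=row["Source User"] or None,        # blank means no user known
            destination_user=row["Destination User"] or None,
            source_port=row["Source Port/ICMP Type"],
            destination_port=row["Destination Port/ICMP Code"],
            description=row["Description"],
            policy=row["Policy"],
            rule=row["Rule"],
            priority=int(row["Priority"]),
        ))
    return events


def explain_inline_result(event: CorrelationEvent) -> str:
    """Human-readable meaning of the event's Inline Result value."""
    return INLINE_RESULT_MEANING[event.inline_result]


def count_by_rule(events: List[CorrelationEvent]) -> Counter:
    """How many times each (policy, rule) pair triggered."""
    return Counter((e.policy, e.rule) for e in events)


def triage_order(events: List[CorrelationEvent]) -> List[CorrelationEvent]:
    """Most urgent first: priority, then impact, then time (1 = most severe, assumed)."""
    return sorted(events, key=lambda e: (e.priority, e.impact, e.time))


def not_dropped_high_impact(events: List[CorrelationEvent],
                            max_impact: int = 2) -> List[CorrelationEvent]:
    """Severe events whose packet was NOT dropped: gray arrow or blank inline result.

    These are the ones to review, since the intrusion policy did not stop them
    (for example because Drop when Inline is off or the deployment is passive).
    """
    return triage_order([e for e in events
                         if e.impact <= max_impact and e.inline_result != "dropped"])


if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    for e in not_dropped_high_impact(evs):
        print(e.time, e.policy, "/", e.rule, "->", explain_inline_result(e))
```

Run as a script it prints the one sample event that is both severe and not dropped; the functions return plain lists and Counters so the same logic can be wired to a real export once its column names are mapped onto the table's field names.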