Cisco Firepower Management Center 4000
FireSIGHT System User Guide, Chapter 39: Configuring Correlation Policies and Rules (page 39-53)
Working with Correlation Events
Table 39-17 Correlation Event Fields (continued)

Field    Description

Source Host Criticality or Destination Host Criticality
    The user-assigned host criticality of the source or destination host involved in the correlation event: None, Low, Medium, or High. Note that only correlation events generated by rules based on discovery events, host input events, or connection events contain a source host criticality. For more information on host criticality, see .

Ingress Security Zone or Egress Security Zone
    The ingress or egress security zone in the intrusion or connection event that triggered the policy violation.

Device
    The name of the device that generated the event that triggered the policy violation.

Ingress Interface or Egress Interface
    The ingress or egress interface in the intrusion or connection event that triggered the policy violation.

Count
    The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows.

For more information on displaying the correlation events table, see the following:

Searching for Correlation Events

License: Any

You can search for specific correlation events. You may want to create searches customized for your network environment, then save them to reuse later. The following table describes the search criteria you can use.
Table 39-18 Correlation Event Search Criteria

Field    Search Criteria Rules

Policy
    Type the name of the correlation policy you want to search for.

Rule
    Type the name of the correlation rule you want to search for.

Description
    Type all or part of the correlation event description. The information in the description depends on the event that caused the rule to trigger.

Priority
    Specify the priority of the correlation event, which is determined by the priority of either the triggered rule or the violated correlation policy. Enter none for no priority. For information on setting correlation rule and policy priorities, see

Source IP, Destination IP, or Source/Destination IP
    Specify the IP address of the source, destination, or source or destination hosts in the event that triggered the policy violation. You can specify a single IP address or address block, or a comma-separated list of either or both. You can also use negation. See for more information.

Source User or Destination User
    Specify the user logged in to the source or destination host in the event that triggered the policy violation.
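The IP search criteria above (single address, address block, comma-separated list, negation, and the Source/Destination IP field matching either side) can be modelled as a small filter. This is an added example, not code from the FireSIGHT guide or the product; it assumes a leading "!" marks a negated entry and that an address matches when no negated entry covers it and, if any positive entries exist, at least one covers it. The events are constructed sample data.

```python
import ipaddress

# Constructed sample correlation events (not taken from the guide).
EVENTS = [
    {"policy": "Lateral Movement", "src": "10.1.1.5",   "dst": "10.1.2.9"},
    {"policy": "Lateral Movement", "src": "10.1.1.99",  "dst": "172.16.0.4"},
    {"policy": "Scanner Detected", "src": "192.0.2.10", "dst": "10.1.1.5"},
    {"policy": "Scanner Detected", "src": "10.1.3.7",   "dst": "198.51.100.2"},
]


def parse_ip_criteria(text):
    """Split a criteria string into (include, exclude) network lists.

    Assumed syntax: comma-separated single addresses or CIDR blocks; a
    leading '!' marks a negated entry. Surrounding whitespace is ignored.
    A single address becomes a /32 (or /128) network.
    """
    include, exclude = [], []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue
        negate = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        (exclude if negate else include).append(net)
    return include, exclude


def ip_matches(addr, include, exclude):
    """Assumed semantics: a negated entry always wins; otherwise the address
    must fall in some positive entry, unless there are no positive entries."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in exclude):
        return False
    return not include or any(ip in net for net in include)


def search_events(events, criteria, field="src/dst"):
    """Return events whose source, destination, or either address satisfies
    the criteria. field is 'src', 'dst', or 'src/dst' (either side)."""
    include, exclude = parse_ip_criteria(criteria)
    fields = ("src", "dst") if field == "src/dst" else (field,)
    return [e for e in events
            if any(ip_matches(e[f], include, exclude) for f in fields)]


if __name__ == "__main__":
    # Everything in 10.1.0.0/16 on either side, except the host 10.1.1.99.
    for e in search_events(EVENTS, "10.1.0.0/16, !10.1.1.99"):
        print(e["policy"], e["src"], "->", e["dst"])
```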