Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Working with Correlation Events
39-54
To search for correlation events:

Access: Admin/Any Security Analyst

Step 1  Select Analysis > Search.
The Search page appears.

Step 2  From the Table drop-down list, select Correlation Events.
The page reloads with the appropriate constraints.

Step 3  Optionally, if you want to save the search, enter a name for the search in the Name field.
If you do not enter a name, one is created automatically when you save the search.
Table 39-18 Correlation Event Search Criteria (continued)

Field                                   Search Criteria Rules

Source Port/ICMP Type or Destination Port/ICMP Code
    Specify the source port or ICMP type for source traffic, or the destination port or ICMP code for destination traffic, associated with the event that triggered the policy violation.

Impact
    Specify the impact flag assigned to the correlation event. Valid case-insensitive values are Impact 0, Impact Level 0, Impact 1, Impact Level 1, Impact 2, Impact Level 2, Impact 3, Impact Level 3, Impact 4, and Impact Level 4. Do not use impact icon colors or partial strings (for example, do not use blue, level 1, or 0). For more information, see .

Inline Result
    For policy violations triggered by intrusion events, type either:
    • dropped, to specify whether the packet was dropped in an inline, switched, or routed deployment
    • would have dropped, to specify whether the packet would have dropped if the intrusion policy had been set to drop packets in an inline, switched, or routed deployment
    Note that the system does not drop packets in a passive deployment, including when an inline set is in tap mode, regardless of the rule state or the drop behavior of the intrusion policy. For more information, see , and .

Source Host Criticality or Destination Host Criticality
    Specify the host criticality of the source or destination host involved in the policy violation: None, Low, Medium, or High. Note that only correlation events generated by rules based on discovery events, host input events, or connection events contain a source host criticality. For more information on host criticality, see .

Ingress Security Zone, Egress Security Zone, or Ingress/Egress Security Zone
    Specify the ingress, egress, or ingress or egress security zone in the intrusion or connection event that triggered the policy violation.

Device
    Type the name, group name, or IP address of the device that generated the event that triggered the policy violation. See , , and .

Ingress Interface or Egress Interface
    Specify the ingress or egress interface in the intrusion or connection event that triggered the policy violation.