Cisco FirePOWER Appliance 8250
39-12
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Syntax for User Activity Events
License: FireSIGHT

If you base your correlation rule on user activity, you must first choose the type of user activity you want to use from a drop-down list, either:
• a user logged into a host, or
• a new user identity was detected

After you choose the user activity type, you can build correlation rule conditions as described in the table below. Depending on the type of user activity you choose, you can build conditions using subsets of the criteria in the following table; for correlation rules triggered on new user identity, you cannot specify an IP address.
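The following is an added worked example, not code from the Cisco guide: a small Python model of a user activity correlation rule that enforces the constraint just stated (an IP Address condition is only valid for "user logged into a host" rules, never for "new user identity" rules) and then evaluates the rule against a few constructed user activity events. The operator names "is" and "is not", the field names, the event dictionaries and the device names are assumptions made for the example; the guide only says to select an operator and shows the Device, IP Address and Username criteria.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# The two user activity types the guide offers in the drop-down list.
USER_LOGGED_IN = "user logged into a host"
NEW_USER_IDENTITY = "new user identity was detected"

# Criteria each activity type may condition on. Per the guide, rules triggered
# on a new user identity cannot specify an IP address.
ALLOWED_FIELDS = {
    USER_LOGGED_IN: {"device", "ip_address", "username"},
    NEW_USER_IDENTITY: {"device", "username"},
}

# Operator names are an assumption for this example; the guide only says
# "select an operator".
OPERATORS = ("is", "is not")


@dataclass
class Condition:
    name: str        # "device", "ip_address" or "username"
    operator: str    # one of OPERATORS
    value: str       # device name, username, or IP address / CIDR block


@dataclass
class UserActivityRule:
    activity_type: str
    conditions: List[Condition]


def validate_rule(rule: UserActivityRule) -> List[str]:
    """Return a list of problems; an empty list means the rule is well-formed."""
    problems = []
    allowed = ALLOWED_FIELDS.get(rule.activity_type)
    if allowed is None:
        return [f"unknown user activity type: {rule.activity_type!r}"]
    for c in rule.conditions:
        if c.name not in allowed:
            problems.append(f"{c.name} cannot be used with {rule.activity_type!r}")
        if c.operator not in OPERATORS:
            problems.append(f"unsupported operator {c.operator!r}")
        if c.name == "ip_address":
            try:
                # Accept a single address or an address block in CIDR notation.
                ipaddress.ip_network(c.value, strict=False)
            except ValueError:
                problems.append(f"bad IP address or block: {c.value!r}")
    return problems


def condition_matches(c: Condition, event: Dict[str, str]) -> bool:
    if c.name == "ip_address":
        # An address block matches any address inside it.
        net = ipaddress.ip_network(c.value, strict=False)
        hit = ipaddress.ip_address(event["ip_address"]) in net
    else:
        hit = event[c.name] == c.value
    return hit if c.operator == "is" else not hit


def rule_matches(rule: UserActivityRule, event: Dict[str, str]) -> bool:
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    # The activity type is checked first, so a new-identity event (which
    # carries no ip_address) is never evaluated against an IP condition.
    return event["activity_type"] == rule.activity_type and all(
        condition_matches(c, event) for c in rule.conditions
    )


def matching_events(rule: UserActivityRule, events: List[Dict[str, str]]) -> List[int]:
    """Indices of the events that would trigger the rule."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]


# Constructed sample events; the device names, addresses and username are made up.
EVENTS = [
    {"activity_type": USER_LOGGED_IN, "device": "sensor-1",
     "ip_address": "10.20.30.40", "username": "svc_backup"},
    {"activity_type": USER_LOGGED_IN, "device": "sensor-2",
     "ip_address": "192.0.2.7", "username": "svc_backup"},
    {"activity_type": NEW_USER_IDENTITY, "device": "sensor-1",
     "username": "svc_backup"},
]

# Alert when a service account logs in from outside the internal 10.0.0.0/8 block.
LOGIN_OUTSIDE_INTERNAL = UserActivityRule(USER_LOGGED_IN, [
    Condition("username", "is", "svc_backup"),
    Condition("ip_address", "is not", "10.0.0.0/8"),
])

# Ill-formed: a new-identity rule may not carry an IP Address condition.
NEW_IDENTITY_WITH_IP = UserActivityRule(NEW_USER_IDENTITY, [
    Condition("ip_address", "is", "10.0.0.0/8"),
])

if __name__ == "__main__":
    print("well-formed:", validate_rule(LOGIN_OUTSIDE_INTERNAL))
    print("ill-formed:", validate_rule(NEW_IDENTITY_WITH_IP))
    print("events triggering the rule:", matching_events(LOGIN_OUTSIDE_INTERNAL, EVENTS))
```

Only the second event (a login from 192.0.2.7, outside 10.0.0.0/8) triggers the rule; the new-identity event is skipped because its activity type differs, and the ill-formed rule is rejected before any event is evaluated.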
Table 39-5 Syntax for Discovery Events (continued)

If you specify...
Select an operator, then...

MAC Vendor
    Type all or part of the name of the MAC hardware vendor of the NIC used by the network traffic that triggered the discovery event.
Mobile
    Select Yes to indicate that the host in the event is a mobile device or No to indicate that it is not.
NETBIOS Name
    Type the NetBIOS name of the host.
Network Protocol or Transport Protocol
OS Name
    Select one or more operating system names.
OS Vendor
    Select one or more operating system vendors.
OS Version
    Select one or more operating system versions.
Source
    Select the source of the host input data (for operating system and server identity changes and timeouts).
Source Type
    Select the type of the source for the host input data (for operating system and server identity changes and timeouts).
VLAN ID
    Type the VLAN ID of the host involved in the event.
Web Application
    Select a web application.

Table 39-6 Syntax for User Activity

If you specify...
Select an operator, then...

Device
    Select one or more devices that may have detected the user activity.
IP Address
    Type a single IP address or address block. For information on using IP address notation in the FireSIGHT System, see
Username
    Type a username.

Syntax for Host Input Events
License: FireSIGHT