Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide, Chapter 39: Configuring Correlation Policies and Rules (page 39-17)
Creating Rules for Correlation Policies
Adding a Host Profile Qualification
License: FireSIGHT
If you are using a connection, intrusion, discovery, user activity, or host input event to trigger your correlation rule, you can constrain the rule based on the host profile of a host involved in the event. This constraint is called a host profile qualification.
Note: You cannot add a host profile qualification to a correlation rule that triggers on a malware event, traffic profile change, or on the detection of a new IP host.
For example, you could constrain a correlation rule so that it triggers only when a Microsoft Windows host is the target of the offending traffic, because only Microsoft Windows computers are vulnerable to the vulnerability the rule is written for. As another example, you could constrain a correlation rule so that it triggers only when the host is out of compliance with a white list.
To match against implied or generic clients, create a host profile qualification based on the application protocol used by the server responding to the client. When the client list on a host that acts as the initiator or source of a connection includes an application protocol name followed by "client", that client may actually be an implied client. In other words, the system reports that client based on server response traffic that uses the application protocol for that client, not on detected client traffic.
For example, if the system reports "HTTPS client" as a client on a host, create a host profile qualification for Responder Host or Destination Host where Application Protocol is set to HTTPS, because "HTTPS client" is reported as a generic client based on the HTTPS server response traffic sent by the responder or destination host.
Table 39-10   Syntax for Traffic Profile Changes (continued)

If you specify...                 Select an operator, then type...                                      And then choose one of the following...

Total Packets,                    one of:                                                               packets
Initiator Packets, or             • the total packets transmitted (Total Packets)                       standard deviation(s)
Responder Packets                 • the number of packets transmitted (Initiator Packets)
                                  • the number of packets received (Responder Packets)
                                  or the number of standard deviations either above or below the mean
                                  that one of the above criteria must be in to trigger the rule

Unique Initiators                 the number of unique hosts that initiated sessions                    initiators
                                  or the number of standard deviations either above or below the mean   standard deviation(s)
                                  that the number of unique initiators detected must be to trigger the
                                  rule

Unique Responders                 the number of unique hosts that responded to sessions                 responders
                                  or the number of standard deviations either above or below the mean   standard deviation(s)
                                  that the number of unique responders detected must be to trigger the
                                  rule
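As an added example (not from the guide, and not how the FireSIGHT System implements it internally), the Python below evaluates a traffic-profile condition with the semantics Table 39-10 describes: the criterion is compared either with a raw count or with the baseline mean shifted by a number of standard deviations above or below it. The baseline samples, the operator spellings and the function names are this example's own assumptions.

```python
"""Evaluate a traffic-profile change condition in the shape of Table 39-10.

A condition names a criterion (Total Packets, Initiator Packets, Responder
Packets, Unique Initiators or Unique Responders), a comparison operator, a
value and a unit: either a raw count, or a number of standard deviations
above or below the mean that the traffic profile's baseline established.
"""
import operator
import statistics

# Comparison operators assumed for "Select an operator" (not taken from the guide).
OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}

# Constructed baseline: one sample per completed profiling interval.
BASELINE = {
    "Unique Initiators": [10, 14, 10, 14, 10, 14],          # mean 12, stdev 2
    "Total Packets": [5000, 5400, 5000, 5400, 5000, 5400],  # mean 5200, stdev 200
}


def deviation_threshold(criterion, deviations, direction="above", baseline=BASELINE):
    """Absolute count lying `deviations` standard deviations above or below
    the baseline mean for `criterion`."""
    samples = baseline[criterion]
    mean = statistics.fmean(samples)
    stdev = statistics.pstdev(samples)  # population stdev of the baseline
    sign = 1 if direction == "above" else -1
    return mean + sign * deviations * stdev


def condition_triggers(criterion, op, value, unit, observed,
                       direction="above", baseline=BASELINE):
    """True when `observed` (this interval's count for `criterion`) satisfies
    "<criterion> <op> <value> <unit>".

    unit "count" compares the raw count (e.g. Unique Initiators > 20 initiators).
    unit "standard deviation(s)" compares against the mean shifted by `value`
    standard deviations in `direction`; a quiet baseline therefore makes the
    rule react to small absolute changes, a noisy one only to large ones.
    """
    compare = OPERATORS[op]
    if unit == "count":
        return compare(observed, value)
    if unit == "standard deviation(s)":
        return compare(observed, deviation_threshold(criterion, value, direction, baseline))
    raise ValueError(f"unknown unit {unit!r}")


if __name__ == "__main__":
    # Unique Initiators > 2 standard deviations above the mean (threshold 16)
    print(condition_triggers("Unique Initiators", ">", 2, "standard deviation(s)", 17))  # True
    # Total Packets < 2 standard deviations below the mean (threshold 4800)
    print(condition_triggers("Total Packets", "<", 2, "standard deviation(s)", 4500, "below"))  # True
```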