Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Grouping Correlation Responses
After you create alert responses and remediations, (see
), you can group them so that a policy violation triggers all of the
responses within the group. Before you can assign response groups to correlation rules, you must create
the groups on the Groups page.
The slider next to the group indicates whether the group is active. If you want to assign a response group
to a rule within a correlation policy, you must activate it. You can sort response groups by state (active
versus inactive) or alphabetically by name using the Sort by drop-down list.
Creating a Response Group
License: Any
You can place individual alerts and remediations in response groups, which can then be assigned to rules
within correlation policies so that a group of alerts and remediations can be launched when a policy is
violated. After a group has been assigned to rules in active policies, changes to the group and to alerts
or remediations within the group are automatically applied to active policies.
To create a response group:
Access: Admin
Step 1 Select Policies > Correlation, then click Groups.
The Groups page appears.
Step 2 Click Create Group.
The Response Group page appears.
Step 3 In the Name field, type a name for the new group.
Step 4 Select Active to activate the group so that you can use it in response to a correlation policy violation.
Step 5 From the Available Responses list, select the alerts and remediations you want to include in the group.
Tip: Hold down the Ctrl key while clicking to select multiple responses.
Step 6 Click > to move alerts and remediations into the group.
Conversely, you can select alerts and remediations from the Responses in Group list and click < to move
the alerts out of the response group.
Step 7 Click Save.
The group is created.