Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Grouping Correlation Responses
Step 1 Select Policies > Correlation, then select the Rule Management tab.
The Rule Management page appears.
Step 2 If the rule is in a rule group, click the group name to expand the group.
Step 3 Next to the rule you want to delete, click the delete icon.
Step 4 Confirm that you want to delete the rule.
The rule is deleted.
Creating a Rule Group
License: Any
Create rule groups to help you organize correlation rules. The FireSIGHT System ships with many
default rules, which are grouped according to function. For example, the Worms rule group comprises
rules that detect activity by common worms. Note that rule groups exist only to help you organize
correlation rules; you cannot assign a group of rules to a correlation policy. Instead, add each rule
individually.
You can add a rule to an existing group when you create the rule. You can also modify an existing rule
to add it to a group. For more information, see the following sections:
•
•
Tip
To delete a rule group, click the delete icon next to the group you want to delete. When you delete
a rule group, rules that were in the group are not deleted. Rather, they merely become ungrouped.
To create a rule group:
Access: Admin/Discovery Admin
Step 1 Select Policies > Correlation, then select the Rule Management tab.
The Rule Management page appears.
Step 2 Click Create Group.
The Create Group page appears.
Step 3 In the Group Name field, type a name for the group.
Step 4 Click Add Group.
The group is added.
Grouping Correlation Responses
License: Any