Cisco FirePOWER Appliance 7010
39-5
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Providing Basic Rule Information
License: Any
You must give each correlation rule a name and, optionally, a short description. You can also place the rule in a rule group.
To provide basic rule information:
Access: Admin/Discovery Admin
Step 1 Select Policies > Correlation, then select the Rule Management tab.
The Rule Management page appears.
Step 2 Click Create Rule.
The Create Rule page appears.
Step 3 On the Create Rule page, in the Rule Name field, type a name for the rule.
Step 4 In the Rule Description field, type a description for the rule.
Step 5 Optionally, select a group for the rule from the Rule Group drop-down list.
For more information on rule groups, see
Step 6 Continue with the procedure in the next section, Specifying Correlation Rule Trigger Criteria.
Specifying Correlation Rule Trigger Criteria
License: FireSIGHT, Protection, URL Filtering, or Malware
Supported Devices: feature dependent
Supported Defense Centers: feature dependent
A simple correlation rule requires only that an event of a certain type occurs; you do not need to provide more specific conditions. For example, correlation rules based on traffic profile changes do not require any conditions at all. In contrast, correlation rules may be complex, with multiple nested conditions. For example, the rule shown in the following graphic comprises criteria that direct the rule to trigger if an IP address that is not in the 10.x.x.x subnet transmits an IGMP message.
To specify correlation rule trigger criteria:
Access: Admin/Discovery Admin
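The nested-condition rule described above (trigger when an IP address outside the 10.x.x.x subnet transmits an IGMP message) modelled as a small evaluator, as an added example that is not FireSIGHT code; the event field names, the AND/OR group structure and the sample events are assumptions constructed for illustration.

```python
# Added example: a minimal model of nested correlation-rule trigger criteria.
# Not FireSIGHT's own code; event fields (src_ip, protocol) are assumed names.
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Union

Event = Dict[str, str]


@dataclass
class Condition:
    """A leaf condition: one predicate evaluated against a single event."""
    description: str
    predicate: Callable[[Event], bool]

    def matches(self, event: Event) -> bool:
        return self.predicate(event)


@dataclass
class ConditionGroup:
    """A nested group of conditions joined with AND or OR; groups may nest."""
    operator: str  # "AND" or "OR"
    members: List[Union[Condition, "ConditionGroup"]] = field(default_factory=list)

    def matches(self, event: Event) -> bool:
        results = (m.matches(event) for m in self.members)
        return all(results) if self.operator == "AND" else any(results)


@dataclass
class CorrelationRule:
    name: str
    trigger: ConditionGroup

    def evaluate(self, events: List[Event]) -> List[Event]:
        """Return the events that would cause this rule to trigger."""
        return [e for e in events if self.trigger.matches(e)]


SUBNET_10 = ipaddress.ip_network("10.0.0.0/8")

# The page's example rule: source outside 10.x.x.x AND protocol is IGMP.
IGMP_FROM_OUTSIDE_10 = CorrelationRule(
    name="IGMP from outside 10.x.x.x",
    trigger=ConditionGroup("AND", [
        Condition("source IP not in 10.0.0.0/8",
                  lambda e: ipaddress.ip_address(e["src_ip"]) not in SUBNET_10),
        Condition("protocol is IGMP", lambda e: e["protocol"] == "IGMP"),
    ]),
)

# Constructed sample events for illustration only.
SAMPLE_EVENTS: List[Event] = [
    {"src_ip": "10.1.2.3", "protocol": "IGMP"},     # inside 10.x.x.x: no trigger
    {"src_ip": "192.168.5.7", "protocol": "IGMP"},  # outside and IGMP: trigger
    {"src_ip": "192.168.5.8", "protocol": "TCP"},   # outside but not IGMP: no trigger
]


def triggered_sources(rule: CorrelationRule = IGMP_FROM_OUTSIDE_10,
                      events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Source IPs of the sample events that satisfy the rule's criteria."""
    return [e["src_ip"] for e in rule.evaluate(events)]
```

Swapping the group's operator to "OR" shows how the same leaves become a much broader trigger, which is the usual mistake to check for when nesting conditions.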