Cisco Cisco FirePOWER Appliance 7010
39-45
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Correlation Policies
See
Step 7 Click Save.
The policy is saved.
Note: You must activate the policy before it can generate correlation and white list events and launch responses to policy violations. For more information, see
Providing Basic Policy Information
License: Any
You must give each policy an identifying name. Optionally, you can add a short description to the policy. You can also assign a user-defined priority to your policy. If your correlation policy is violated, the resultant correlation events display the priority value you assign to the policy (unless the rule that was triggered has its own priority).
Note: Rule and white list priorities override policy priorities. For more information, see .
To provide basic policy information:
Access: Admin/Discovery Admin
Step 1 On the Create Policy page, in the Policy Name field, type a name for the policy.
Step 2 In the Policy Description field, type a description for the policy.
Step 3 From the Default Priority drop-down list, select a priority for the policy.
You can select a priority value from 1 to 5, where 1 is highest and 5 is lowest. Or, you can select None to only use the priorities assigned to specific rules.
Step 4
Adding Rules and White Lists to a Correlation Policy
License: Any
A correlation policy contains one or more correlation rules or white lists. When any rule or white list in a policy is violated, the system logs an event to the database. If you assigned one or more responses to the rule or white list, those responses are launched.
The following graphic shows a correlation policy composed of a compliance white list and a set of correlation rules, configured with a variety of responses.