Cisco FirePOWER Appliance 7010
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Correlation Policies
To add rules or white lists to a correlation policy:
Access: Admin/Discovery Admin
Step 1
On the Create Policy page, click Add Rules.
The Available Rules pop-up appears.
Step 2
Click the appropriate folder name to expand it.
Step 3
Select the rules and white lists that you want to use in the policy and click Add.
The Create Policy page appears again. The rules and white lists you selected populate the policy.
Step 4
Continue with the procedure in the next section,
Setting Rule and White List Priorities
License: Any
You can assign a user-defined priority to each correlation rule or compliance white list in your
correlation policy. If a rule or white list triggers, the resulting event displays the priority you assign to
the rule or white list. On the other hand, if you do not assign a priority value and the rule or white list
triggers, the resulting event displays the priority value of the policy.
For example, consider a policy where the policy itself has a priority of 1 and its rules or white lists are
set with the default priority, with the exception of one rule given a priority of 3. If the priority 3 rule
triggers, the resulting correlation event shows 3 as its priority value. If other rules or white lists in the
policy trigger, the resulting events show 1 as their priority values, retained from the policy’s priority.
To set rule or white list priorities:
Access: Admin/Discovery Admin