Cisco FirePOWER Appliance 8390
39-13
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
If you base your correlation rule on a host input event, you must first choose the type of host input event
you want to use from a drop-down list. The following table lists the events you can choose as trigger
criteria from the drop-down list, cross-referenced with their corresponding host input event types. For
detailed descriptions of host input event types, see
You cannot trigger a correlation rule when you add, delete, or change the definition of a user-defined
host attribute, or set a vulnerability impact qualification.
After you choose the host input event type, you can build correlation rule conditions as described in the
table below. Depending on the type of host input event you choose, you can build conditions using
subsets of the criteria in the following table. For example, if you trigger your correlation rule when a
client is deleted, you can build conditions based on the IP address of the host involved in the event, the
source type of the deletion (manual, third-party application, or scanner), and the source itself (a specific
scanner type or user).
Syntax for Connection Events
License:
Any
Table 39-7  Correlation Rule Trigger Criteria vs. Host Input Event Types

Select this option...             | To trigger the rule on this event type...
a client is added                 | Add Client
a client is deleted               | Delete Client
a host is added                   | Add Host
a protocol is added               | Add Protocol
a protocol is deleted             | Delete Protocol
a scan result is added            | Add Scan Result
a server definition is set        | Set Server Definition
a server is added                 | Add Port
a server is deleted               | Delete Port
a vulnerability is marked invalid | Vulnerability Set Invalid
a vulnerability is marked valid   | Vulnerability Set Valid
an address is deleted             | Delete Host/Network
an attribute value is deleted     | Host Attribute Delete Value
an attribute value is set         | Host Attribute Set Value
an OS definition is set           | Set Operating System Definition
host criticality is set           | Set Host Criticality
Table 39-8  Syntax for Host Input Events

If you specify... | Select an operator, then...
IP Address        | Type a single IP address or address block. For information on using IP address notation in the FireSIGHT System, see
Source            | Select the source for the host input data.
Source Type       | Select the type of the source for the host input data.
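As an added illustration (not code from the guide or from the FireSIGHT System), the following Python models how a rule built from Table 39-7 and Table 39-8 is evaluated against a host input event: the chosen trigger option is mapped to its host input event type, then the IP Address, Source Type and Source conditions are checked. The rule and event field names and the equality / "is in" operator are assumptions; the guide lists no operators.

```python
import ipaddress

# Table 39-7 from the page: UI trigger option -> host input event type.
TRIGGER_OPTIONS = {
    "a client is added": "Add Client",
    "a client is deleted": "Delete Client",
    "a host is added": "Add Host",
    "a protocol is added": "Add Protocol",
    "a protocol is deleted": "Delete Protocol",
    "a scan result is added": "Add Scan Result",
    "a server definition is set": "Set Server Definition",
    "a server is added": "Add Port",
    "a server is deleted": "Delete Port",
    "a vulnerability is marked invalid": "Vulnerability Set Invalid",
    "a vulnerability is marked valid": "Vulnerability Set Valid",
    "an address is deleted": "Delete Host/Network",
    "an attribute value is deleted": "Host Attribute Delete Value",
    "an attribute value is set": "Host Attribute Set Value",
    "an OS definition is set": "Set Operating System Definition",
    "host criticality is set": "Set Host Criticality",
}
# Source types a condition can test (from the page).
SOURCE_TYPES = {"manual", "third-party application", "scanner"}

def is_valid_trigger(option: str) -> bool:
    """Only Table 39-7 options can trigger a rule (changing a user-defined host attribute definition cannot)."""
    return option in TRIGGER_OPTIONS

def rule_matches(rule: dict, event: dict) -> bool:
    """True when a host input event satisfies a rule. rule: 'trigger' plus optional
    'ip' (single address or block), 'source_type', 'source'; event: 'event_type',
    'ip', 'source_type', 'source'. Field names and operators are assumed, not the page's."""
    if not is_valid_trigger(rule["trigger"]):
        raise ValueError(f"not a valid trigger: {rule['trigger']!r}")
    if event["event_type"] != TRIGGER_OPTIONS[rule["trigger"]]:
        return False
    if rule.get("ip"):  # a single IP or an address block, as Table 39-8 allows
        net = ipaddress.ip_network(rule["ip"], strict=False)
        if ipaddress.ip_address(event["ip"]) not in net:
            return False
    st = rule.get("source_type")
    if st not in (None, *SOURCE_TYPES):
        raise ValueError(f"unknown source type: {st!r}")
    if st and event["source_type"] != st:
        return False
    if rule.get("source") and event["source"] != rule["source"]:
        return False
    return True

# Constructed sample rule: fire when a scanner deletes a client on a host in 10.1.0.0/16.
RULE = {"trigger": "a client is deleted", "ip": "10.1.0.0/16", "source_type": "scanner"}
```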