Cisco Cisco FirePOWER Appliance 8390
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Note
Where the condition syntax allows you to pick a value from a drop-down list, you can often use multiple
values from the list. For more information, see
For more information on the syntax for building correlation rule trigger criteria, see:
For more information on the syntax for building host profile qualifications, user qualifications, and
connection trackers, see:
Adding and Linking Conditions
License: Any
You can create simple correlation rule triggers, connection trackers, host profile qualifications, and user
qualifications, or you can create more elaborate constructs by combining and nesting conditions.
When your construct includes more than one condition, you must link them with an AND or an OR
operator. Conditions on the same level are evaluated together:
• The AND operator requires that all conditions on the level it controls must be met.
• The OR operator requires that at least one of the conditions on the level it controls must be met.
For example, the following correlation rule trigger criteria contain two conditions, linked by OR. This
means that the rule triggers if either condition is true, that is, if a host has an IP address that is not in the
10.x.x.x subnet or if a host transmits an IGMP message.
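The AND/OR level semantics described above, modelled as an added Python example; it is not Cisco code and not the FireSIGHT rule format. The tuple layout, function names, the 10.1.0.0/16 "lab" range and the sample events are assumptions constructed for illustration, and the 10.x.x.x subnet is taken as 10.0.0.0/8.

```python
import ipaddress

# Constructed model: a group is (operator, [children]); a leaf is a function
# that takes an event dict and returns True or False. Groups can be nested.

def evaluate(node, event):
    """Evaluate a leaf condition or an (operator, children) group for one event."""
    if callable(node):
        return bool(node(event))
    operator, children = node
    if not children:
        raise ValueError("a group needs at least one condition")
    results = (evaluate(child, event) for child in children)
    if operator == "AND":   # every condition on this level must be met
        return all(results)
    if operator == "OR":    # at least one condition on this level must be met
        return any(results)
    raise ValueError(f"unknown operator: {operator!r}")

TEN_NET = ipaddress.ip_network("10.0.0.0/8")
LAB_NET = ipaddress.ip_network("10.1.0.0/16")  # hypothetical range

def ip_not_in_10(event):
    return ipaddress.ip_address(event["ip"]) not in TEN_NET

def ip_in_lab(event):
    return ipaddress.ip_address(event["ip"]) in LAB_NET

def is_igmp(event):
    return event["protocol"] == "IGMP"

# The page's example: two conditions on one level, linked by OR.
PAGE_RULE = ("OR", [ip_not_in_10, is_igmp])

# A nested construct (hypothetical): IGMP AND (outside 10.x.x.x OR inside the lab range).
NESTED_RULE = ("AND", [is_igmp, ("OR", [ip_not_in_10, ip_in_lab])])

# Constructed sample events.
EVENTS = [
    {"ip": "10.1.2.3", "protocol": "TCP"},
    {"ip": "10.1.2.3", "protocol": "IGMP"},
    {"ip": "10.2.0.1", "protocol": "IGMP"},
    {"ip": "192.168.1.5", "protocol": "TCP"},
]

def triggers(rule, events):
    """Return one boolean per event: does the rule trigger?"""
    return [evaluate(rule, event) for event in events]
```

The third event shows why the grouping matters: it satisfies the flat OR rule through the IGMP condition alone, but not the nested rule, because neither condition inside the inner OR group is met.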