Cisco FirePOWER Appliance 8130
FireSIGHT System User Guide
Chapter 40 Creating Traffic Profiles
Adding a Host Profile Qualification
License: FireSIGHT
You can constrain any traffic profile with information from the host profile of the tracked hosts. This
constraint is called a host profile qualification. For example, as shown in the following graphic, you
could collect connection data only for hosts that are assigned a host criticality of high.
To use a host profile qualification, the host must exist in the database and the host profile property you
want to use as a qualification must already be included in the host profile. For example, if you configure
a correlation policy rule to trigger when an intrusion event is generated on a host running Windows, the
rule only triggers if the host is already identified as Windows when the intrusion event is generated.
To add a host profile qualification:
Access: Admin/Discovery Admin
Step 1 On the Create Profile page, click Add Host Profile Qualification.
The Host Profile Qualification section appears.
Step 2 Build the host profile qualification’s conditions.
You can create a single, simple condition, or you can create more elaborate constructs by combining and
nesting conditions. See
for information
building conditions.
The syntax you can use to build conditions is described in
.
Tip: To remove a host profile qualification, click Remove Host Profile Qualification.
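The following added example (not FireSIGHT code and not part of the guide) models how a nested host profile qualification filters connection data, including the two cases the text calls out: a host that is not in the database and a host whose profile does not yet contain the qualifying property. The record shapes, the "is" operator, the all/any grouping keys and all addresses are assumptions constructed for illustration.

```python
# Added illustration; not FireSIGHT code. All names and data are constructed.
# Host database: IP -> host profile. A property absent from the dict is one
# the system has not yet recorded for that host.
HOSTS = {
    "10.0.0.5": {"criticality": "high", "os": "Windows"},
    "10.0.0.6": {"criticality": "low", "os": "Linux"},
    "10.0.0.7": {"os": "Windows"},  # criticality never assigned
}

# Connection records keyed by the tracked host (assumed shape).
CONNECTIONS = [
    {"host": "10.0.0.5", "responder_port": 443, "transport": "TCP"},
    {"host": "10.0.0.6", "responder_port": 53, "transport": "UDP"},
    {"host": "10.0.0.7", "responder_port": 445, "transport": "TCP"},
    {"host": "10.0.0.9", "responder_port": 22, "transport": "TCP"},  # not in DB
]

def matches(profile, cond):
    """Evaluate a nested qualification against one host profile."""
    if "all" in cond:
        return all(matches(profile, c) for c in cond["all"])
    if "any" in cond:
        return any(matches(profile, c) for c in cond["any"])
    prop, expected = cond["is"]
    # A property that is not yet in the profile can never satisfy a condition.
    return prop in profile and profile[prop] == expected

def qualify(connections, hosts, cond):
    """Split connections into those the profile collects and those it skips."""
    collected, skipped = [], []
    for conn in connections:
        profile = hosts.get(conn["host"])
        if profile is None:
            skipped.append((conn["host"], "host not in database"))
        elif matches(profile, cond):
            collected.append(conn)
        else:
            skipped.append((conn["host"], "qualification not met"))
    return collected, skipped

# Criticality is high AND (OS is Windows OR OS is Linux).
QUALIFICATION = {"all": [
    {"is": ("criticality", "high")},
    {"any": [{"is": ("os", "Windows")}, {"is": ("os", "Linux")}]},
]}

if __name__ == "__main__":
    kept, dropped = qualify(CONNECTIONS, HOSTS, QUALIFICATION)
    print("collected:", [c["host"] for c in kept])
    print("skipped:", dropped)
```

In this model, 10.0.0.7 and 10.0.0.9 are skipped without any error, so a profile built this way reflects only hosts that were already profiled when the connection data was collected.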
Table 40-1 Syntax for Profile Conditions (continued)
If you specify...            Select an operator, then...
Responder Port/ICMP Code     Type the port number or ICMP code.
Transport Protocol           Type TCP or UDP as the transport protocol.
Web Application              Select a web application name from the drop-down list of available web applications.
Web Application Category     Select a web application category name from the drop-down list of available categories.