FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
• the maximum duration of the connection tracker, that is, the time period during which the conditions you specify must be met to generate a correlation event
Tip
You can add a connection tracker to a simple correlation rule that requires only that any connection, intrusion, discovery, user identity, or host input event occurs.
To add a connection tracker:
Access:
Admin/Discovery Admin
Step 1
On the Create Rule page, click Add Connection Tracker.
The Connection Tracker section appears.
Tip
To remove a connection tracker, click Remove Connection Tracker.
Step 2
Specify which connections you want to track by setting connection tracker criteria.
You can set connection tracker criteria by creating a single, simple condition, or you can create more elaborate constructs by combining and nesting conditions.
See for information on how to use the web interface to build conditions. The syntax you can use to build connection tracker conditions is described in Syntax for Connection Trackers.
Step 3
Based on the connections you decided to track in step 2, describe when you want to generate a correlation event.
You can create a single, simple condition that describes when you want to generate an event, or you can create more elaborate constructs by combining and nesting conditions.
You must also specify the interval (in seconds, minutes, or hours) during which the conditions you specify must be met to generate a correlation event. If the interval elapses before the conditions are met, no correlation event is generated.
See for information on how to use the web interface to build conditions. The syntax you can use to build connection tracker conditions is described in Syntax for Connection Trackers.
Step 4
Optionally, continue with the procedures in the following sections:
If you are finished building the correlation rule, continue with step of the procedure in to save the rule.
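The following is an added example, not code from the FireSIGHT System or from Cisco: a small Python model of the connection-tracker behaviour the four steps above describe. The tracker is armed when the rule's triggering event occurs, collects connections matching the step 2 criteria, and generates a correlation event when the step 3 condition is met within the interval; if the interval elapses first, the tracker expires without firing. The criteria (internal initiator to TCP/445), the condition (three or more distinct responders), the 60-second interval, the field names and the connection records are all assumptions constructed for this illustration.

```python
"""Illustrative model of a connection tracker (not FireSIGHT/FMC code).

Assumed semantics, mirroring the procedure in the text:
  step 2  criteria  -> which connections are tracked
  step 3  condition -> when the tracked set generates a correlation event
  interval          -> maximum tracker duration; expiry without an event
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Connection = Dict[str, object]


@dataclass
class ConnectionTracker:
    criteria: Callable[[Connection], bool]          # step 2: which connections to track
    condition: Callable[[List[Connection]], bool]   # step 3: when to generate the event
    interval_seconds: float                         # maximum tracker duration
    started_at: Optional[float] = None
    tracked: List[Connection] = field(default_factory=list)

    def arm(self, ts: float) -> None:
        """Start tracking; called when the rule's triggering event occurs."""
        self.started_at = ts
        self.tracked = []

    def observe(self, conn: Connection) -> Optional[dict]:
        """Feed one connection (in time order); return a correlation event or None."""
        if self.started_at is None:
            return None
        ts = float(conn["ts"])
        if ts - self.started_at > self.interval_seconds:
            # Interval elapsed without the condition being met: tracker expires.
            self.started_at = None
            self.tracked = []
            return None
        if not self.criteria(conn):
            return None
        self.tracked.append(conn)
        if self.condition(self.tracked):
            event = {
                "type": "correlation_event",
                "tracker_started": self.started_at,
                "fired_at": ts,
                "matched_connections": len(self.tracked),
            }
            self.started_at = None  # one event per armed tracker (assumption)
            self.tracked = []
            return event
        return None


INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range


def smb_from_internal(conn: Connection) -> bool:
    """Assumed tracker criteria: internal initiator to TCP/445 (an AND of three conditions)."""
    return (ipaddress.ip_address(str(conn["initiator_ip"])) in INTERNAL
            and conn["responder_port"] == 445
            and conn["protocol"] == "tcp")


def three_distinct_responders(tracked: List[Connection]) -> bool:
    """Assumed event condition: tracked connections reached 3 or more distinct responders."""
    return len({c["responder_ip"] for c in tracked}) >= 3


def run_tracker(start_ts: float, conns: List[Connection], interval: float = 60) -> Optional[dict]:
    """Arm a tracker at start_ts, replay the connections, and return the event if one fires."""
    tracker = ConnectionTracker(smb_from_internal, three_distinct_responders, interval)
    tracker.arm(start_ts)
    for conn in sorted(conns, key=lambda c: float(c["ts"])):
        event = tracker.observe(conn)
        if event is not None:
            return event
    return None


def _conn(ts, src, dst, port, proto="tcp") -> Connection:
    return {"ts": ts, "initiator_ip": src, "responder_ip": dst,
            "responder_port": port, "protocol": proto}


# Constructed sample connections (not real telemetry).
LATERAL_SMB = [
    _conn(1005, "10.1.1.5", "10.2.0.1", 445),
    _conn(1010, "10.1.1.5", "10.2.0.2", 443),   # not tracked: wrong port
    _conn(1020, "10.1.1.5", "10.2.0.2", 445),
    _conn(1025, "10.1.1.5", "10.2.0.2", 445),   # repeat responder: still 2 distinct
    _conn(1030, "10.1.1.5", "10.2.0.3", 445),   # third distinct responder: event fires
]
TOO_SLOW = [
    _conn(2010, "10.1.1.5", "10.2.0.1", 445),
    _conn(2030, "10.1.1.5", "10.2.0.2", 445),
    _conn(2070, "10.1.1.5", "10.2.0.3", 445),   # 70 s after arming: tracker has expired
]

if __name__ == "__main__":
    print(run_tracker(1000, LATERAL_SMB))   # correlation event, 4 matched connections
    print(run_tracker(2000, TOO_SLOW))      # None: interval elapsed first
```

The second scenario is the caveat to keep in mind when choosing the interval in step 3: the same activity spread over a longer period than the interval produces no correlation event at all, so the interval should be sized to the behaviour you expect to catch rather than left at a default.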
Syntax for Connection Trackers
License:
Any
The table describes how to build a connection tracker condition that specifies the kind of connections you want to track.