Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Chapter 36
Syntax for Discovery Events
License: FireSIGHT
If you base your correlation rule on a discovery event, you must first choose the
type of event you want to use from a drop-down list. The following table lists the
events you can choose as trigger criteria from the drop-down list,
cross-referenced with their corresponding event types. For detailed descriptions
of discovery event types, see
Correlation Rule Trigger Criteria vs. Discovery Event Types
Select this option...                                 To trigger the rule on this event type...
----------------------------------------------------  -----------------------------------------
a client has changed                                  Client Update
a client timed out                                    Client Timeout
a host ip address is reused                           DHCP: IP Address Reassigned
a host is deleted because the host limit was reached  Host Deleted: Host Limit Reached
a host is identified as a network device              Host Type Changed to Network Device
a host timed out                                      Host Timeout
a host’s IP address has changed                       DHCP: IP Address Changed
a NETBIOS name change is detected                     NETBIOS Name Change
a new client is detected                              New Client
a new IP host is detected                             New Host
a new MAC address is detected                         Additional MAC Detected for Host
a new MAC host is detected                            New Host
a new network protocol is detected                    New Network Protocol
a new transport protocol is detected                  New Transport Protocol
a TCP port closed                                     TCP Port Closed