Cisco Cisco FirePOWER Appliance 7115

Version 5.3

Sourcefire 3D System User Guide

1540

Configuring Correlation Policies and Rules

Creating Rules for Correlation Policies

Chapter 36

Syntax for Discovery Events

: FireSIGHT

If you base your correlation rule on a discovery event, you must first choose the 

type of event you want to use from a drop-down list. The following table lists the 

events you can choose as trigger criteria from the drop-down list, 

cross-referenced with their corresponding event types. For detailed descriptions 

of discovery event types, see 

page 1453.

Correlation Rule Trigger Criteria vs. Discovery Event Types 

a client has changed

Client Update

a client timed out

Client Timeout

a host ip address is reused

DHCP: IP Address Reassigned

a host is deleted because the host limit 

was reached

Host Deleted: Host Limit 

Reached

a host is identified as a network device

Host Type Changed to Network 

Device

a host timed out

Host Timeout

a host’s IP address has changed

DHCP: IP Address Changed

a NETBIOS name change is detected

NETBIOS Name Change

a new client is detected

New Client

a new IP host is detected

New Host

a new MAC address is detected

Additional MAC Detected for 

Host

a new MAC host is detected

New Host

a new network protocol is detected

New Network Protocol

a new transport protocol is detected

New Transport Protocol

a TCP port closed

TCP Port Closed