Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Correlation Policies
Step 1
On the Create Policy page, from the Priority list for each rule or white list, select a default priority. You can select:
• a priority value from 1 to 5, where 1 is highest and 5 is lowest
• None
• Default to use the policy’s default priority
Step 2
Continue with the procedure in the next section, Adding Responses to Rules and White Lists.
Adding Responses to Rules and White Lists
License: Any
Within a correlation policy, you can map each rule or white list to a single response or to a group of
responses. When any one of the rules or white lists in a policy is violated, the system logs an associated
event to the database and launches the responses assigned to that rule or white list. If multiple rules or
white lists within a policy trigger, the Defense Center launches the responses associated with each rule
or white list.
For more information on creating responses and response groups, see:
•
•
•
Note
Do not assign an Nmap remediation as a response to a correlation rule that triggers on a traffic profile
change. The remediation will not launch.
The following graphic shows a correlation policy composed of a compliance white list and a set of
correlation rules, configured with a variety of responses.