Cisco Firepower Management Center 2000
39-32
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
You can configure snooze periods in correlation rules. When a correlation rule triggers, a snooze period
instructs the Defense Center to stop firing that rule for a specified interval, even if the rule is violated
again during the interval. When the snooze period has elapsed, the rule can trigger again (and start a new
snooze period).
For example, you may have a host on your network that should never generate traffic. A simple
correlation rule that triggers whenever the system detects a connection involving that host may create
multiple correlation events in a short period of time, depending on the network traffic to and from the
host. To limit the number of correlation events exposing your policy violation, you can add a snooze
period so that the Defense Center generates a correlation event only for the first connection (within a
time period that you specify) that the system detects involving that host.
You can also set up inactive periods in correlation rules. During inactive periods, the correlation rule will
not trigger. You can set up inactive periods to recur daily, weekly, or monthly. For example, you might
perform a nightly Nmap scan on your internal network to look for host operating system changes. In that
case, you could set a daily inactive period on the affected correlation rules for the time and duration of
your scan so that those rules do not trigger erroneously.
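The two suppression mechanisms described above (a snooze period that follows a trigger, and a recurring inactive period during which the rule is never evaluated) can be modelled in a few lines. The following is an added illustration written for this page, not code from the FireSIGHT product or from Cisco; it assumes a simplified daily inactive period and a constructed stream of connection events for a host that should never generate traffic.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Callable, List, Optional


@dataclass
class InactivePeriod:
    """A daily recurring window during which the rule is not evaluated.
    (Assumption: only daily recurrence is modelled here; the product also
    supports weekly and monthly periods.)"""
    start: time
    duration: timedelta

    def contains(self, ts: datetime) -> bool:
        day_start = datetime.combine(ts.date(), self.start)
        # Check today's window and yesterday's, so a window that crosses
        # midnight (e.g. 23:30 for 1 hour) still covers 00:15 the next day.
        for window_start in (day_start, day_start - timedelta(days=1)):
            if window_start <= ts < window_start + self.duration:
                return True
        return False


@dataclass
class CorrelationRule:
    name: str
    condition: Callable[[dict], bool]
    snooze: timedelta = timedelta(0)          # 0 means "no snooze period"
    inactive_periods: List[InactivePeriod] = field(default_factory=list)
    snoozed_until: Optional[datetime] = None  # rule state, not configuration

    def evaluate(self, event: dict) -> bool:
        """Return True if this event produces a correlation event."""
        ts = event["ts"]
        # Inactive period: the rule is simply not evaluated.
        if any(p.contains(ts) for p in self.inactive_periods):
            return False
        # Snooze period: the rule already fired recently, so stay quiet even
        # though the condition may be violated again.
        if self.snoozed_until is not None and ts < self.snoozed_until:
            return False
        if not self.condition(event):
            return False
        # The rule fires; start a new snooze period counted from this event.
        if self.snooze > timedelta(0):
            self.snoozed_until = ts + self.snooze
        return True


def run_example() -> List[str]:
    """Replay constructed connection events through a rule for a host that
    should never talk (10.0.0.50 is a made-up address), with a 5-minute
    snooze and a nightly 02:00-03:00 inactive period for a scan window."""
    quiet_host = "10.0.0.50"
    rule = CorrelationRule(
        name="quiet host generated traffic",
        condition=lambda e: quiet_host in (e["src"], e["dst"]),
        snooze=timedelta(minutes=5),
        inactive_periods=[InactivePeriod(time(2, 0), timedelta(hours=1))],
    )
    day = datetime(2024, 1, 1)
    # Constructed sample connection log: (time, source, destination).
    events = [
        (day + timedelta(seconds=10), quiet_host, "10.0.0.1"),      # fires
        (day + timedelta(seconds=20), quiet_host, "10.0.0.2"),      # snoozed
        (day + timedelta(minutes=5, seconds=30), "10.0.0.3", quiet_host),  # fires
        (day + timedelta(hours=2, minutes=30), "10.0.0.9", quiet_host),    # inactive
        (day + timedelta(hours=3, minutes=30), quiet_host, "10.0.0.4"),    # fires
        (day + timedelta(hours=3, minutes=31), "10.0.0.7", "10.0.0.8"),    # no match
    ]
    fired = []
    for ts, src, dst in events:
        if rule.evaluate({"ts": ts, "src": src, "dst": dst}):
            fired.append(ts.strftime("%H:%M:%S"))
    return fired


if __name__ == "__main__":
    print(run_example())  # ['00:00:10', '00:05:30', '03:30:00']
```

Note the ordering in `evaluate`: the inactive-period check comes first, so events inside the scan window neither fire nor extend the snooze, which matches the intent of a window where the rule should not be evaluated at all.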
The following graphic shows a portion of a correlation rule that is configured with a snooze period and
an inactive period.
To add a snooze period:
Access: Admin/Discovery Admin
Step 1 On the Create Profile page, under Rule Options, specify the interval that the Defense Center should wait to trigger a rule again, after the rule triggers.
Tip To remove a snooze period, specify an interval of 0 (seconds, minutes, or hours).
To add an inactive period:
Access: Admin/Discovery Admin
Step 1 On the Create Profile page, under Rule Options, click Add Inactive Period.
Step 2 Using the drop-down lists and text field, specify when and how often you want the Defense Center to refrain from evaluating network traffic against the correlation rule.
Tip To delete an inactive period, click the delete icon next to the inactive period you want to delete.