Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
Caution
Evaluating complex correlation rules that trigger on frequently occurring events can degrade Defense
Center performance. For example, a multi-condition rule that the Defense Center must evaluate against
every connection logged by the system can cause resource overload.
For more information on condition building, see the sections that follow.
Building a Single Condition
License: Any
Most conditions have three parts: a category, an operator, and a value; some conditions are more
complex and contain several categories, each of which may have their own operators and values.
For example, the following correlation rule triggers if a new host is detected on the 10.4.x.x network. The category of the condition is IP Address, the operator is is in, and the value is 10.4.0.0/16.
To build the correlation rule trigger criteria in the example above:
Access: Admin/Discovery Admin
Step 1 Begin building a correlation rule. For more information, see
Step 2 On the Create Rule page, under Select the type of event for this rule, select a discovery event occurs, then select a new IP host is detected from the drop-down list.
Step 3 Start building the rule’s single condition by selecting IP Address from the first (or category) drop-down list.
Step 4 Select is in from the operator drop-down list that appears.
Tip
When the category represents an IP address, choosing is in or is not in as the operator allows you to specify whether the IP address is in or is not in a block of IP addresses, as expressed in special notation such as CIDR. For information on using IP address notation in the FireSIGHT System, see
Step 5 Type 10.4.0.0/16 in the text field.
In contrast, the following host profile qualification is more complex; it constrains a correlation rule such
that the rule triggers only if the host involved in the discovery event on which the rule is based is running
a version of Microsoft Windows.
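The following is an added example, not code from the FireSIGHT System or from this guide. It models the category / operator / value condition described above in Python and evaluates it against constructed discovery events: the single condition "IP Address is in 10.4.0.0/16" from the procedure, and the same rule constrained by a host profile qualification. Everything about how events and host profiles are represented (the dictionary field names, and expressing "running Microsoft Windows" as the condition "OS Vendor is Microsoft") is an assumption made for the example; the Defense Center's own event model and condition UI are not reproduced here.

```python
"""
Added example (not Cisco's code): a minimal model of a FireSIGHT correlation-rule
condition (category, operator, value), evaluated against constructed discovery
events. Shows 'is in' / 'is not in' over a CIDR block and an assumed host
profile qualification chained to the event condition.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Category -> how to pull the compared field out of an event.
# Field names ("ip", "host", "os_vendor") are assumptions for this example.
CATEGORY_FIELDS: Dict[str, Callable[[dict], Any]] = {
    "IP Address": lambda ev: ev["ip"],
    "OS Vendor": lambda ev: ev["host"]["os_vendor"],
}


def _in_block(ip: str, block: str) -> bool:
    """True when ip lies inside a CIDR block (a bare address is a /32 block)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(block, strict=False)


# Operators as used in the text: 'is in' / 'is not in' test CIDR membership.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "is": lambda actual, expected: actual == expected,
    "is not": lambda actual, expected: actual != expected,
    "is in": lambda actual, expected: _in_block(actual, expected),
    "is not in": lambda actual, expected: not _in_block(actual, expected),
}


@dataclass
class Condition:
    category: str
    operator: str
    value: str

    def matches(self, event: dict) -> bool:
        actual = CATEGORY_FIELDS[self.category](event)
        return OPERATORS[self.operator](actual, self.value)


@dataclass
class CorrelationRule:
    name: str
    event_type: str  # e.g. "a new IP host is detected"
    conditions: List[Condition] = field(default_factory=list)
    host_qualification: List[Condition] = field(default_factory=list)

    def triggers_on(self, event: dict) -> bool:
        # The rule is evaluated only against events of the selected type.
        if event["type"] != self.event_type:
            return False
        if not all(c.matches(event) for c in self.conditions):
            return False
        # Host profile qualification: every condition must hold for the host
        # involved in the discovery event on which the rule is based.
        return all(c.matches(event) for c in self.host_qualification)


# The rule from the text: trigger when a new IP host appears in 10.4.x.x.
NEW_HOST_RULE = CorrelationRule(
    name="new host on 10.4.x.x",
    event_type="a new IP host is detected",
    conditions=[Condition("IP Address", "is in", "10.4.0.0/16")],
)

# Same rule, constrained to hosts whose OS vendor is Microsoft (assumed way of
# expressing "running a version of Microsoft Windows").
WINDOWS_ONLY_RULE = CorrelationRule(
    name="new Windows host on 10.4.x.x",
    event_type="a new IP host is detected",
    conditions=[Condition("IP Address", "is in", "10.4.0.0/16")],
    host_qualification=[Condition("OS Vendor", "is", "Microsoft")],
)

# Constructed sample discovery events (not real Defense Center output).
SAMPLE_EVENTS = [
    {"type": "a new IP host is detected", "ip": "10.4.12.7",
     "host": {"os_vendor": "Microsoft"}},
    {"type": "a new IP host is detected", "ip": "10.4.200.1",
     "host": {"os_vendor": "Linux"}},
    {"type": "a new IP host is detected", "ip": "10.5.0.9",
     "host": {"os_vendor": "Microsoft"}},
    {"type": "a new TCP port is detected", "ip": "10.4.1.1",
     "host": {"os_vendor": "Microsoft"}},
]


def evaluate(rule: CorrelationRule, events=SAMPLE_EVENTS) -> List[str]:
    """Return the IPs of the events on which the rule triggers."""
    return [ev["ip"] for ev in events if rule.triggers_on(ev)]


if __name__ == "__main__":
    print(evaluate(NEW_HOST_RULE))      # ['10.4.12.7', '10.4.200.1']
    print(evaluate(WINDOWS_ONLY_RULE))  # ['10.4.12.7']
```

The fourth sample event never triggers either rule, regardless of its address, because the rule is bound to the "a new IP host is detected" event type chosen in Step 2; the CIDR test in `_in_block` is what the "is in" operator from Step 4 contributes, and the host qualification is simply a further set of conditions that must all hold for the host involved in the event.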