Cisco Firepower Management Center 4000
39-14
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
If you base your correlation rule on a connection event, you must first choose whether you want to evaluate events that represent the beginning or ending of the connection, or either the beginning or the end. After you choose the connection event type, you can build correlation rule conditions as described in .
When you build rule conditions, you should make sure that your network traffic can trigger the rules. The information available for any individual connection or connection summary event depends on several factors, including the detection method, the logging method, and event type. For more information, see .
Table 39-9 Syntax for Connection Events

| If you specify... | Select an operator, then... |
|---|---|
| Access Control Policy | Select one or more access control policies that logged the connection. |
| Access Control Rule Action | Select one or more actions associated with the access control rule that logged the connection. Note: Select Monitor to trigger correlation events when network traffic matches the conditions of any Monitor rule, regardless of the rule or default action that later handles the connection. |
| Access Control Rule Name | Type all or part of the name of the access control rule that logged the connection. Note: You can type the name of any Monitor rule whose conditions were matched by a connection, regardless of the rule or default action that later handled the connection. |
| Application Protocol | Select one or more application protocols associated with the connection. |
| Application Protocol Category | Select one or more categories of application protocol. |
| Client | Select one or more clients. |
| Client Category | Select one or more categories of client. |
| Client Version | Type the version number of the client. |
| Connection Duration | Type the duration of the connection event, in seconds. |
| Connection Type | Select whether you want to trigger the correlation rule based on whether the connection was detected by a Cisco managed device (FireSIGHT) or was exported by a NetFlow-enabled device (NetFlow). |
| Device | Select one or more devices that either detected the connection, or that processed the connection (for connection data exported by a NetFlow-enabled device). |
| Egress Interface or Ingress Interface | Select one or more interfaces. |
| Egress Security Zone or Ingress Security Zone | Select one or more security zones. |
| Initiator Bytes, Responder Bytes, or Total Bytes | Type one of: the number of bytes transmitted (Initiator Bytes); the number of bytes received (Responder Bytes); the number of bytes both transmitted and received (Total Bytes). |
| Initiator IP, Responder IP, or Initiator/Responder IP | Specify a single IP address, an address block, or a comma-separated list comprised of any of these. For information on using IP address notation and prefix lengths in the FireSIGHT System, see . |
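As an added example (not Cisco's code, and not the FireSIGHT event schema), the following Python models how a correlation rule built from the conditions in Table 39-9 is matched against connection events: the beginning/end event-type choice is applied first, then each condition. The event records, their field keys, the rule names and the address ranges are all constructed for this example. The Monitor special case from the two notes above is modeled by giving each event the list of Monitor rules whose conditions it matched; byte counters and duration are left empty on beginning-of-connection records, since those values are not yet known there. Conditions are combined with AND only; OR groups are not modeled.

```python
import ipaddress
import operator
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    field_name: str   # a row of Table 39-9, e.g. "Total Bytes"
    op: str           # operator chosen in the rule builder
    value: object

@dataclass(frozen=True)
class CorrelationRule:
    name: str
    event_type: str   # "beginning", "end" or "either" (the first choice in the rule builder)
    conditions: tuple # every condition must hold (AND); OR groups are not modeled here

NUMERIC_OPS = {"is": operator.eq, "is not": operator.ne, ">": operator.gt,
               ">=": operator.ge, "<": operator.lt, "<=": operator.le}

def _ip_in_list(addr, spec):
    """True if addr lies inside any address or block of a comma-separated list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p.strip(), strict=False) for p in spec.split(","))

def _condition_holds(cond, ev):
    f, op, v = cond.field_name, cond.op, cond.value
    if f == "Access Control Rule Action":
        # Monitor is special: it matches whenever any Monitor rule's conditions were met,
        # regardless of the rule or default action that finally handled the connection.
        hit = bool(ev["monitor_rules"]) if v == "Monitor" else ev["ac_rule_action"] == v
        return hit if op == "is" else not hit
    if f == "Access Control Rule Name":
        # All or part of a name; the names of matched Monitor rules count as well.
        names = [ev["ac_rule_name"] or ""] + list(ev["monitor_rules"])
        hit = any(v in n for n in names)
        return hit if op == "contains" else not hit
    if f in ("Initiator IP", "Responder IP", "Initiator/Responder IP"):
        addrs = {"Initiator IP": [ev["initiator_ip"]], "Responder IP": [ev["responder_ip"]],
                 "Initiator/Responder IP": [ev["initiator_ip"], ev["responder_ip"]]}[f]
        hit = any(_ip_in_list(a, v) for a in addrs)
        return hit if op == "is in" else not hit
    if f in ("Connection Duration", "Initiator Bytes", "Responder Bytes", "Total Bytes"):
        if f == "Total Bytes":
            actual = None if ev["initiator_bytes"] is None else ev["initiator_bytes"] + ev["responder_bytes"]
        else:
            actual = ev[{"Connection Duration": "duration", "Initiator Bytes": "initiator_bytes",
                         "Responder Bytes": "responder_bytes"}[f]]
        if actual is None:
            return False  # counter not present on this record (e.g. a beginning-of-connection event)
        return NUMERIC_OPS[op](actual, v)
    # Remaining rows are plain selections from a list, compared with "is" / "is not".
    key = {"Access Control Policy": "ac_policy", "Connection Type": "connection_type",
           "Application Protocol": "app_protocol", "Client": "client", "Device": "device",
           "Ingress Security Zone": "ingress_zone", "Egress Security Zone": "egress_zone"}.get(f)
    if key is None:
        raise ValueError(f"field not modeled in this example: {f}")
    hit = ev.get(key) in (v if isinstance(v, (list, tuple, set)) else [v])
    return hit if op == "is" else not hit

def rule_triggers(rule, ev):
    """Apply the event-type choice first, then every condition of the rule."""
    if rule.event_type != "either" and ev["event_type"] != rule.event_type:
        return False
    return all(_condition_holds(c, ev) for c in rule.conditions)

def evaluate(rules, events):
    """Return (rule name, event index) for every rule that fires on every event."""
    return [(r.name, i) for i, ev in enumerate(events) for r in rules if rule_triggers(r, ev)]

# Constructed sample events: the beginning and end records of one monitored HTTP
# connection, and the end record of an SSH connection exported by NetFlow.
_HTTP = {"connection_type": "FireSIGHT", "ac_policy": "Corp-Policy", "ac_rule_action": "Allow",
         "ac_rule_name": "Allow-Web", "monitor_rules": ["Watch-Guest-Net"], "app_protocol": "HTTP",
         "initiator_ip": "10.20.30.40", "responder_ip": "203.0.113.5"}
SAMPLE_EVENTS = [
    dict(_HTTP, event_type="beginning", duration=None, initiator_bytes=None, responder_bytes=None),
    dict(_HTTP, event_type="end", duration=120, initiator_bytes=5_000, responder_bytes=2_000_000),
    {"event_type": "end", "connection_type": "NetFlow", "ac_policy": None, "ac_rule_action": None,
     "ac_rule_name": None, "monitor_rules": [], "app_protocol": "SSH", "initiator_ip": "192.168.1.7",
     "responder_ip": "198.51.100.9", "duration": 4_000, "initiator_bytes": 40_000_000, "responder_bytes": 1_000},
]

# Constructed sample rules (names and ranges are hypothetical).
SAMPLE_RULES = [
    CorrelationRule("Monitored guest traffic", "end",
                    (Condition("Access Control Rule Action", "is", "Monitor"),
                     Condition("Initiator IP", "is in", "10.20.0.0/16"))),
    CorrelationRule("Large upload via NetFlow", "either",
                    (Condition("Connection Type", "is", "NetFlow"),
                     Condition("Initiator Bytes", ">", 10_000_000),
                     Condition("Responder IP", "is not in", "192.168.0.0/16, 10.0.0.0/8"))),
    CorrelationRule("Guest watch start", "beginning",
                    (Condition("Access Control Rule Name", "contains", "Guest"),)),
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_RULES, SAMPLE_EVENTS):
        print(f"{name!r} fired on event {idx} ({SAMPLE_EVENTS[idx]['event_type']})")
```

Running the block shows one firing per rule: the name-fragment rule fires on the beginning record, the Monitor rule only on the end record it was restricted to, and the byte-threshold rule only on the NetFlow record, since the byte counters are absent from beginning-of-connection events and a threshold condition on them cannot hold there.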