Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
To link conditions:
Access: Admin/Discovery Admin
Step 1  Use the drop-down list to the left of a set of conditions. Choose:
• the AND operator to require that all conditions on the level it controls be met
• the OR operator to require that only one of the conditions on the level it controls be met
Using Multiple Values in a Condition
License: Any
When you are building a condition, and the condition syntax allows you to pick a value from a drop-down
list, you can often use multiple values from the list. For example, if you want to add a host profile
qualification to a rule that requires that a host be running some flavor of UNIX, instead of constructing
multiple conditions linked with the OR operator, use the following procedure.
To include multiple values in one condition:
Access: Admin/Discovery Admin
Step 1  Build a condition, choosing is in or is not in as the operator.
The drop-down list changes to a text field.
Step 2  Click anywhere in the text field or on the Edit link.
A pop-up window appears.
Step 3  Under Available, use Ctrl or Shift while clicking to select multiple values. You can also click and drag to select multiple adjacent values.
Step 4  Click the right arrow (>) to move the selected entries to Selected.
Step 5  Click OK.