Cisco Cisco Firepower Management Center 2000

FireSIGHT

If you base your correlation rule on user activity, you must first choose the type of user activity you want 
to use from a drop-down list, either:

a user logged into a host, or

a new user identity was detected

After you choose the user activity type, you can build correlation rule conditions as described in the table 
below. Depending on the type of user activity you choose, you can build conditions using subsets of the 
criteria in the following table; for correlation rules triggered on new user identity, you cannot specify an 
IP address.

FireSIGHT

MAC Vendor

Type all or part of the name of the MAC hardware vendor of the NIC used by the network traffic 
that triggered the discovery event.

Mobile

Select 

 to indicate that the host in the event is a mobile device or 

 to indicate that it is not.

NETBIOS Name

Type the NetBIOS name of the host.

Network Protocol

OS Name

Select one or more operating system names.

OS Vendor

Select one or more operating system vendors.

OS Version

Select one or more operating system versions.

Protocol or

 

Transport Protocol

Source

Select the source of the host input data (for operating system and server identity changes and 
timeouts).

Source Type

Select the type of the source for the host input data (for operating system and server identity 
changes and timeouts).

VLAN ID

Type the VLAN ID of the host involved in the event.

Web Application

Select a web application.

Device

Select one or more devices that may have detected the user activity.

IP Address

Type a single IP address or address block. For information on using IP address notation in the 
FireSIGHT System, see 

Username

Type a username.