Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 39 Configuring Correlation Policies and Rules
Creating Rules for Correlation Policies
You can create a single, simple condition, or you can create more elaborate constructs by combining and 
nesting conditions. See 
 for information on how to 
use the web interface to build conditions. 
The syntax you can use to build conditions is described in 
.
Step 3
Optionally, continue with 
.
If you are finished building the correlation rule, continue with step 
 of the procedure in 
 to save the rule.
Syntax for User Qualifications
License: FireSIGHT
When you build a user qualification condition, you must first select the identity you want to use to 
constrain your correlation rule. The identity you can choose depends on the type of event you are using 
to trigger the rule, as follows:
  • If you are using a connection event, select Identity on Initiator or Identity on Responder.
  • If you are using an intrusion event, select Identity on Destination or Identity on Source.
  • If you are using a discovery event, select Identity on Host.
  • If you are using a host input event, select Identity on Host.
After you select the user type, you continue building your user qualification condition, as described in 
the following table.
The Defense Center obtains certain information about users, including first and last names, department, 
telephone number, and email address, from an optional Defense Center-LDAP server connection; see 
. This information may not be 
available for all users in the database.
Table 39-14 Syntax for User Qualifications

| If you specify... | Select an operator, then... |
|---|---|
| Username | Type the username of the user you want to use to constrain the correlation rule. |
| Authentication Protocol | Select an authentication protocol (or user type). This is the protocol that was used to detect the user. |
| First Name | Type the first name of the user you want to use to constrain the correlation rule. |
| Last Name | Type the last name of the user you want to use to constrain the correlation rule. |
| Department | Type the department of the user you want to use to constrain the correlation rule. |
| Phone | Type the telephone number of the user you want to use to constrain the correlation rule. |
| Email | Type the email address of the user you want to use to constrain the correlation rule. |

Adding Snooze and Inactive Periods
License: Any