Cisco Firepower Management Center 2000

FireSIGHT System User Guide

Chapter 39
Configuring Correlation Policies and Rules
You can use the FireSIGHT System’s correlation feature to build correlation policies, which are
populated with correlation rules and compliance white lists and which let you respond in real time to
threats to your network. A correlation policy violation occurs when the activity on your network triggers
either a correlation rule or a white list.
A correlation rule triggers either when a specific event generated by the FireSIGHT System meets
criteria that you specify, or when your network traffic deviates from your normal network traffic pattern
as characterized in an existing traffic profile.
Compliance white lists, on the other hand, trigger when the system determines that a host on your 
network is running a prohibited operating system, client application (or client), application protocol, or 
protocol.
You can configure the FireSIGHT System to initiate responses to policy violations. Responses include 
simple alerts as well as various remediations (such as scanning a host). You can group responses so that 
the system launches multiple responses for each policy violation.
The following graphic illustrates the event notification and correlation process: