Configure Correlation Policy on FMC

Available Languages

Download Options

  • PDF     (594.9 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (704.9 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (604.1 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 24, 2024
Document ID:222535

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the procedure to configure a Correlation Policy to connect events and detect anomalies on your network.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these products:

    • Secure Firewall Management Center (FMC)
    • Secure Firewall Threat Defense (FTD)

    Components Used

    The information in this document is based on these software and hardware versions:

    • Firepower Threat Defense for VMware version 7.6.0

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Correlation Policies are used to identify potential security threats on your network by configuring different types of events, and are used for remediation, conditional alerts, and traffic policies.

    Configure

    Configure Correlation Rules

    Step 1. Navigate to Policies > Correlation and select Rule Management.

    Navigation to Correlation Policy Menu

    Image 1. Navigation to Correlation Policy Menu

    Step 2. Create a new rule by selecting Create Rule.

    Rule Creation on Rule Management Menu

    Image 2. Rule Creation on Rule Management Menu

    Step 3. Select an event type and the conditions to match the rule.

    When your rule contains multiple conditions, you must link them with AND or an OR operator.

    Rule Creation Menu

    Image 3. Rule Creation Menu

    Note: Correlation Rules must not be generic, if the rule is constantly triggered by normal traffic, this can consume additional CPU and affect FMC performance.

    Configure Alerts

    Step 1. Navigate to Policies > Actions > Alerts.

    Navigation to Alerts Menu

    Image 4. Navigation to Alerts Menu

    Step 2. Select Create Alert and create either a Syslog, SNMP or email alert.

    Create Alert

    Image 5. Create Alert

    Step 3. Verify the alert is enabled.

    Configure Correlation Policy 

    Step 1. Navigate to Policies > Correlation.

    Navigation to Correlation Policy MenuNavigation to Correlation Policy Menu

    Image 6. Navigation to Correlation Policy Menu

    Step 2. Create a new Correlation Policy. Select the default priority. Use None to use the specific rules' priorities.

    Navigation to Correlation Policy Menu

    Image 7. Create New Correlation Policy

    Step 3. Add rules to the policy by selecting Add Rules.

    Create New Correlation Policy

    Image 8. Add Rules and Select Priority for Correlation Policy

    Add Rules and Select Priority for Correlation Policy

    Image 9. Select Rules to Add to the Correlation Policy

    Step 4. Assign a response to the rule from the alerts you created, so whenever it is triggered, it sends the selected alert type.

    Select Rules to Add to the Correlation Policy

    Image 10. Add Responses' Button

    Add Responses' Button

    Image 11. Assign Responses to Correlation Rule

    Step 5. Save and enable your Correlation Policy.

    Assign Responses to Correlation Rule

    Image 12. Response Added Correctly to the Correlation Rule

    Enable Correlation Policy

    Image 13. Enable Correlation Policy

    Revision History

    Revision Publish Date Comments
    1.0
    24-Oct-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Oscar Santino Lopez Cervantes
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products