1
00:00:00,540 --> 00:00:07,560
The Firepower Management Center can be configured with correlation policies that can send alerts and

2
00:00:07,560 --> 00:00:15,390
even take action if specific events that you define are triggered. To help show you how you can build

3
00:00:15,390 --> 00:00:19,160
correlation rules to distinguish significant alerts,

4
00:00:19,170 --> 00:00:26,580
I'm going to get into the lab Firepower Management Center to build a correlation rule.

5
00:00:26,580 --> 00:00:26,880
All right.

6
00:00:26,880 --> 00:00:34,170
So to start off with our correlation policies, we're going to want to go to Policies and then Correlation.

7
00:00:39,970 --> 00:00:40,370
Okay.

8
00:00:40,370 --> 00:00:49,040
So before I create a correlation policy, first I want to make my rule that will be used to match on an

9
00:00:49,040 --> 00:01:01,080
event, so I'll go to the Rule Management tab and then Create Rule.

10
00:01:01,140 --> 00:01:10,390
So for this example I'm going to create a correlation for if there are any malware events, so I'll call

11
00:01:10,390 --> 00:01:16,760
this rule "malware events".

12
00:01:16,850 --> 00:01:20,600
So here we have intrusion events; you can match on discovery.

13
00:01:20,600 --> 00:01:25,430
So you could actually trigger an event on a Firepower

14
00:01:25,430 --> 00:01:29,030
notice that there was a new Saab introduced to the Firepower

15
00:01:29,090 --> 00:01:40,300
topology, user, misconnection, but I'm going to select "a malware event occurs" and then I'm going to select

16
00:01:40,330 --> 00:01:47,680
a network-based malware detection, because I have Firepower appliances within the lab network and I

17
00:01:47,680 --> 00:01:53,740
don't have the AMP endpoint-based solution within the lab, so I'm just going to match on network-based malware

18
00:01:53,740 --> 00:01:54,670
detection.

19
00:01:55,000 --> 00:02:00,520
And then if you wanted to be more specific, if you hit this dropdown you could choose things like which

20
00:02:00,520 --> 00:02:07,650
application protocol you want it to match on, file type, IP addressing.

21
00:02:07,840 --> 00:02:15,160
I'm going to choose the disposition, which is the status of the file: is it a clean file, unknown, or malware.

22
00:02:15,160 --> 00:02:18,300
And then malware is the default option.

23
00:02:18,340 --> 00:02:21,570
So I just want to know if any network-based malware events occur in my network.

24
00:02:21,640 --> 00:02:23,440
I want to be notified.

25
00:02:23,890 --> 00:02:26,620
So I'll hit Save.

26
00:02:26,710 --> 00:02:30,560
So we have a rule, which is the event we're matching on.

27
00:02:30,670 --> 00:02:38,680
And then ultimately when we create our policy, that's going to say if this event occurs we're going to

28
00:02:39,160 --> 00:02:40,870
apply this action.

29
00:02:40,870 --> 00:02:42,390
So we haven't created our action yet.

30
00:02:42,400 --> 00:02:44,540
So let's go ahead and do that.

31
00:02:44,680 --> 00:02:48,280
We'll go to Actions and then Alerts.

32
00:02:52,010 --> 00:02:52,870
As you can see here,

33
00:02:52,870 --> 00:02:55,660
I already have a syslog alert defined.

34
00:02:55,850 --> 00:03:06,720
But for this example we'll create an SNMP alert. SNMP trap server IP address

35
00:03:12,630 --> 00:03:18,920
and my SNMP information, using SNMP version 3.

36
00:03:19,970 --> 00:03:22,060
That's kind of lame that you can only select DES.

37
00:03:22,070 --> 00:03:28,540
I would think that on a secure device like this you could pick AES or something, but it's only DES.

38
00:03:28,580 --> 00:03:29,990
So, no big deal.

39
00:03:32,800 --> 00:03:33,420
Save.

40
00:03:36,530 --> 00:03:43,450
All right, now that we have our alert created, as you can see here it shows that it's not in use but it

41
00:03:43,450 --> 00:03:51,730
is enabled, so once we create our policy and tie our rule and alert together it'll show as in use.

42
00:03:51,970 --> 00:03:54,340
So we'll go back to Policies and Correlation

43
00:04:01,100 --> 00:04:04,980
and we'll create a new correlation policy.

44
00:04:10,290 --> 00:04:14,880
All right, so I'll call this "malware policy".

45
00:04:17,530 --> 00:04:19,650
Then we have to add our rule to it.

46
00:04:20,540 --> 00:04:23,130
So we'll choose our malware events rule.

47
00:04:23,360 --> 00:04:24,050
Click Add.

48
00:04:29,530 --> 00:04:34,770
So in other words, the policy knows what to match on.

49
00:04:34,770 --> 00:04:37,200
We have to give it a response.

50
00:04:37,200 --> 00:04:45,100
So we'll go here to the Responses button and then we'll assign a response to it.

51
00:04:45,770 --> 00:04:57,430
So I select my SNMP alert and the other one I created, push it up, and hit Update.

52
00:04:57,430 --> 00:04:58,330
All right, so that's it.

53
00:04:58,330 --> 00:05:04,660
Now we have our malware policy defined in Firepower so that we can be alerted if there are any significant

54
00:05:04,990 --> 00:05:06,580
malware events.