Adding Responses to Rules and Allow Lists

You can associate each correlation rule or allow list with a single response or a group of responses. If network traffic triggers multiple rules or allow lists, the system launches all the responses associated with each triggered rule and allow list. Note that an Nmap remediation does not launch when used as a response to a traffic profile change.

In a multidomain deployment, you can use responses created in the current domain or in ancestor domains.

Procedure


Step 1

In the correlation policy editor, next to a rule or allow list where you want to add responses, click Responses (comment icon).

Step 2

Under Unassigned Responses, choose the responses you want to launch when the rule or allow list triggers, and click the up arrow (^).

Step 3

Click Update.