Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 35      Introduction to Network Discovery 
  Creating a Network Discovery Policy
Security Intelligence Event IOC Types
License: FireSIGHT+Protection
Supported Devices: All except Series 2
Supported Defense Centers: All except DC500
The following IOC type is associated with Security Intelligence events, a type of connection event. The 
Security Intelligence feature requires a Protection license. For more information on configuring Security 
Intelligence and viewing Security Intelligence events, see 
 and 
.
  • CnC Connected — Security Intelligence Event - CnC
Viewing and Editing Indications of Compromise Data
License: FireSIGHT
Outside of the network discovery policy itself, you can view and edit indications of compromise (IOC) 
data in several other parts of the FireSIGHT System web interface:
  • In the dashboard, the Threats tab of the Summary Dashboard displays, by default, IOC tags by host
    and new IOC rules triggered over time. The Custom Analysis widget offers presets based on IOC
    data. For information, see  and
  • The Indications of Compromise section of the Context Explorer displays graphs of hosts by IOC
    category and IOC categories by host. For information, see
  • Event views for discovery (IOC), connection, Security Intelligence, intrusion, and malware events
    display (in the IOC column) whether an event triggered an IOC rule. Endpoint-based malware events
    that trigger IOC rules have the event type FireAMP IOC and appear with an event subtype that
    specifies the compromise. You can write compliance rules against all IOC data that appears in the
    event viewer. For more information, see the following sections:
  •
  •
  •
  •
  •
  • The Indications of Compromise tab of the network map lists hosts on your monitored network,
    grouped by IOC tag. For information, see .
  • In the host profile view for a potentially compromised host, you can view all IOC tags associated
    with that host, resolve any or all of its IOC tags, and configure IOC rule states. For information, see .
Creating a Network Discovery Policy
License: FireSIGHT