Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 37 Using Host Profiles
The system detects IP addresses associated with hosts and, where supported, groups multiple IP
addresses used by the same host. IPv6 hosts usually have at least two IPv6 addresses: local-only and
globally routable. They may also have one or more assigned IPv4 addresses. IPv4-only hosts may have
multiple IPv4 addresses.
The host profile lists all detected IP addresses associated with that host. Where available, IP addresses
also feature a small flag icon and ISO country code that indicate the associated country. You can click
the flag icon or country code for further geolocation details. For more information, see
Note that only the first three addresses are shown by default. Click show all to show all addresses for a host.
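As an added example (not code from the guide or from the FireSIGHT product), the following Python sorts a host's detected addresses into the classes the host profile distinguishes: IPv4, local-only IPv6 (link-local fe80::/10, unique-local fc00::/7, loopback) and globally routable IPv6, and applies the default three-address display limit. The sample address list is constructed; the 2001:db8::/32 documentation prefix stands in for a globally routable address.

```python
import ipaddress
from typing import Dict, List

# Unique-local address space (RFC 4193); with link-local (fe80::/10) and loopback this
# is what the host profile calls a "local-only" IPv6 address.
ULA = ipaddress.ip_network("fc00::/7")
DEFAULT_SHOWN = 3  # the profile shows the first three addresses until "show all" is clicked


def classify(addr: str) -> str:
    """Return 'ipv4', 'ipv6-local' or 'ipv6-global' for one detected address string."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    if ip.version == 4:
        return "ipv4"
    if ip.is_link_local or ip.is_loopback or ip.is_unspecified or ip in ULA:
        return "ipv6-local"
    # Anything else is treated as globally routable; note that 2001:db8::/32 is
    # documentation space and is used here only as a stand-in for a real global address.
    return "ipv6-global"


def summarize_host(addrs: List[str]) -> Dict[str, List[str]]:
    """Group all addresses the system associated with one host, preserving detection order."""
    groups: Dict[str, List[str]] = {"ipv4": [], "ipv6-local": [], "ipv6-global": []}
    for a in addrs:
        groups[classify(a)].append(a)
    return groups


def shown_addresses(addrs: List[str], show_all: bool = False) -> List[str]:
    """Addresses listed in the profile: the first three by default, all after 'show all'."""
    return list(addrs) if show_all else list(addrs)[:DEFAULT_SHOWN]


# Constructed sample: a dual-stack host with two IPv4 addresses, a link-local, a ULA and a global IPv6.
SAMPLE_HOST_ADDRESSES = [
    "fe80::1c2b:3d4e:5f60:7a8b",
    "2001:db8:1::10",
    "10.20.30.40",
    "fd12:3456:789a::1",
    "192.168.1.5",
]

if __name__ == "__main__":
    for kind, addrs in summarize_host(SAMPLE_HOST_ADDRESSES).items():
        print(f"{kind:12} {addrs}")
    print("shown by default:", shown_addresses(SAMPLE_HOST_ADDRESSES))
```

The classification uses only the address itself; the guide's "globally routable" is a property of the prefix, so a ULA or link-local address that happens to appear in a connection event still counts as local-only here.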
Working with Indications of Compromise in the Host Profile
License: FireSIGHT
The FireSIGHT System can correlate various types of data (intrusion events, Security Intelligence,
connection events, and file or malware events) associated with hosts to determine whether a host on your
monitored network is likely to be compromised by malicious means. Certain combinations and
frequencies of event data trigger indications of compromise (IOC) tags on affected hosts. The Indications
of Compromise section of the host profile displays all IOC tags for a host. In this section, you can view
details of the threats facing the host, jump to the events that triggered an IOC tag, edit IOC rule states,
as well as resolve IOC tags that are no longer relevant.
To use the IOC feature, you must activate the feature and at least one IOC rule in your discovery policy.
You can also edit IOC rule states for individual hosts from that host’s host profile page. Each IOC rule
corresponds to one type of IOC tag; you can activate any or all rules depending on your organization’s
needs. For more information on IOC in the discovery policy and overall, see .
In addition to its presence in the host profile, you can also analyze IOC data in the event viewer. For
more information, see .
Descriptions of the IOC information fields displayed in the host profile follow.
IP Address
The IP address associated with the host that triggered the IOC.
Category
Brief description of the type of compromise indicated, such as Malware Executed or Impact 1 Attack.
Event Type
Identifier associated with a specific Indication of Compromise (IOC), referring to the event that
triggered it.
Description
Description of what threatens the potentially compromised host, such as This host may be under
remote control or Malware has been executed on this host.
First/Last Seen
The first (or most recent) date and time that events triggering a host’s IOC occurred.
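The correlation described in this section (events of several types feeding per-host IOC rules, each rule producing one tag category, with per-host rule states and tag resolution) is shown below as an added Python example. It is not FireSIGHT code and does not reproduce the product's rule logic: the event records, the rule predicates, the "CnC Connected" category name, the Impact 1 description wording and the two-event threshold for the remote-control rule are all assumptions; only the Malware Executed and Impact 1 Attack categories and the two descriptions quoted above come from the guide.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class IocRule:
    """One IOC rule as enabled in the discovery policy. Each rule produces one tag category."""
    category: str
    description: str
    matches: Callable[[dict], bool]  # predicate over a single correlated event record
    min_events: int = 1              # frequency threshold before the tag is set


@dataclass
class IocTag:
    """The fields the host profile shows for one indication of compromise."""
    ip_address: str
    category: str
    event_type: str
    description: str
    first_seen: int
    last_seen: int
    event_count: int


# Illustrative rule set. The Impact 1 wording, the "CnC Connected" name and the
# threshold of two events are assumptions; the other strings are quoted from the guide.
RULES: List[IocRule] = [
    IocRule("Impact 1 Attack", "An intrusion event with impact 1 targeted this host",
            lambda e: e["type"] == "intrusion" and e.get("impact") == 1),
    IocRule("Malware Executed", "Malware has been executed on this host",
            lambda e: e["type"] == "malware" and e.get("action") == "executed"),
    IocRule("CnC Connected", "This host may be under remote control",
            lambda e: e["type"] == "security_intelligence" and e.get("category") == "CnC",
            min_events=2),
]


class IocTagger:
    """Correlates per-host events into IOC tags, with per-host rule states and tag resolution."""

    def __init__(self, rules: List[IocRule]):
        self.rules = rules
        self.disabled: Dict[str, Set[str]] = {}              # host -> categories switched off
        self.pending: Dict[Tuple[str, str], List[int]] = {}  # (host, category) -> event timestamps
        self.tags: Dict[Tuple[str, str], IocTag] = {}        # (host, category) -> active tag

    def set_rule_state(self, host: str, category: str, enabled: bool) -> None:
        """Edit one IOC rule's state for a single host, as done from its host profile page."""
        off = self.disabled.setdefault(host, set())
        if enabled:
            off.discard(category)
        else:
            off.add(category)
            self.tags.pop((host, category), None)
            self.pending.pop((host, category), None)

    def resolve(self, host: str, category: str) -> bool:
        """Clear a tag that is no longer relevant; later events must re-trigger it from scratch."""
        self.pending.pop((host, category), None)
        return self.tags.pop((host, category), None) is not None

    def ingest(self, event: dict) -> List[IocTag]:
        """Feed one event; returns tags newly set by it (existing tags are updated in place)."""
        host, ts = event["host"], event["ts"]
        created: List[IocTag] = []
        for rule in self.rules:
            if rule.category in self.disabled.get(host, set()) or not rule.matches(event):
                continue
            key = (host, rule.category)
            seen = self.pending.setdefault(key, [])
            seen.append(ts)
            if len(seen) < rule.min_events:
                continue  # frequency threshold not yet reached
            tag = self.tags.get(key)
            if tag is None:
                tag = IocTag(host, rule.category, event["type"], rule.description,
                             min(seen), max(seen), len(seen))
                self.tags[key] = tag
                created.append(tag)
            else:
                tag.first_seen = min(tag.first_seen, ts)
                tag.last_seen = max(tag.last_seen, ts)
                tag.event_count = len(seen)
        return created

    def host_profile(self, host: str) -> List[IocTag]:
        """The Indications of Compromise section for one host, oldest tag first."""
        return sorted((t for (h, _), t in self.tags.items() if h == host),
                      key=lambda t: t.first_seen)


# Constructed sample events (not real FireSIGHT output); ts is a simple ordinal timestamp.
SAMPLE_EVENTS = [
    {"type": "intrusion", "host": "10.0.0.5", "ts": 100, "impact": 1},
    {"type": "security_intelligence", "host": "10.0.0.5", "ts": 110, "category": "CnC"},
    {"type": "malware", "host": "10.0.0.7", "ts": 120, "action": "executed"},
    {"type": "security_intelligence", "host": "10.0.0.5", "ts": 130, "category": "CnC"},
    {"type": "intrusion", "host": "10.0.0.5", "ts": 140, "impact": 1},
    {"type": "intrusion", "host": "10.0.0.9", "ts": 150, "impact": 3},  # impact 3: no IOC
]


def run_sample() -> IocTagger:
    tagger = IocTagger(RULES)
    for ev in SAMPLE_EVENTS:
        tagger.ingest(ev)
    return tagger


if __name__ == "__main__":
    t = run_sample()
    for host in ("10.0.0.5", "10.0.0.7", "10.0.0.9"):
        for tag in t.host_profile(host):
            print(f"{tag.ip_address:10} {tag.category:17} {tag.event_type:22} "
                  f"first={tag.first_seen} last={tag.last_seen} events={tag.event_count}")
```

Two behaviours worth noting: resolving a tag also discards the pending event count, so a rule with a frequency threshold has to be satisfied again before the tag reappears; and disabling a rule for one host both removes its existing tag and stops further events from recreating it, which is what editing an IOC rule state from the host profile is for.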