Cisco FirePOWER Appliance 8360
35-22
FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Creating a Network Discovery Policy
Security Intelligence Event IOC Types
License: FireSIGHT+Protection
Supported Devices: All except Series 2
Supported Defense Centers: All except DC500
The following IOC type is associated with Security Intelligence events, a type of connection event. The Security Intelligence feature requires a Protection license. For more information on configuring Security Intelligence and viewing Security Intelligence events, see the corresponding sections of this guide.
• CnC Connected — Security Intelligence Event - CnC
Viewing and Editing Indications of Compromise Data
License: FireSIGHT
Outside of the network discovery policy itself, you can view and edit indications of compromise (IOC) data in several other parts of the FireSIGHT System web interface:
• In the dashboard, the Threats tab of the Summary Dashboard displays, by default, IOC tags by host and new IOC rules triggered over time. The Custom Analysis widget offers presets based on IOC data. For information, see the sections of this guide that describe the dashboard and its widgets.
• The Indications of Compromise section of the Context Explorer displays graphs of hosts by IOC category and IOC categories by host. For information, see the section of this guide that describes the Context Explorer.
• Event views for discovery (IOC), connection, Security Intelligence, intrusion, and malware events display (in the IOC column) whether an event triggered an IOC rule. Endpoint-based malware events that trigger IOC rules have the event type FireAMP IOC and appear with an event subtype that specifies the compromise. You can write compliance rules against all IOC data that appears in the event viewer. For more information, see the sections of this guide that describe each of those event views.
• The Indications of Compromise tab of the network map lists hosts on your monitored network, grouped by IOC tag. For information, see the section of this guide that describes the network map.
• In the host profile view for a potentially compromised host, you can view all IOC tags associated with that host, resolve any or all of its IOC tags, and configure IOC rule states. For information, see the section of this guide that describes host profiles.
Creating a Network Discovery Policy
License: FireSIGHT