Cisco Firepower Management Center 4000
FireSIGHT System User Guide
35-20
Chapter 35 Introduction to Network Discovery
In addition, Cisco strongly recommends that you configure your NetFlow-enabled devices to output records only when monitored sessions close. If you configure your NetFlow-enabled devices to output records at fixed intervals, analyzing the connection data derived from the NetFlow records may be more complicated; see .
Finally, note that the Sampled NetFlow feature available on some NetFlow-enabled devices collects NetFlow statistics on only a subset of packets that pass through the devices. Although enabling this feature can improve CPU utilization on the NetFlow-enabled device, it may affect the data you are collecting for analysis by the system.
Understanding Indications of Compromise
License: FireSIGHT
As a part of network discovery, the FireSIGHT System’s Data Correlator can correlate various types of data (intrusion events, Security Intelligence, connection events, and malware events) associated with hosts to determine whether a host on your monitored network is likely to be compromised by malicious means. These correlations are known as indications of compromise (IOC). You activate this feature by enabling it and any of many Cisco-predefined IOC rules in the discovery policy editor. When the feature is enabled, you can also edit rule states for individual hosts from that host’s host profile. Each IOC rule corresponds to one specific IOC tag, which is associated with a host.
In addition to the Data Correlator, endpoint-based Collective Security Intelligence Cloud data can also generate IOC tags from IOC rules. Because this data examines activity on a host itself — such as actions taken by or on individual programs — it can provide insights into possible threats that network-only data cannot. FireAMP IOC data from endpoints is transmitted via the FireAMP cloud connection.
Hosts with active IOC tags appear in the IP Address columns of event views with a compromised host icon instead of the normal host icon. Event views for events that can trigger IOC tags indicate whether an event triggered an IOC.
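The rule-to-tag model described above, as an added example that is not Cisco's code: each rule maps one kind of host-associated event to exactly one IOC tag, a rule only fires when its source feature is available, and a per-host rule state edited from the host profile overrides the discovery-policy state. Rule names, tag names, event fields and sample events are constructed for illustration.

```python
# Added example, not Cisco's code: a minimal model of how enabled IOC rules turn
# host-associated events into IOC tags, as the text above describes.
from dataclasses import dataclass

@dataclass
class IocRule:
    name: str        # rule name as enabled in the discovery policy
    tag: str         # each rule corresponds to exactly one IOC tag
    event_type: str  # feature whose event data the rule consumes
    match: dict      # field values the event must carry to trigger the rule

# Constructed rules; real FireSIGHT rules are Cisco-predefined.
RULES = [
    IocRule("endpoint-malware-executed", "Malware Executed", "malware", {"source": "endpoint"}),
    IocRule("intrusion-exploit-kit", "Exploit Kit", "intrusion", {"category": "exploit-kit"}),
    IocRule("si-cnc-connection", "CnC Connected", "connection", {"si_category": "CnC"}),
]

def correlate(events, enabled_rules, available_features, host_overrides=None):
    """Return {host_ip: set(tags)} for events that trigger an enabled IOC rule.

    enabled_rules: rule names enabled in the discovery policy.
    available_features: event sources that are licensed and active; a rule whose feature is unavailable never sets its tag.
    host_overrides: {host_ip: {rule_name: bool}} per-host rule states from the host profile; they override the policy state.
    """
    host_overrides = host_overrides or {}
    tags = {}
    for ev in events:
        for rule in RULES:
            policy_state = rule.name in enabled_rules
            enabled = host_overrides.get(ev["host"], {}).get(rule.name, policy_state)
            if not enabled or rule.event_type not in available_features:
                continue
            if rule.event_type == ev["type"] and all(ev.get(k) == v for k, v in rule.match.items()):
                tags.setdefault(ev["host"], set()).add(rule.tag)
    return tags

def host_icon(host, tags):
    """Event views mark a host that has any active IOC tag with the compromised-host icon."""
    return "compromised" if tags.get(host) else "normal"

# Constructed sample events from several FireSIGHT data sources.
SAMPLE_EVENTS = [
    {"type": "intrusion", "host": "10.0.0.5", "category": "exploit-kit"},
    {"type": "connection", "host": "10.0.0.5", "si_category": "CnC"},
    {"type": "malware", "host": "10.0.0.9", "source": "endpoint"},
    {"type": "connection", "host": "10.0.0.7", "si_category": "none"},
]
```

Dropping "malware" from the available features models a deployment without the FireAMP cloud subscription: the endpoint malware rule stays silent even though it is enabled in the policy.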
Understanding Indications of Compromise Types
License: FireSIGHT
There are several tens of Indications of Compromise (IOC) rule and tag types. All are Cisco-predefined, and one IOC rule corresponds to one IOC tag. Because IOC rules trigger based on data provided by other features of the FireSIGHT System (and, for some events, the FireAMP cloud), those features must be available and active for IOC rules to set IOC tags. The lists below detail IOC rule types, the features with which they are associated, and any additional licensing requirements (beyond the FireSIGHT license required for network discovery):
  •
  •
  •
Endpoint-Based Malware Event IOC Types
License: FireSIGHT
The following IOC types are associated with endpoint-based malware events, which require a FireAMP cloud subscription. For more information on configuring endpoint-based malware protection, see
 an