Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 36 Using the Network Map
Working with the Indications of Compromise Network Map
network devices identified by a MAC address. This network map view also provides a count of all unique
network devices detected by the system, regardless of whether the devices have one IP address or
multiple IP addresses.
If you create a custom topology for your network, the labels you assign to your subnets appear in the
network devices network map.
The methods the system uses to distinguish network devices include:
• the analysis of Cisco Discovery Protocol (CDP) messages, which can identify network devices and their types (Cisco devices only)
• the detection of the Spanning Tree Protocol (STP), which identifies a device as a switch or bridge
• the detection of multiple hosts using the same MAC address, which identifies the MAC address as belonging to a router
• the detection of TTL value changes from the client side, or TTL values that change more frequently than a typical boot time, which identify NAT devices and load balancers
If a network device communicates using CDP, it may have one or more IP addresses. If it communicates
using STP, it may only have a MAC address.
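The four heuristics listed above can be sketched as a passive classifier over observed traffic. This is an added example, not Cisco's implementation: the function name `classify_devices`, the thresholds, the label strings and the sample observations are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds; the guide does not state the values the product uses.
ROUTER_MIN_IPS = 3          # distinct source IPs seen behind one MAC
TYPICAL_BOOT_SECONDS = 60   # one host cannot reboot into another OS faster
MIN_FAST_TTL_CHANGES = 2    # fast TTL flips needed to flag NAT/load balancer


def classify_devices(observations):
    """Label devices from (ts, mac, ip, ttl, proto) tuples; ip and ttl are None
    for layer-2 frames. Returns {MAC, or IP for NAT: set of labels}."""
    labels, ips_by_mac, ttl_series = defaultdict(set), defaultdict(set), defaultdict(list)
    for ts, mac, ip, ttl, proto in sorted(observations, key=lambda o: o[0]):
        if proto == "CDP":        # CDP advertisement: Cisco network device
            labels[mac].add("cisco-network-device")
        elif proto == "STP":      # STP BPDU: switch or bridge, MAC only
            labels[mac].add("switch-or-bridge")
        elif ip is not None:
            ips_by_mac[mac].add(ip)
            if ttl is not None:
                ttl_series[ip].append((ts, ttl))
    for mac, ips in ips_by_mac.items():    # many hosts, one MAC: router
        if len(ips) >= ROUTER_MIN_IPS:
            labels[mac].add("router")
    for ip, series in ttl_series.items():  # TTL flips faster than a reboot
        fast = sum(1 for (t0, a), (t1, b) in zip(series, series[1:])
                   if a != b and t1 - t0 < TYPICAL_BOOT_SECONDS)
        if fast >= MIN_FAST_TTL_CHANGES:
            labels[ip].add("nat-or-load-balancer")
    return dict(labels)


# Constructed observations (documentation IP ranges and MAC prefix).
SAMPLE = [
    (0, "00:00:5e:00:53:01", "192.0.2.1", None, "CDP"),
    (1, "00:00:5e:00:53:02", None, None, "STP"),
    (2, "00:00:5e:00:53:03", "198.51.100.10", 63, "IP"),
    (3, "00:00:5e:00:53:03", "198.51.100.11", 63, "IP"),
    (4, "00:00:5e:00:53:03", "198.51.100.12", 63, "IP"),
    (10, "00:00:5e:00:53:04", "203.0.113.5", 64, "IP"),
    (12, "00:00:5e:00:53:04", "203.0.113.5", 128, "IP"),
    (15, "00:00:5e:00:53:04", "203.0.113.5", 64, "IP"),
    (20, "00:00:5e:00:53:05", "203.0.113.9", 64, "IP"),
    (4000, "00:00:5e:00:53:05", "203.0.113.9", 128, "IP"),
]

if __name__ == "__main__":
    print(classify_devices(SAMPLE))
```

The last two sample rows show the boot-time distinction: a single TTL change more than an hour apart is consistent with one host rebooting into a different operating system, so that address is not flagged.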
You cannot delete network devices from the network map, because the system uses their locations to
determine network topology (including generating network hops and TTL values for monitored hosts).
The host profile for a network device has a Systems section rather than an Operating Systems section,
which includes a Hardware column that reflects the hardware platform for any mobile devices detected
behind the network device. If a value for a hardware platform is listed under Systems, that system
represents a mobile device or devices detected behind the network device. Note that mobile devices may
or may not have hardware platform information, but hardware platform information is never detected for
systems that are not mobile devices.
To view the network devices network map:
Access: Admin/Any Security Analyst
Step 1 Select Analysis > Hosts > Network Map > Network Devices.
The network devices network map appears, displaying a count of unique network devices and a list of
network device IP addresses and MAC addresses. Each address or partial address is a link to the next
level of addresses or to the host profile for an individual host.
Step 2 Drill down to the specific IP address or MAC address of the network device you want to investigate.
The host profile for the network device appears. For more information on host profiles, see
.
Step 3 Optionally, to filter by IP or MAC addresses, type an address in the search field. To clear the search, click the clear icon.
Working with the Indications of Compromise Network Map
License: FireSIGHT
Use the indications of compromise (IOC) network map to view the compromised hosts on your network,
organized by IOC category. Affected hosts are listed beneath each category.