FireSIGHT System User Guide (Cisco Firepower Management Center 4000)
Chapter 37      Using Host Profiles
Working with Indications of Compromise in the Host Profile
For additional information on working with IOC data in the host profile, see the following sections:
Editing Indication of Compromise Rule States for a Single Host
License: FireSIGHT
For your system to detect and tag indications of compromise (IOC), you must first activate the IOC feature in the discovery policy and activate at least one IOC rule (either policy-wide or for individual hosts). From the host profile, you can set the IOC rule states that apply to that individual host. For more information on configuring IOC in the discovery policy and setting policy-wide IOC rule states, see .
From the host profile, you can access and edit the list of IOC rules with the Edit Rule States link in the Indications of Compromise section. You can enable any or all rules, depending on the needs of your network and organization. For example, if hosts using software such as Microsoft Excel never appear on your monitored network, you may decide not to enable the IOC tags that pertain to Excel-based threats.

All IOC rules are predefined by Cisco; you cannot create original rules, although you can write compliance rules against triggered IOC tags. For more information, see . Each IOC rule is triggered by only one type of event (such as malware or intrusion) and corresponds to one specific IOC tag. Both rule and tag have identical Category, Event Type, and Description data for easy correspondence; the Edit page for IOC rule states also lists an event data Source for each rule, to give you a clear picture of which system features you need for a rule to trigger.
To edit Indication of Compromise rule states for a host:
Access: Admin/Any Security Analyst
Step 1      In a host profile, click Edit Rule States in the Indications of Compromise section.
The Edit Indication of Compromise Rule States page appears in a new window.
Step 2      In the Enabled column for a rule, click the slider to enable or disable it.
Step 3      Click Save.
Your changes are saved.
Viewing Source Events for Indications of Compromise
License: FireSIGHT
You can use the Indications of Compromise section to navigate quickly to the events that triggered IOC tags on a host. Analyzing these events can give you the information you need to determine whether action is required to address threats to a potentially compromised host, and what that action should be.

Clicking the view icon next to the timestamp of an IOC tag navigates to the table view of events for the relevant event type, constrained to show only the event that triggered the IOC tag.

For more information on the types of events and features that trigger IOC tags, see the following: