Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 37 Using Host Profiles (page 37-8)
Working with Indications of Compromise in the Host Profile
For additional information on working with IOC data in the host profile, see the following sections:
•
•
•
Editing Indication of Compromise Rule States for a Single Host
License: FireSIGHT
For your system to detect and tag indications of compromise (IOC), you must first activate the IOC feature in the discovery policy and activate at least one IOC rule (either policy-wide or for individual hosts). From the host profile, you can set the IOC rule states that apply to that individual host. For more information on configuring IOC in the discovery policy and setting policy-wide IOC rule states, see .
From the host profile, you can access and edit the list of IOC rules with the Edit Rule States link in the Indications of Compromise section. You can enable any or all rules, depending on the needs of your network and organization. For example, if hosts using software such as Microsoft Excel never appear on your monitored network, you may decide not to enable the IOC tags that pertain to Excel-based threats.
All IOC rules are predefined by Cisco; you cannot create original rules, although you can write compliance rules against triggered IOC tags. For more information, see . Each IOC rule is triggered by only one type of event (such as malware or intrusion) and corresponds to one specific IOC tag. Both rule and tag have identical Category, Event Type, and Description data for easy correspondence; the Edit page for IOC rule states also lists an event data Source for each rule, to give you a clear picture of what system features you need for a rule to trigger.
To edit Indication of Compromise rule states for a host:
Access: Admin/Any Security Analyst
Step 1 In a host profile, click Edit Rule States in the Indications of Compromise section.
The Edit Indication of Compromise Rule States page appears in a new window.
Step 2 In the Enabled column for a rule, click the slider to enable or disable it.
Step 3 Click Save.
Your changes are saved.
Viewing Source Events for Indications of Compromise
License: FireSIGHT
You can use the Indications of Compromise section to navigate quickly to the events that triggered IOC tags on a host. Analyzing these events can give you the information you need to determine what, and whether, action is required to address threats to a potentially compromised host.
Clicking the view icon next to the timestamp of an IOC tag navigates to the table view of events for the relevant event type, constrained to show only the event that triggered the IOC tag.
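The two behaviours described above (per-host IOC rule states layered on a policy-wide feature switch, and each IOC tag keeping a link back to the single event that triggered it) are easier to reason about as a small model. The following Python is an added illustration written for this page; it is not FireSIGHT code, the rule names, hosts and events are constructed, and the assumption that a host-level rule state takes precedence over the policy-wide state is ours, not a statement from the guide.

```python
"""Toy model of IOC rule states and IOC tagging (constructed example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class IocRule:
    rule_id: str       # constructed identifier, not a real Cisco rule name
    category: str
    event_type: str    # the single event type that can trigger this rule
    description: str
    source: str        # the system feature that must produce this event type


@dataclass(frozen=True)
class Event:
    event_id: int
    host_ip: str
    event_type: str
    timestamp: int


@dataclass(frozen=True)
class IocTag:
    rule: IocRule
    host_ip: str
    timestamp: int
    source_event_id: int   # the "view icon" link back to the triggering event


@dataclass
class DiscoveryPolicy:
    ioc_enabled: bool                      # the policy-wide IOC feature switch
    rule_states: Dict[str, bool]           # policy-wide enabled/disabled per rule
    host_overrides: Dict[str, Dict[str, bool]] = field(default_factory=dict)

    def set_host_rule_state(self, host_ip: str, rule_id: str, enabled: bool) -> None:
        """What the Edit Rule States page does for one host."""
        self.host_overrides.setdefault(host_ip, {})[rule_id] = enabled

    def rule_enabled(self, rule_id: str, host_ip: str) -> bool:
        # Assumption: a per-host state, when set, takes precedence over the policy-wide state.
        host_states = self.host_overrides.get(host_ip, {})
        if rule_id in host_states:
            return host_states[rule_id]
        return self.rule_states.get(rule_id, False)


# Constructed rule set; categories/descriptions are illustrative only.
RULES: List[IocRule] = [
    IocRule("R-MALWARE-1", "Malware Detected", "malware",
            "Malware file seen on host (constructed)", "Malware events"),
    IocRule("R-INTRUSION-1", "Exploit Kit", "intrusion",
            "Intrusion event matching an exploit kit (constructed)", "Intrusion events"),
    IocRule("R-OFFICE-1", "Office Document Threat", "malware",
            "Excel-based malware seen on host (constructed)", "Malware events"),
]

# Constructed sample events for two hosts.
EVENTS: List[Event] = [
    Event(101, "10.0.0.5", "malware", 1000),
    Event(102, "10.0.0.9", "intrusion", 1001),
    Event(103, "10.0.0.5", "intrusion", 1002),
    Event(104, "10.0.0.9", "connection", 1003),   # no IOC rule uses this type
]


def build_policy() -> DiscoveryPolicy:
    policy = DiscoveryPolicy(
        ioc_enabled=True,
        rule_states={"R-MALWARE-1": True, "R-INTRUSION-1": False, "R-OFFICE-1": True},
    )
    # Host 10.0.0.9 opts in to the intrusion rule; host 10.0.0.5 opts out of the Excel rule
    # (the "Excel never appears on my network" case from the guide).
    policy.set_host_rule_state("10.0.0.9", "R-INTRUSION-1", True)
    policy.set_host_rule_state("10.0.0.5", "R-OFFICE-1", False)
    return policy


def evaluate(policy: DiscoveryPolicy, rules: List[IocRule], events: List[Event]) -> List[IocTag]:
    """Tag hosts: feature must be on, and the rule must be enabled for that host."""
    if not policy.ioc_enabled:
        return []
    rules_by_type: Dict[str, List[IocRule]] = {}
    for rule in rules:
        rules_by_type.setdefault(rule.event_type, []).append(rule)
    tags: List[IocTag] = []
    for ev in events:
        for rule in rules_by_type.get(ev.event_type, []):
            if policy.rule_enabled(rule.rule_id, ev.host_ip):
                tags.append(IocTag(rule, ev.host_ip, ev.timestamp, ev.event_id))
    return tags


def source_events(tags: List[IocTag], events: List[Event], host_ip: str) -> List[Event]:
    """The constrained table view: only the events that triggered this host's IOC tags."""
    wanted = {t.source_event_id for t in tags if t.host_ip == host_ip}
    return [e for e in events if e.event_id in wanted]


def run_demo() -> List[IocTag]:
    return evaluate(build_policy(), RULES, EVENTS)


if __name__ == "__main__":
    for tag in run_demo():
        print(tag.host_ip, tag.rule.category, "<- event", tag.source_event_id)
```

Running it tags 10.0.0.5 from event 101 only (the Excel rule is disabled for that host, and the intrusion rule is off policy-wide with no host override) and tags 10.0.0.9 from event 102 via its host-level opt-in; flipping `ioc_enabled` off yields no tags at all, which mirrors the guide's requirement to activate the feature in the discovery policy first.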
For more information on the types of events and features that trigger IOC tags, see the following: