FireSIGHT System User Guide (Cisco Firepower Management Center 4000), Chapter 37: Using Host Profiles, page 37-9
To view source events for an Indications of Compromise tag:
Access: Admin/Any Security Analyst
Step 1 In the host profile's Indications of Compromise section, click the view icon in the First Seen or Last Seen column for the IOC tag you want to investigate.
The table view of events for the event type that triggered the IOC appears, constrained to show only the triggering event. If you are viewing the host profile page in a separate window, the event view appears in the main window.
Resolving Indications of Compromise
License: FireSIGHT
After you have analyzed and addressed the threats indicated by an IOC tag, or if you determine that an IOC tag represents a false positive, you can mark the tag resolved. Marking an IOC tag resolved removes it from the host profile; when all active IOC tags on a host are resolved, the host no longer appears marked with the compromised host icon. Note that you can still view the IOC-triggering events for a resolved IOC.
If the events that triggered a host's IOC tag recur, the tag is set again. You can resolve individual IOC tags on a host or mark all of a host's tags as resolved.
To resolve an Indications of Compromise tag:
Access: Admin/Any Security Analyst
Step 1 In the host profile's Indications of Compromise section, you have two options:
• To mark an individual IOC tag resolved, click the resolve icon to the right of the tag you want to resolve.
• To mark all IOC tags on a host resolved, click Mark All Resolved.
Your changes are saved and the IOC tags you selected are removed.
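The IOC tag lifecycle described in this section (a tag is set by a triggering event, hidden from the host profile once resolved, set again if the triggering event recurs, and its source events stay viewable), as an added Python model that is not FireSIGHT code; the host address, IOC category names, timestamps and event identifiers are constructed for illustration:

```python
from dataclasses import dataclass, field

@dataclass
class IocTag:
    category: str
    first_seen: int   # constructed epoch seconds of the first triggering event
    last_seen: int
    resolved: bool = False
    trigger_events: list = field(default_factory=list)  # viewable after resolve

class HostProfile:
    def __init__(self, ip: str):
        self.ip = ip
        self.tags: dict[str, IocTag] = {}

    def on_event(self, category: str, ts: int, event_id: str) -> None:
        """Apply an IOC-triggering event: create the tag, or set it again if it recurs."""
        tag = self.tags.get(category)
        if tag is None:
            tag = self.tags[category] = IocTag(category, ts, ts)
        tag.last_seen = max(tag.last_seen, ts)
        tag.resolved = False  # a recurring trigger re-sets a resolved tag
        tag.trigger_events.append(event_id)

    def resolve(self, category: str) -> None:
        self.tags[category].resolved = True

    def mark_all_resolved(self) -> None:
        for tag in self.tags.values():
            tag.resolved = True

    def active_tags(self) -> list[str]:
        """Tags shown in the Indications of Compromise section; resolved ones are hidden."""
        return sorted(c for c, t in self.tags.items() if not t.resolved)

    def is_compromised(self) -> bool:
        return bool(self.active_tags())  # compromised-host icon shows while any tag is active

    def source_events(self, category: str) -> list[str]:
        """The view icon still reaches the triggering events of a resolved tag."""
        return list(self.tags[category].trigger_events)

# Constructed event stream for one host: one tag resolved, then re-triggered
def demo() -> HostProfile:
    h = HostProfile("192.0.2.10")
    h.on_event("Malware Executed", 1000, "ev-1")
    h.on_event("CnC Connected", 1100, "ev-2")
    h.resolve("Malware Executed")
    h.on_event("Malware Executed", 1200, "ev-3")  # recurrence sets the tag again
    return h
```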
Working with Operating Systems in the Host Profile
License: FireSIGHT
The system passively detects the identity of the operating system running on a host by analyzing the network and application stack in traffic generated by the host or by analyzing host data reported by the User Agent. The system also collates operating system information from other sources, such as the Nmap