FireSIGHT System User Guide
 
Chapter 37      Using Host Profiles
To view source events for an Indications of Compromise tag:
Access: Admin/Any Security Analyst
Step 1 In the host profile's Indications of Compromise section, click the view icon in the First Seen or Last Seen column for the IOC tag you want to investigate.
The table view of events for the event type that triggered the IOC appears, constrained to show only the triggering event. If you are viewing the host profile page in a separate window, the event view appears in the main window.
Resolving Indications of Compromise
License: FireSIGHT
After you have analyzed and addressed the threats indicated by an IOC tag, or if you determine that an IOC tag represents a false positive, you can mark the tag resolved. Marking an IOC tag resolved removes it from the host profile; when all active IOC tags on a host are resolved, the host no longer appears marked with the compromised host icon. Note that you can still view the IOC-triggering events for the resolved IOC.
If the events that triggered a host's IOC tag recur, the tag is set again. You can resolve individual IOC tags on a host or mark all of a host's tags as resolved.
To resolve an Indications of Compromise tag:
Access: Admin/Any Security Analyst
Step 1 In the host profile's Indications of Compromise section, you have two options:
  • To mark an individual IOC tag resolved, click the resolve icon to the right of the tag you want to resolve.
  • To mark all IOC tags on a host resolved, click Mark All Resolved.
Your changes are saved and the IOC tags you selected are removed.
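The IOC tag lifecycle described in the two sections above (a tag is set by a triggering event, resolving removes it from the profile, the compromised-host marking clears only when every active tag is resolved, a recurring event sets the tag again, and the triggering events stay viewable) as an added Python model. This is an illustration written for this page, not FireSIGHT code; the tag names, event strings and integer timestamps are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class IocTag:
    name: str
    first_seen: int                      # constructed integer timestamps
    last_seen: int
    events: list = field(default_factory=list)  # triggering events, kept after resolve
    resolved: bool = False

class HostProfile:
    def __init__(self) -> None:
        self.tags: dict[str, IocTag] = {}

    def record_event(self, tag_name: str, ts: int, event: str) -> IocTag:
        # A triggering event sets the tag; a recurrence after a resolve sets it again.
        tag = self.tags.get(tag_name)
        if tag is None:
            tag = self.tags[tag_name] = IocTag(tag_name, ts, ts)
        tag.last_seen = max(tag.last_seen, ts)
        tag.resolved = False
        tag.events.append(event)
        return tag

    def active_tags(self) -> list[str]:
        # Resolved tags are removed from the host profile view.
        return sorted(t.name for t in self.tags.values() if not t.resolved)

    def is_compromised(self) -> bool:
        # The compromised-host icon stays until every active tag is resolved.
        return bool(self.active_tags())

    def resolve(self, tag_name: str) -> None:
        self.tags[tag_name].resolved = True

    def mark_all_resolved(self) -> None:
        for tag in self.tags.values():
            tag.resolved = True

def demo() -> dict:
    host = HostProfile()  # constructed sample tag names and events
    host.record_event("intrusion-event", 100, "intrusion event 1")
    host.record_event("malware-detected", 120, "malware event 1")
    host.resolve("intrusion-event")
    one_left = host.is_compromised()      # True: one tag still active
    host.mark_all_resolved()
    all_clear = host.is_compromised()     # False: no active tags
    host.record_event("malware-detected", 150, "malware event 2")  # recurrence
    return {"one_left": one_left, "all_clear": all_clear, "active": host.active_tags(),
            "kept": host.tags["intrusion-event"].events}  # still viewable after resolve
```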
Working with Operating Systems in the Host Profile
License: FireSIGHT
The system passively detects the identity of the operating system running on a host by analyzing the network and application stack in traffic generated by the host or by analyzing host data reported by the User Agent. The system also collates operating system information from other sources, such as the Nmap