FireSIGHT System User Guide

Chapter 38      Working with Discovery Events
  Working with Indications of Compromise
Viewing Indications of Compromise
License: FireSIGHT

You can use the Defense Center to view a table of triggered Indications of Compromise (IOC). Then, you can manipulate the event view depending on the information you are looking for.

The page you see when you access IOC depends on the workflow you use. Both predefined IOC workflows terminate in a host view, which contains a host profile for every host that meets your constraints. You can also create a custom workflow that displays only the information that matches your specific needs. For more information, see .
The following table describes some of the specific actions you can perform on an IOC workflow page. You can also perform the tasks described in the  table.

Table 38-7      Indication of Compromise Actions

To...                                           You can...
learn more about the contents of the            find more information in
columns in the table

view the host profile for a compromised         click the compromised host icon ( ) in the
host                                            IP Address column.

mark selected IOC events resolved so            select the check boxes next to the IOC events
they no longer appear in the list               you want to edit, then click Mark Resolved.
                                                For more information, see .

view details of events that triggered the       click the view icon ( ) in the First Seen or
IOC                                             Last Seen columns.

To view indications of compromise:
Access: Admin/Any Security Analyst

Step 1   Select Analysis > Hosts > Indications of Compromise.
         The first page of the default indications of compromise (IOC) workflow appears. To use a different workflow, including a custom workflow, click (switch workflow). For information on specifying a different default workflow, see .

Tip      If you are using a custom workflow that does not include the IOC table view, click (switch workflow), then select Indications of Compromise.

Understanding the Indications of Compromise Table
License: FireSIGHT

The FireSIGHT System correlates various types of event data associated with hosts to determine whether a host on your monitored network is likely to be compromised by malicious means. These correlations appear, associated with the host, as indications of compromise (IOC). You can mark a host IOC as resolved, which removes that IOC tag from the host. A host can trigger multiple IOC tags; you can view