Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 38: Working with Discovery Events
Working with Indications of Compromise
all IOC tags associated with a host in the Indications of Compromise section of the host profile. For more information on IOC data in the host profile, see .

The fields in the IOC table are described below.

IP Address
    The IP address associated with the host that triggered the IOC.

Category
    Brief description of the type of compromise indicated, such as Malware Executed or Impact 1 Attack.

Event Type
    Identifier associated with a specific Indication of Compromise (IOC), referring to the event that triggered it.

Description
    Description of what the IOC means for the potentially compromised host, such as "This host may be under remote control" or "Malware has been executed on this host".

First/Last Seen
    The first (or most recent) date and time that events triggering a host's IOC occurred.
Searching for Indications of Compromise

License: FireSIGHT

You can search for specific indications of compromise (IOC) tags triggered on monitored hosts by using one of the predefined searches or by using your own search criteria. The predefined searches serve as examples and can provide quick access to important information about your network.

You may want to modify specific fields within the default searches to customize them for your network environment, then save them to reuse later. The fields you can use to retrieve data are described in .
General Search Syntax

The system displays examples of valid syntax next to each search field. When entering search criteria, keep the following points in mind:

  • All fields accept negation (!).
  • All fields accept comma-separated lists. If you enter multiple criteria, the search returns only the records that match all the criteria.
  • Many fields accept one or more asterisks (*) as wild cards.
  • For some fields, you can specify n/a or blank in the field to identify events where information is not available for that field; use !n/a or !blank to identify the events where that field is populated.
  • Most fields are case-insensitive.
  • IP addresses may be specified using CIDR notation. For information on entering IPv4 and IPv6 addresses in the FireSIGHT System, see .
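The following Python script is an added example, not code from the FireSIGHT System or Cisco, that models the search rules listed above (negation with !, comma-separated lists, asterisk wild cards, n/a and blank, case-insensitive matching, CIDR notation for IP fields) and runs them over a handful of constructed IOC table rows. Two details are assumptions made here rather than statements from the guide: the column names (ip_address, category, event_type, description) and the reading that a comma-separated list within a single field matches a row when any listed value matches, while criteria in different fields are combined with AND, as the guide states. The sample rows are constructed for illustration and do not come from any real deployment.

```python
"""Model of the IOC search syntax described in the FireSIGHT guide (added example)."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample IOC rows; column names are an assumption of this example.
IOC_ROWS: List[Dict[str, Optional[str]]] = [
    {"ip_address": "10.1.1.5", "category": "Malware Executed",
     "event_type": "Constructed Event A",
     "description": "Malware has been executed on this host"},
    {"ip_address": "10.1.2.20", "category": "Impact 1 Attack",
     "event_type": "Constructed Event B",
     "description": "This host may be under remote control"},
    {"ip_address": "192.168.7.9", "category": "Constructed Category",
     "event_type": None,  # no event identifier available for this row
     "description": "This host may be under remote control"},
]


def match_term(term: str, value: Optional[str], is_ip_field: bool) -> bool:
    """Match one search term (after splitting on commas) against one cell."""
    negate = term.startswith("!")          # leading ! negates the term
    if negate:
        term = term[1:]

    if term.lower() in ("n/a", "blank"):   # n/a or blank: the cell is empty
        hit = value is None or value == ""
    elif is_ip_field and "/" in term and value is not None:
        # CIDR notation on an IP field: does the cell address fall in the block?
        hit = ipaddress.ip_address(value) in ipaddress.ip_network(term, strict=False)
    elif value is None:
        hit = False                        # an empty cell never matches a literal term
    else:
        # Only * is a wild card; everything else is matched literally, ignoring case.
        pattern = ".*".join(re.escape(part) for part in term.split("*"))
        hit = re.fullmatch(pattern, value, re.IGNORECASE) is not None

    return hit != negate                   # apply the negation, if any


def match_field(row: Dict[str, Optional[str]], field: str, expr: str) -> bool:
    """A field expression is a comma-separated list; any listed term may match (assumption)."""
    terms = [t.strip() for t in expr.split(",") if t.strip()]
    return any(match_term(t, row.get(field), field == "ip_address") for t in terms)


def search(rows: List[Dict[str, Optional[str]]], criteria: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Criteria in different fields are ANDed: a row must satisfy every field expression."""
    return [row for row in rows if all(match_field(row, f, e) for f, e in criteria.items())]


def search_ips(criteria: Dict[str, str]) -> List[str]:
    """Convenience wrapper returning the IP addresses of matching sample rows."""
    return [str(row["ip_address"]) for row in search(IOC_ROWS, criteria)]


if __name__ == "__main__":
    print("case-insensitive:", search_ips({"category": "malware executed"}))
    print("CIDR block:      ", search_ips({"ip_address": "10.1.0.0/16"}))
    print("AND across fields:", search_ips({"ip_address": "10.1.0.0/16", "category": "!Malware*"}))
    print("empty event type:", search_ips({"event_type": "n/a"}))
    print("populated event: ", search_ips({"event_type": "!blank"}))
    print("wild card:       ", search_ips({"description": "*remote control*"}))
    print("list in a field: ", search_ips({"category": "Malware Executed, Impact 1 Attack"}))
```

Each branch of match_term corresponds to one bullet in the list above, so a change to one rule (for instance, restricting wild cards to the fields that support them) is a local edit. The CIDR branch is only taken for the IP column, which keeps a slash in a description or event type from being misread as a network.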