Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide, page 38-30
Chapter 38 Working with Discovery Events
Tip: To search the database for a different kind of event, select it from the Table drop-down list.
Step 3 Optionally, if you want to save the search, enter a name for the search in the Name field. If you do not enter a name, the Defense Center automatically creates one when you save the search.
Step 4 Enter your search criteria in the appropriate fields, as described in . If you enter multiple criteria, the Defense Center returns only the records that match all the criteria. Click the add icon that appears next to a search field to use an object as a search criterion.
Step 5 If you want to save the search so that other users can access it, clear the Save As Private check box. Otherwise, leave the check box selected to save the search so that only you can use it.
Tip: If you want to save a search as a restriction for custom user roles with restricted privileges, you must save it as a private search.
Step 6 You have the following options:
• Click Search to start the search. Your search results appear in the default host attributes workflow. To use a different workflow, including a custom workflow, click the switch workflow icon. For information on specifying a different default workflow, see .
• Click Save if you are modifying an existing search and want to save your changes.
• Click Save as New Search to save the search criteria. The search is saved (and associated with your user account if you selected Save As Private), so that you can run it at a later time.
Working with Indications of Compromise
License: FireSIGHT
The FireSIGHT System correlates various types of data (intrusion events, Security Intelligence, connection events, and file or malware events) associated with hosts to determine whether a host on your monitored network is likely to be compromised by malicious means. Certain combinations and frequencies of event data trigger indications of compromise (IOC) tags on affected hosts. IOC-tagged host IP addresses appear in event views with a special compromised host icon; you also can write compliance rules that account for IOC-tagged hosts.
To use this feature, you must have IOC rules enabled in your network discovery policy. You can enable any or all of the predefined rules to trigger IOC tags on compromised hosts. For more information, see .
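As an added illustration of the correlation described above (example code written for this page, not the FireSIGHT System's own IOC engine or its predefined rules): a small Python correlator that groups constructed sample events by host and applies four assumed rules, one for each kind of trigger the text mentions. A single high-impact intrusion event, a malware event, a frequency threshold on Security Intelligence connection events, and a combination (an intrusion event followed shortly by a Security Intelligence hit). The rule names, event field names, thresholds, and sample events are all assumptions made for this example. The `enabled` parameter mirrors the requirement that IOC rules be enabled in the network discovery policy before any host can be tagged.

```python
"""Toy IOC correlation over per-host events (added example, not FireSIGHT code).

Event fields ("type", "host", "impact", "si_category", "disposition") and the
rule names below are assumptions for this example, not the FireSIGHT schema
or its predefined IOC rules.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (ISO timestamps, one monitored host per event).
SAMPLE_EVENTS = [
    {"ts": "2014-05-01T10:00:00", "type": "intrusion", "host": "10.1.1.5", "impact": 1},
    {"ts": "2014-05-01T10:00:30", "type": "connection", "host": "10.1.1.5", "si_category": "CnC"},
    {"ts": "2014-05-01T10:01:00", "type": "connection", "host": "10.1.1.5", "si_category": "CnC"},
    {"ts": "2014-05-01T10:01:30", "type": "connection", "host": "10.1.1.5", "si_category": "CnC"},
    {"ts": "2014-05-01T11:00:00", "type": "malware", "host": "10.1.1.9", "disposition": "malware"},
    {"ts": "2014-05-01T11:05:00", "type": "intrusion", "host": "10.1.1.20", "impact": 3},
    {"ts": "2014-05-01T09:00:00", "type": "connection", "host": "10.1.1.30", "si_category": "CnC"},
    {"ts": "2014-05-01T12:00:00", "type": "connection", "host": "10.1.1.30", "si_category": "CnC"},
]


def _group_by_host(events):
    """Parse timestamps and return {host: [events sorted by time]}."""
    by_host = defaultdict(list)
    for e in events:
        ev = dict(e)
        ev["ts"] = datetime.fromisoformat(e["ts"])
        by_host[ev["host"]].append(ev)
    for evs in by_host.values():
        evs.sort(key=lambda ev: ev["ts"])
    return by_host


def rule_single(event_type, predicate):
    """Rule factory: one matching event on the host is enough to tag it."""
    def rule(evs):
        return any(ev["type"] == event_type and predicate(ev) for ev in evs)
    return rule


def rule_frequency(event_type, predicate, count, window):
    """Rule factory: at least `count` matching events inside any `window`."""
    def rule(evs):
        ts = [ev["ts"] for ev in evs if ev["type"] == event_type and predicate(ev)]
        # Events are time-sorted, so a sliding window of `count` consecutive hits suffices.
        return any(ts[i + count - 1] - ts[i] <= window for i in range(len(ts) - count + 1))
    return rule


def rule_sequence(first_type, first_pred, second_type, second_pred, within):
    """Rule factory: a matching first event followed by a matching second one inside `within`."""
    def rule(evs):
        for i, a in enumerate(evs):
            if a["type"] != first_type or not first_pred(a):
                continue
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > within:
                    break  # sorted, so nothing later can be inside the window
                if b["type"] == second_type and second_pred(b):
                    return True
        return False
    return rule


# Assumed rule set: names and thresholds are hypothetical, chosen for the example.
IOC_RULES = {
    "impact1_attack": rule_single("intrusion", lambda ev: ev.get("impact") == 1),
    "malware_detected": rule_single("malware", lambda ev: ev.get("disposition") == "malware"),
    "cnc_beaconing": rule_frequency(
        "connection", lambda ev: ev.get("si_category") == "CnC", 3, timedelta(minutes=10)),
    "exploit_then_cnc": rule_sequence(
        "intrusion", lambda ev: ev.get("impact", 9) <= 2,
        "connection", lambda ev: ev.get("si_category") == "CnC", timedelta(minutes=5)),
}


def tag_hosts(events, enabled=frozenset(IOC_RULES)):
    """Return {host_ip: set(of IOC tag names)} for hosts that trip an enabled rule."""
    tags = {}
    for host, evs in _group_by_host(events).items():
        hits = {name for name, rule in IOC_RULES.items() if name in enabled and rule(evs)}
        if hits:
            tags[host] = hits
    return tags


if __name__ == "__main__":
    for host, hits in sorted(tag_hosts(SAMPLE_EVENTS).items()):
        print(f"[compromised] {host}: {', '.join(sorted(hits))}")
```

Running `tag_hosts(SAMPLE_EVENTS)` tags 10.1.1.5 with three IOCs and 10.1.1.9 with one; 10.1.1.20 (a single impact 3 intrusion event) and 10.1.1.30 (two CnC connections hours apart) are not tagged, which is the distinction between an isolated event and the combinations and frequencies the text says drive tagging. Passing `enabled={"malware_detected"}` leaves only 10.1.1.9 tagged, and an empty `enabled` set tags nothing, as with no IOC rules enabled in the discovery policy.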
See the following sections for detailed information about indications of compromise: