Cisco FirePOWER Appliance 8390
FireSIGHT System User Guide
Chapter 36 Using the Network Map
The system uses data from multiple sources to determine a host’s compromised status, including
intrusion events, Security Intelligence, and FireAMP.
From the indications of compromise network map, you can view the host profile of each host determined
to have been compromised in a specific way. You can also delete (mark as resolved) any IOC category
or any specific host, which removes the IOC tag from the relevant hosts. For example, you can delete an
IOC category from the network map if you have determined that the issue is addressed and unlikely to
recur.
Marking a host or IOC category resolved from the network map does not remove it from your network.
A resolved host or IOC category reappears in the network map if your system newly detects information
that triggers that IOC.
To view the indications of compromise network map:
Access:
Admin/Any Security Analyst
Step 1 Select Analysis > Hosts > Network Map > Indications of Compromise.
The indications of compromise network map appears.
Step 2 Click the specific IOC category you want to investigate.
For example, if you want to view hosts on which malware was detected, click Malware Detected.
To filter by IP or MAC addresses, type an address in the search field. To clear the search, click the clear
icon.
Step 3 Drill down to a specific IP address under the IOC category you selected. Each address or partial
address is a link to the next level.
The host profile of the compromised host appears with the indications of compromise section expanded.
For more information about the IOC section of the host profile, see .
Step 4 Optionally, to mark any IOC category, compromised host, or group of compromised hosts resolved,
click the delete icon next to the element you want to resolve, then confirm that you want to resolve it.
The category or host is resolved (IOC tags removed). If the IOC is triggered again, it is re-added to the
network map.
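The resolve and re-trigger behaviour described in this procedure, modelled as an added example (this is not FireSIGHT code, and the event-to-category mapping and the category labels other than Malware Detected are assumptions made for illustration). Hosts are tagged per IOC category from several event sources, a host or a whole category can be marked resolved, and a new triggering event re-adds the tag; the search-field filter by IP prefix is modelled as well.

```python
"""Constructed model of the indications-of-compromise (IOC) network map.

Not FireSIGHT's implementation: the category labels (except "Malware Detected")
and the (source, event kind) -> category mapping are hypothetical.
"""
from collections import defaultdict

# Hypothetical mapping from an event source and kind to an IOC category label.
CATEGORY_FOR = {
    ("fireamp", "malware"): "Malware Detected",
    ("intrusion", "cnc"): "CnC Connected",                            # hypothetical label
    ("security_intelligence", "blacklist"): "Security Intelligence Event",  # hypothetical label
}


class IocMap:
    """category label -> set of host IP addresses currently tagged with that IOC."""

    def __init__(self):
        self.tags = defaultdict(set)

    def ingest(self, source, kind, host):
        """Tag a host from an event; returns the category, or None if the event is not an IOC."""
        category = CATEGORY_FOR.get((source, kind))
        if category is None:
            return None
        self.tags[category].add(host)
        return category

    def hosts(self, category, search=""):
        """Hosts under a category, filtered by IP prefix like the map's search field."""
        return sorted(h for h in self.tags.get(category, set()) if h.startswith(search))

    def categories(self):
        """Categories that currently have at least one tagged host."""
        return sorted(self.tags)

    def resolve_category(self, category):
        """Mark a whole category resolved; returns how many host tags were removed."""
        return len(self.tags.pop(category, set()))

    def resolve_host(self, host):
        """Mark one host resolved in every category; returns how many tags were removed.
        A category left with no hosts disappears from the map."""
        removed = 0
        for category in list(self.tags):
            if host in self.tags[category]:
                self.tags[category].discard(host)
                removed += 1
            if not self.tags[category]:
                del self.tags[category]
        return removed


def demo():
    """Walk through the procedure on constructed events and return each intermediate state."""
    m = IocMap()
    events = [  # constructed sample events
        ("fireamp", "malware", "10.1.1.5"),
        ("intrusion", "cnc", "10.1.1.5"),
        ("fireamp", "malware", "10.1.2.9"),
        ("security_intelligence", "blacklist", "192.168.3.3"),
        ("intrusion", "portscan", "10.1.4.4"),  # not mapped to an IOC category: ignored
    ]
    for event in events:
        m.ingest(*event)

    out = {}
    out["malware_hosts"] = m.hosts("Malware Detected")
    out["malware_search"] = m.hosts("Malware Detected", search="10.1.1")
    # Resolve one host: its tags in every category go away.
    out["tags_removed_for_host"] = m.resolve_host("10.1.1.5")
    out["categories_after_host_resolve"] = m.categories()
    # Resolve a whole category.
    out["tags_removed_for_category"] = m.resolve_category("Malware Detected")
    out["categories_after_category_resolve"] = m.categories()
    # Resolving does not stop detection: a new triggering event re-adds the tag.
    m.ingest("fireamp", "malware", "10.1.2.9")
    out["malware_hosts_after_retrigger"] = m.hosts("Malware Detected")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Resolving a tag is bookkeeping on the map, not remediation: the model (like the product) re-tags a host the moment a qualifying event arrives again, which is why resolving without fixing the underlying host only hides it until the next detection.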
Working with the Mobile Devices Network Map
License:
FireSIGHT
Use the mobile devices network map to view mobile devices attached to your network, and to drill down
to the host profiles for those devices. This network map view also provides a count of all unique mobile
devices detected by the system, regardless of whether the devices have one IP address or multiple IP
addresses.
The methods the system uses to distinguish mobile devices include:
•
analysis of user agent strings in HTTP traffic from the mobile device’s mobile browser
•
monitoring of HTTP traffic of specific mobile applications
If you create a custom topology for your network, the labels you assign to your subnets appear in the
mobile devices network map.
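The two detection methods listed above (mobile-browser user agent strings and the HTTP traffic of specific mobile applications) and the unique-device count, as an added example that is not FireSIGHT's own code. The user agent signatures are assumptions for illustration, and the example identifies a device by its MAC address (an assumption; the page only says that the count is per device rather than per IP address), so one device that has used several IP addresses is counted once.

```python
"""Constructed example: identify mobile devices from HTTP User-Agent strings and
count unique devices across multiple IP addresses. Not FireSIGHT code; the
signatures below are hypothetical and deliberately small.
"""
import re

# Hypothetical mobile-browser markers (method 1: browser user agent strings).
MOBILE_BROWSER_RE = re.compile(r"\b(iPhone|iPad|iPod|Windows Phone|BlackBerry)\b|Android.*\bMobile\b")
# Hypothetical signatures for specific mobile applications (method 2: app traffic).
MOBILE_APP_RE = re.compile(r"Instagram \d|FBAN/|Twitter-iPhone/")


def platform_of(user_agent):
    """Coarse platform label derived from the User-Agent string."""
    if re.search(r"iPhone|iPad|iPod", user_agent):
        return "iOS"
    if "Android" in user_agent:
        return "Android"
    if "Windows Phone" in user_agent:
        return "Windows Phone"
    return "unknown"


def classify_user_agent(user_agent):
    """Return {'method': 'app'|'browser', 'platform': ...} for a mobile device, else None."""
    if MOBILE_APP_RE.search(user_agent):
        return {"method": "app", "platform": platform_of(user_agent)}
    if MOBILE_BROWSER_RE.search(user_agent):
        return {"method": "browser", "platform": platform_of(user_agent)}
    return None


def count_unique_mobile_devices(records):
    """records: iterable of (mac, ip, user_agent) observed in HTTP traffic.
    Devices are keyed by MAC (assumption), so a device seen under several IPs
    counts once. Returns (count, {mac: {'ips', 'platform', 'methods'}})."""
    devices = {}
    for mac, ip, user_agent in records:
        hit = classify_user_agent(user_agent)
        if hit is None:
            continue
        entry = devices.setdefault(mac, {"ips": set(), "platform": hit["platform"], "methods": set()})
        entry["ips"].add(ip)
        entry["methods"].add(hit["method"])
    return len(devices), devices


# Constructed HTTP observations (mac, client ip, User-Agent); not real capture data.
SAMPLE_REQUESTS = [
    ("aa:bb:cc:00:00:01", "10.0.0.11",
     "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 "
     "(KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53"),
    ("aa:bb:cc:00:00:02", "10.0.0.12",
     "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 "
     "(KHTML, like Gecko) Chrome/33.0.1750.136 Mobile Safari/537.36"),
    ("aa:bb:cc:00:00:03", "10.0.0.13",
     "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/35.0.1916.153 Safari/537.36"),
    # Same iPhone as the first record after a new DHCP lease: must not count twice.
    ("aa:bb:cc:00:00:01", "10.0.0.14",
     "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 "
     "(KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53"),
    # Mobile application traffic rather than a browser.
    ("aa:bb:cc:00:00:04", "10.0.0.15",
     "Instagram 6.1.0 Android (19/4.4.2; 480dpi; 1080x1920; LGE; Nexus 5; hammerhead; en_US)"),
    ("aa:bb:cc:00:00:05", "10.0.0.16", "curl/7.37.0"),
]


if __name__ == "__main__":
    total, seen = count_unique_mobile_devices(SAMPLE_REQUESTS)
    print(f"unique mobile devices: {total}")
    for mac, info in sorted(seen.items()):
        print(mac, info["platform"], sorted(info["methods"]), sorted(info["ips"]))
```

The User-Agent header is set by the client, so this kind of identification is a fingerprint, not an authenticated attribute: a device can present a desktop user agent to stay out of the mobile devices map, and a script can present a phone's user agent to appear in it. Treat the map as inventory, and corroborate with MAC, DHCP or other host-profile data before acting on it.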