Cisco Firepower Management Center 2000
38-31
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Working with Indications of Compromise
Viewing Indications of Compromise
License:
FireSIGHT
You can use the Defense Center to view a table of triggered Indications of Compromise (IOC). Then,
you can manipulate the event view depending on the information you are looking for.
The page you see when you access IOC depends on the workflow you use. Both predefined IOC workflows terminate in a host view, which contains a host profile for every host that meets your constraints. You can also create a custom workflow that displays only the information that matches your specific needs. For more information, see .
The following table describes some of the specific actions you can perform on an IOC workflow page. You can also perform the tasks described in the table.
To view indications of compromise:
Access: Admin/Any Security Analyst
Step 1 Select Analysis > Hosts > Indications of Compromise.
The first page of the default indications of compromise (IOC) workflow appears. To use a different workflow, including a custom workflow, click (switch workflow). For information on specifying a different default workflow, see .
Tip If you are using a custom workflow that does not include the IOC table view, click (switch workflow), then select Indications of Compromise.
Understanding the Indications of Compromise Table
License:
FireSIGHT
The FireSIGHT System correlates various types of event data associated with hosts to determine whether a host on your monitored network is likely to be compromised by malicious means. These correlations appear, associated with the host, as indications of compromise (IOC). You can mark a host IOC as resolved, which removes that IOC tag from the host. A host can trigger multiple IOC tags; you can view
Table 38-7 Indication of Compromise Actions

To... | You can...
learn more about the contents of the columns in the table | find more information in .
view the host profile for a compromised host | click the compromised host icon ( ) in the IP Address column.
mark selected IOC events resolved so they no longer appear in the list | select the check boxes next to the IOC events you want to edit, then click Mark Resolved. For more information, see .
view details of events that triggered the IOC | click the view icon ( ) in the First Seen or Last Seen columns.
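The paragraph above and Table 38-7 describe the semantics of the IOC table: several event types are correlated per host into IOC tags, one host can carry more than one tag, each tag has its own First Seen and Last Seen, and Mark Resolved removes only the selected tag from the host. The following Python model is an added example written for this page; it is not FireSIGHT code, and the event types, the rule names in IOC_RULES, and the sample event lines are constructed assumptions used only to illustrate how such a table is built and maintained.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample events, one per line: "<ISO timestamp>,<host IP>,<event type>".
# Made-up input for this example, not FireSIGHT output. Note the out-of-order
# 08:45 intrusion event for 10.0.0.5, which arrives after later events.
SAMPLE_EVENTS = """\
2014-03-01T09:00:00,10.0.0.5,malware_retrospective
2014-03-01T09:05:00,10.0.0.5,intrusion_impact1
2014-03-01T11:30:00,10.0.0.5,malware_retrospective
2014-03-01T08:45:00,10.0.0.5,intrusion_impact1
2014-03-01T10:00:00,10.0.0.9,connection_allowed
2014-03-01T10:10:00,10.0.0.7,intrusion_impact1
"""

# Hypothetical rule table: which event types raise which IOC tag on a host.
# The names are illustrative assumptions, not the product's IOC categories.
IOC_RULES: Dict[str, str] = {
    "malware_retrospective": "Malware Detected",
    "intrusion_impact1": "Impact 1 Attack",
}


@dataclass
class IocTag:
    first_seen: datetime
    last_seen: datetime
    event_count: int = 1


# host IP -> IOC tag name -> tag record
IocTable = Dict[str, Dict[str, IocTag]]


def parse_events(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse the constructed CSV-like event lines into (timestamp, ip, type)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, etype = line.split(",")
        rows.append((datetime.fromisoformat(ts), ip, etype))
    return rows


def correlate_iocs(events: List[Tuple[datetime, str, str]]) -> IocTable:
    """Fold host events into IOC tags. Events with no matching rule add no tag.
    Events may arrive out of order, so First/Last Seen use min/max, not arrival order."""
    table: IocTable = {}
    for ts, ip, etype in events:
        tag_name = IOC_RULES.get(etype)
        if tag_name is None:
            continue  # e.g. an ordinary allowed connection is not an IOC
        host_tags = table.setdefault(ip, {})
        tag = host_tags.get(tag_name)
        if tag is None:
            host_tags[tag_name] = IocTag(first_seen=ts, last_seen=ts)
        else:
            tag.first_seen = min(tag.first_seen, ts)
            tag.last_seen = max(tag.last_seen, ts)
            tag.event_count += 1
    return table


def mark_resolved(table: IocTable, ip: str, tag_name: str) -> bool:
    """Remove one IOC tag from a host, as Mark Resolved does. Other tags on the host
    remain; a host with no remaining tags drops out of the table. Returns False if
    the host did not carry that tag."""
    host_tags = table.get(ip)
    if not host_tags or tag_name not in host_tags:
        return False
    del host_tags[tag_name]
    if not host_tags:
        del table[ip]
    return True


def table_rows(table: IocTable) -> List[Tuple[str, str, str, str, int]]:
    """Flatten to (IP Address, IOC, First Seen, Last Seen, count), newest Last Seen first."""
    rows = [
        (ip, name, t.first_seen.isoformat(), t.last_seen.isoformat(), t.event_count)
        for ip, tags in table.items()
        for name, t in tags.items()
    ]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    ioc = correlate_iocs(parse_events(SAMPLE_EVENTS))
    for row in table_rows(ioc):
        print(row)
    mark_resolved(ioc, "10.0.0.5", "Malware Detected")
    print(table_rows(ioc))
```

The min/max handling in correlate_iocs is the part worth noticing: if you rebuild such a table from exported events, the First Seen column must reflect the earliest triggering event, not the first one you happened to process, otherwise the timeline you pivot on when clicking the view icon is wrong.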