Cisco FirePOWER Appliance 8360
FireSIGHT System User Guide
Chapter 27 Using the FireSIGHT System as a Compliance Tool
Understanding Compliance White Lists
Because the system creates a host attribute for each host that indicates whether it is in compliance with
any white lists you create, you can obtain an at-a-glance summary of the compliance of your network.
In just a few seconds, you can determine exactly which hosts in your organization are running HTTP in
violation of your policy, and take appropriate action.
Then, using the correlation feature, you can configure the system to alert you whenever a host that is not
in your web farm starts running HTTP.
In addition, the system allows you to use host profiles to determine whether an individual host is
violating any of the white lists you have configured, and in which way it is violating the white list. The
FireSIGHT System also includes workflows that allow you to view each of the individual white list
violations, as well as the number of violations per host.
Finally, you can use the dashboard to monitor recent system-wide compliance activity, including white
list events and summary views of the overall white list compliance of your network.
For more information on creating and managing compliance white lists and on interpreting white list
events and violations, see the following sections:
•
•
•
•
•
•
In addition, see the following chapters and sections for more information:
• explains how to create and configure correlation policies that include compliance white lists, and explains how to assign responses and priorities to the white lists.
• explains how to use a host’s profile to determine whether it is violating any white lists.
• explains how to obtain an at-a-glance view of your current system status, including white list compliance activity.
Understanding Compliance White Lists
License: FireSIGHT
A compliance white list is a set of criteria that specify the operating systems, clients, application
protocols, web applications, and protocols that are allowed to run on your network. You can create
custom white lists that meet your specific needs, or you can use the default white list created by the VRT
that contains recommended settings.
Custom white list criteria can be simple; you can specify that only hosts running a certain operating
system are allowed. Your criteria can also be complex; you can specify that while all operating systems
are allowed, only hosts running a certain operating system are allowed to run a certain application
protocol on a specific port.
White lists comprise two main parts: targets and host profiles. The targets are the specific hosts that are
evaluated by the white list, while the host profiles specify the operating systems, clients, application
protocols, web applications, and protocols that are allowed to run on the targets.
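The target and host-profile evaluation just described, as an added Python illustration that is not Cisco's code or the system's actual algorithm: it models a white list whose target is a constructed web farm subnet, evaluates constructed host records against the OS-specific and any-OS host profiles, and derives a per-host compliance attribute together with the list of violations. Names such as `WEB_FARM_LIST`, `evaluate_host` and the `ANY_OS` profile key are assumptions.

```python
import ipaddress
# Constructed model of a compliance white list (an added illustration, not
# Cisco's implementation): targets are the hosts the list evaluates; host
# profiles say which OS, application protocols (on ports) and clients a target
# may run. A profile keyed ANY_OS applies to every OS and is unioned with the
# host's OS-specific profile when deciding what that host is allowed to run.
ANY_OS = "any"

def host_is_target(white_list, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in white_list["targets"])

def evaluate_host(white_list, host):
    """Violations for one target host; an empty list means compliant."""
    profiles = white_list["profiles"]
    os_profile = profiles.get(host["os"])
    if os_profile is None and ANY_OS not in profiles:
        return [("os", host["os"])]  # the operating system itself is not allowed
    allowed_protocols, allowed_clients = set(), set()
    for profile in (profiles.get(ANY_OS), os_profile):
        if profile:
            allowed_protocols |= profile.get("app_protocols", set())
            allowed_clients |= profile.get("clients", set())
    violations = [("app_protocol", f"{p}/{port}") for p, port in sorted(host["app_protocols"])
                  if (p, port) not in allowed_protocols]
    violations += [("client", c) for c in sorted(host["clients"]) if c not in allowed_clients]
    return violations

def compliance_report(white_list, hosts):
    """Map each host IP to its white-list host attribute and its violations."""
    report = {}
    for host in hosts:
        if not host_is_target(white_list, host["ip"]):
            report[host["ip"]] = ("Not Evaluated", [])  # outside the list's targets
            continue
        violations = evaluate_host(white_list, host)
        report[host["ip"]] = ("Compliant" if not violations else "Non-Compliant", violations)
    return report

# Constructed sample: the web farm subnet is the target; any OS may run SSH,
# but only Linux hosts may serve HTTP and HTTPS.
WEB_FARM_LIST = {
    "targets": [ipaddress.ip_network("10.0.1.0/24")],
    "profiles": {ANY_OS: {"app_protocols": {("SSH", 22)}, "clients": {"SSH client"}},
                 "Linux": {"app_protocols": {("HTTP", 80), ("HTTPS", 443)}}},
}
HOSTS = [  # constructed host records, as network discovery might report them
    {"ip": "10.0.1.10", "os": "Linux", "app_protocols": {("HTTP", 80), ("SSH", 22)}, "clients": set()},
    {"ip": "10.0.1.11", "os": "Windows", "app_protocols": {("HTTP", 80)}, "clients": {"Chrome"}},
    {"ip": "10.0.2.5", "os": "Windows", "app_protocols": {("HTTP", 80)}, "clients": set()},
]
```

Feeding `compliance_report(WEB_FARM_LIST, HOSTS)` into a correlation-style rule that fires on every host whose attribute flips to Non-Compliant is the alerting pattern the chapter describes.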