FireSIGHT System User Guide (Cisco FirePOWER Appliance 8360), Chapter 35: Introduction to Network Discovery, page 35-21

Understanding Indications of Compromise
• Adobe Reader Compromise — Adobe Reader launched shell
• Adobe Reader Compromise — PDF Compromise Detected by FireAMP
• CnC Connected — Suspected Botnet Detected by FireAMP
• Dropper Infection — Dropper Infection Detected by FireAMP
• Excel Compromise — Excel Compromise Detected by FireAMP
• Excel Compromise — Excel launched shell
• Java Compromise — Java Compromise Detected by FireAMP
• Java Compromise — Java launched shell
• Malware Detected — Threat Detected by FireAMP - Not Executed
• Malware Detected — Threat Detected in File Transfer
• Malware Executed — Threat Detected by FireAMP - Executed
• PowerPoint Compromise — PowerPoint Compromise Detected by FireAMP
• PowerPoint Compromise — PowerPoint launched shell
• QuickTime Compromise — QuickTime Compromise Detected by FireAMP
• QuickTime Compromise — QuickTime launched shell
• Word Compromise — Word Compromise Detected by FireAMP
• Word Compromise — Word launched shell
Intrusion Event IOC Types

License: FireSIGHT + Protection

The following IOC types are associated with intrusion events, which require a Protection license. For more information on viewing intrusion events and configuring intrusion detection and protection, see [cross-reference omitted] and [cross-reference omitted].
• CnC Connected — Intrusion Event - malware-backdoor
• CnC Connected — Intrusion Event - malware-cnc
• Exploit Kit — Intrusion Event - exploit-kit
• Impact 1 Attack — Impact 1 Intrusion Event - attempted-admin
• Impact 1 Attack — Impact 1 Intrusion Event - attempted-user
• Impact 1 Attack — Impact 1 Intrusion Event - successful-admin
• Impact 1 Attack — Impact 1 Intrusion Event - successful-user
• Impact 1 Attack — Impact 1 Intrusion Event - web-application-attack
• Impact 2 Attack — Impact 2 Intrusion Event - attempted-admin
• Impact 2 Attack — Impact 2 Intrusion Event - attempted-user
• Impact 2 Attack — Impact 2 Intrusion Event - successful-admin
• Impact 2 Attack — Impact 2 Intrusion Event - successful-user
• Impact 2 Attack — Impact 2 Intrusion Event - web-application-attack