Cisco Firepower Management Center 2000
FireSIGHT System User Guide 37-1
CHAPTER 37
Using Host Profiles
A host profile provides a complete view of all the information the system has gathered about a single
host. You can access general host information, such as the host name and operating system, through the
profile. If you need to quickly find the MAC address for a host, for example, you can look in the host
profile.
Host attributes for that host are also listed in the profile. Host attributes are user-defined descriptions
that you can apply to a host. For example, you might assign a host attribute that indicates the building
where the host is located. From a host profile, you can view the existing host attributes applied to that
host and can modify the host attribute values. As another example, you can use the host criticality
attribute to designate the business criticality of a given host and to tailor correlation policies and alerts
based on host criticality.
Host profiles also provide you with information about the servers, clients, and host protocols running on
a particular host, including whether they are in compliance with a compliance white list. You can remove
servers from the servers list and view details for those servers. You can also view connection events for
servers, which log information about the session in which the server traffic was detected. You can also view details
and connection events for clients, and delete servers, clients, or host protocols from the host profile.
If your FireSIGHT System deployment includes a FireSIGHT license, you can view indications of
compromise (IOC) in the host profile. These indications correlate various types of data (intrusion events,
Security Intelligence, connection events, and file or malware events) associated with hosts to determine
whether a host on your monitored network is likely to be compromised by malicious means. From the
host profile, you can see an overview of a host’s IOC tags, view the events associated with IOC, mark
IOC tags resolved, and edit IOC rule states in the discovery policy.
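The correlation described above, as an added illustration that is not code from the FireSIGHT product or this guide: a small Python model that groups events of the types the guide lists (intrusion, Security Intelligence, connection, file or malware events) by host, raises IOC tags on the host profile from a hypothetical rule table, honours disabled rule states, and lets an analyst mark a tag resolved. The event records, the rule-to-tag mapping, and the host addresses are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample events (not taken from the guide). Each record carries
# the event category that the guide names as an IOC data source.
SAMPLE_EVENTS = [
    {"type": "intrusion", "host": "10.0.0.5", "detail": "exploit kit signature"},
    {"type": "security_intelligence", "host": "10.0.0.5", "detail": "CnC list match"},
    {"type": "intrusion", "host": "10.0.0.5", "detail": "exploit kit signature"},
    {"type": "malware", "host": "10.0.0.9", "detail": "malware file event"},
    {"type": "connection", "host": "10.0.0.7", "detail": "ordinary web session"},
]

# Hypothetical IOC rules: event type -> IOC tag name. A plain connection event
# raises no tag by itself; it only contributes when Security Intelligence
# flags the session, which is represented here as its own event type.
IOC_RULES = {
    "intrusion": "Exploit Kit",
    "security_intelligence": "CnC Connected",
    "malware": "Malware Detected",
}


@dataclass
class IocTag:
    name: str
    sources: list = field(default_factory=list)  # event types that raised the tag
    resolved: bool = False


@dataclass
class HostProfile:
    ip: str
    ioc_tags: dict = field(default_factory=dict)  # tag name -> IocTag

    def unresolved_tags(self):
        """Names of IOC tags still open on this host, sorted for stable output."""
        return sorted(t.name for t in self.ioc_tags.values() if not t.resolved)

    def likely_compromised(self):
        """A host is flagged while at least one IOC tag remains unresolved."""
        return bool(self.unresolved_tags())

    def resolve(self, name):
        """Mark a tag resolved (the analyst action the guide describes)."""
        tag = self.ioc_tags[name]
        tag.resolved = True
        return tag


def correlate(events, rules=IOC_RULES, disabled_rules=()):
    """Build one HostProfile per host seen in the events and attach IOC tags.

    disabled_rules models IOC rules switched off in the discovery policy:
    events matching a disabled rule never raise its tag.
    """
    profiles = {}
    for ev in events:
        profile = profiles.setdefault(ev["host"], HostProfile(ev["host"]))
        tag_name = rules.get(ev["type"])
        if tag_name is None or tag_name in disabled_rules:
            continue
        tag = profile.ioc_tags.setdefault(tag_name, IocTag(tag_name))
        if ev["type"] not in tag.sources:
            tag.sources.append(ev["type"])
    return profiles


if __name__ == "__main__":
    for ip, profile in sorted(correlate(SAMPLE_EVENTS).items()):
        print(ip, "compromised" if profile.likely_compromised() else "clean",
              profile.unresolved_tags())
```

Running the script lists each host with its open tags; resolving a tag clears the host once no other tag remains open, and passing a tag name in disabled_rules shows the effect of turning that IOC rule off for the whole correlation pass.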
If your deployment includes a Protection license, you can tailor the way the system processes traffic so
it best fits the type of operating system on the host and the servers and clients the host is running. For
more information, see
You can also see user history information for a host if you have configured the system to track it. A
graphic representation of the last twenty-four hours of user activity is then available.
You can modify the list of vulnerabilities for the host from the host profile. You can use this capability
to track which vulnerabilities have been addressed for the host. You can also apply fixes for
vulnerabilities, causing all vulnerabilities addressed by the fix to be automatically marked invalid.
You can work with the vulnerability information generated by the Cisco system, and also use information
on vulnerabilities detected by third-party scanners, which you import onto the Defense Center using the
host input feature.
Optionally, you can perform an Nmap scan from the host profile, to augment the server and operating
system information in your host profile. The Nmap scanner actively probes the host to obtain
information about the operating system and servers running on the host. The results of the scan are added
to the list of operating system and server identities for the host.