https://community.cisco.com/t5/network-security/firepower-security-intelligence-question/m-p/3958175#M17956 Thanks Sheraz,<BR />I don't necessarily think the URL is malicious, but Talos thinks it is which causes a lot of IOC's every day for hosts on our network. I just blacklisted the URL(s) and the IOC's went away. Nobody has complained yet. That's probably going to be how I resolve this in the future. Blacklist and be done with it.<BR />Thanks! Wed, 13 Nov 2019 18:51:31 GMT -Sparrow- 2019-11-13T18:51:31Z https://community.cisco.com/t5/network-security/firepower-security-intelligence-question/m-p/3955105#M17924 <P>Hello,&nbsp;</P><P>I've noticed an increase in IOC's being triggered due to hosts attempting to access&nbsp;<A href="https://gogo.thepowerrangers.com" target="_blank" rel="noopener">hxxps://gogo.thepowerrangers.com</A>.</P><P>End users are obviously not trying to get to a power rangers site.&nbsp; It seems to be a URL redirect.&nbsp; Has anyone else found their FirePower SI blocking this site? It's happening multiple times a day and I'm unsure what's triggering this. Google is not my friend here.&nbsp;</P><P>&nbsp;</P><P>I had the same issue a few weeks ago with&nbsp;<A href="https://mv-s2s-dev.ngrok.io.&nbsp;" target="_blank" rel="noopener">hxxps://mv-s2s-dev.ngrok.io.&nbsp;</A> That URL has subsided for the time being.</P><P>&nbsp;</P><P>Thank you</P> Thu, 07 Nov 2019 20:42:01 GMT https://community.cisco.com/t5/network-security/firepower-security-intelligence-question/m-p/3955105#M17924 -Sparrow- 2019-11-07T20:42:01Z https://community.cisco.com/t5/network-security/firepower-security-intelligence-question/m-p/3956193#M17947 <P>To check the URL health go to <A href="https://www.brightcloud.com/tools/url-ip-lookup.php" target="_blank">https://www.brightcloud.com/tools/url-ip-lookup.php</A> check firepower url engine use the statistics from this engine.</P><P>now coming back to your point. if you think this url is malicious and you need to block the rule <A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Access_Control_Rules__URL_Filtering.html" target="_self">here</A>&nbsp;</P> Sat, 09 Nov 2019 21:44:09 GMT https://community.cisco.com/t5/network-security/firepower-security-intelligence-question/m-p/3956193#M17947 Sheraz.Salim 2019-11-09T21:44:09Z https://community.cisco.com/t5/network-security/firepower-security-intelligence-question/m-p/3958175#M17956 Thanks Sheraz,<BR />I don't necessarily think the URL is malicious, but Talos thinks it is which causes a lot of IOC's every day for hosts on our network. I just blacklisted the URL(s) and the IOC's went away. Nobody has complained yet. That's probably going to be how I resolve this in the future. Blacklist and be done with it.<BR />Thanks! Wed, 13 Nov 2019 18:51:31 GMT https://community.cisco.com/t5/network-security/firepower-security-intelligence-question/m-p/3958175#M17956 -Sparrow- 2019-11-13T18:51:31Z https://community.cisco.com/t5/network-security/firepower-security-intelligence-question/m-p/3958193#M17968 <P>Yes, you can always utilize the white/blacklist in such situations. Also, just to mention, you can always submit a dispute directly to TALOS through the following link:</P> <P><A href="https://talosintelligence.com/reputation_center/support" target="_blank">https://talosintelligence.com/reputation_center/support</A></P> <P><EM>Thank you for rating helpful posts!</EM></P> Wed, 13 Nov 2019 19:14:06 GMT https://community.cisco.com/t5/network-security/firepower-security-intelligence-question/m-p/3958193#M17968 nspasov 2019-11-13T19:14:06Z