12-05-2017 04:18 AM - edited 03-10-2019 01:17 PM
Hello,
On one of my hosts I see 3 threats:
1. Category=CnC Connected, Event Type=Intrusion Event - malware-cnc and Description= The host may be under remote control.
2. Category=Impact 2 Attack, Event Type= Impact 2 Intrusion Event - attempted-admin and Description= The host was attacked and is potentially vulnerable.
3. Category=Impact 2 Attack, Event Type= Impact 2 Intrusion Event - attempted-user and Description= The host was attacked and is potentially vulnerable.
My question: How can I know if this is a real attack or if the threat has been blocked?
04-25-2018 06:44 AM
Look at Connections and/or Intrusion Event Tables and filter on that host IP address. Then look at whether the connection was allowed or blocked.
02-21-2019 09:34 AM
I know this thread has some age, but I'm curious about your recommendation to "look at whether the connection was allowed or blocked." I'm still relatively new with the FMC, but I can easily look at connections and intrusion events using the host IP; however, that's going to give me a huge list of connections, with many allowed and many blocked. How can I relate any of those back to the logged intrusion event?
If it's reporting communication to a CnC, why doesn't it show the IP that triggered it?
I have to assume that if the device knows the target IP is a CnC server, that it would certainly block traffic to that host, but I've yet to find definitive evidence of that and feel like I need the IP in order to follow your recommendation.
02-21-2019 09:39 AM
A blocked connection to a CnC server should normally show up under Security Intelligence events. It should be relatively easy to filter down that table to show only the host that was reported in the Intrusion event.
If a given host has many different Blocked connections, it should be visited in person and remediated rather than trying to ascertain everything remotely from FMC.
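The two replies above both come down to the same triage step: filter the Connection and Security Intelligence tables to the host from the intrusion event and see whether the matching flow was allowed or blocked. The script below is an added example of that correlation on exported records, not code from this thread or from Cisco; the records are constructed, and the field names (`src`, `dst`, `dport`, `action`, `class`) are assumptions rather than FMC's exact column headers.

```python
from datetime import datetime, timedelta

# Constructed sample records, shaped like rows exported from the FMC event
# tables. Field names are assumptions, not FMC's real column headers.
INTRUSION = [
    {"time": "2019-02-21 09:00:05", "src": "10.1.1.25", "dst": "198.51.100.7",
     "dport": 443, "class": "malware-cnc"},
    {"time": "2019-02-21 09:10:00", "src": "203.0.113.9", "dst": "10.1.1.25",
     "dport": 22, "class": "attempted-admin"},
]
CONNECTIONS = [
    {"time": "2019-02-21 09:00:04", "src": "10.1.1.25", "dst": "198.51.100.7",
     "dport": 443, "action": "Block"},
    {"time": "2019-02-21 09:09:58", "src": "203.0.113.9", "dst": "10.1.1.25",
     "dport": 22, "action": "Allow"},
    {"time": "2019-02-21 08:30:00", "src": "10.1.1.25", "dst": "192.0.2.50",
     "dport": 80, "action": "Allow"},
]
SECURITY_INTEL = [  # Security Intelligence events: peer IP matched a CnC list
    {"time": "2019-02-21 09:00:04", "src": "10.1.1.25", "dst": "198.51.100.7",
     "category": "CnC", "action": "Block"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def _same_flow(a, b):
    # Match on the endpoints and destination port of the intrusion event.
    return (a["src"], a["dst"], a["dport"]) == (b["src"], b["dst"], b["dport"])

def triage(host_ip, intrusion=INTRUSION, connections=CONNECTIONS,
           si=SECURITY_INTEL, window=timedelta(seconds=30)):
    """For each intrusion event touching host_ip, find the connection event
    for the same flow within `window` and report its action, plus whether
    the peer IP appears in a Security Intelligence event."""
    results = []
    for ev in intrusion:
        if host_ip not in (ev["src"], ev["dst"]):
            continue
        peer = ev["dst"] if ev["src"] == host_ip else ev["src"]
        conn = [c for c in connections if _same_flow(c, ev)
                and abs(_ts(c["time"]) - _ts(ev["time"])) <= window]
        si_hit = [s for s in si if peer in (s["src"], s["dst"])]
        verdict = conn[0]["action"] if conn else "no matching connection"
        results.append({"class": ev["class"], "peer": peer,
                        "verdict": verdict, "si_blocked": bool(si_hit)})
    return results

if __name__ == "__main__":
    for r in triage("10.1.1.25"):
        print(r)
```

An "Allow" verdict only says the connection itself was not blocked; the intrusion event's own Inline Result column still tells you whether the IPS rule dropped the offending packet.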