02-23-2017 08:38 PM - edited 02-20-2020 09:03 PM
03-03-2017 05:45 AM
Hi Evgeniy,
I will try to answer first part of your questions.
The Indications Of Compromise are a correlation of data which collect information in simple if..else template, that may indicate a compromised client. That means infected with some known or unknown malware.
This IOC is based on openioc.com framework. Either you or Cisco can build up some usefull IOC templates to be ready to deploy in the system through AMP scan on a daily basis.
David
03-03-2017 06:07 AM
What you want to achive is to have a catalogue. This is build up on full scan. Based of artifacts, where is taken from locations such as registry, system32 and memory.
Also an important note, this is resource intensive, endpoint with a large files will take hours/days to finish.
The added value from this results in events, which you can take an action of. If we talk about unknown malware, you are interested which workstations have such symptoms/files/behaviour.
To download Sample Cisco Endpoint IOC documents please open a support ticket.
I hope this answers your questions.
David
03-03-2017 07:35 AM
Evgeniy - In addition to djanulik's reply, if you have the demo data turned on in your console, the CozyDuke and PlugX stories give you some hands on training for IOCs. Both end with you loading a pre-built IOC into AMP. Cisco has published some sample IOCs here: https://docs.amp.cisco.com/Cisco%20Endpoint%20IOC%20Attributes.pdf
If you want to build your own IOCs, there are many tools on the web to assist with this. Personally, I like this one: https://www.iocbucket.com/openioceditor, because it's fully web based, and I found the user interface to be very intuitive.
Back to your original question, to my knowledge, if an IOC is matched, AMP does not take action other than to raise an alert. As djanulik pointed out, and IOC is essentially nothing more than a search criteria that you can instruct AMP to alert you on when the criteria is matched. Now, if AMP determines that files that are associated with an IOC are otherwise malicious (using the ETHOS or SPERO engines), it will take the configured action against those files. If you take a look at the demo story for Demo_Command_Line_Arguments_Meterperter, while reviewing the Device Trajectory you'll see where they used CLI analysis to determine an IOC event had occurred on the endpoint. You'll also see that AMP only alerted on the IOC at the time that it occurred.
Hope this helps!
09-17-2018 01:32 AM
Hi Guys,
Thanks for the explanation . I had a quick query on this.
I made a IOC using Mandiant software which had couple of MD5 hashes. the query i had is do we need to scan the systems regularly to get the system who has those MD5 or can i get those alert as they are seen.
I do not want to run endpoint scan for IOCs. Just want to get alerted as soon as we see those hashes in the enviroment.
Regards
Vaibhav
09-17-2018 04:50 AM
Currently, any uploaded IOC would require a scan be run on the endpoint for the IOC to be triggered.
However, since you are only matching on specific MD5s you could potentially convert the IOC to match using an Advanced Custom Detection. The only caveat is that you would need to create this ACD logic yourself to ensure the correct results.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide