03-13-2017 06:52 AM - edited 02-21-2020 06:02 AM
I frequently see devices listed in "Indications of Compromise by Host"
When I drill down to see what the issue is, it's usually "The host may connect to a phishing URL" or "Malware Site".
When I drill down further to the events that triggered the IOC, the Action and Reason are always "Block" or "URL Block" or "File Block".
This confuses me. Was the computer compromised, or was the event blocked?
And if the event was blocked, why did it trigger an IOC?
Do I need to reconfigure something?
Thanks for your help.
Lee
03-13-2017 08:14 AM
Say an on-premises user logs into his or her cloud-based personal email account and clicks a link in a phishing email. (Assuming here your corporate email is already protected by an ESA and no phishing email ever arrives there.) The target domain is found to be on the blacklist or to have a very poor reputation (part of the Cisco Security Intelligence feed) at the sensor, and the connection is blocked.
So there was an IOC (user clicked a link) but the sensor worked as designed and blocked it.
No further action is required there. If the same user shows up in the top 10 day after day, a visit to their desk may be in order.
There is a less likely possibility that the computer itself may be compromised by malware and is trying to send local user data back to a phishing server.
03-14-2017 07:07 AM
That was an excellent explanation.
Thank you.
04-04-2020 04:28 AM
@Marvin Rhoads wrote: Say an on-premises user logs into his or her cloud-based personal email account and clicks a link in a phishing email. (Assuming here your corporate email is already protected by an ESA and no phishing email ever arrives there.) The target domain is found to be on the blacklist or to have a very poor reputation (part of the Cisco Security Intelligence feed) at the sensor, and the connection is blocked.
So there was an IOC (user clicked a link) but the sensor worked as designed and blocked it.
No further action is required there. If the same user shows up in the top 10 day after day, a visit to their desk may be in order.
There is a less likely possibility that the computer itself may be compromised by malware and is trying to send local user data back to a phishing server.
Is there any way to find the URL that caused the flag when this happens?
04-04-2020 07:27 AM
kguillory@nocp.org look under:
Analysis > Security Intelligence Events > Table View of Events. Filter on the IP address of the endpoint in question.
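The triage logic the two answers above describe (a Block action means the sensor did its job; a host that keeps showing up day after day deserves a desk visit; and the flagged URL is visible in the Security Intelligence Events table view) can be scripted against an export of that table. The following is an added example, not Cisco's or the forum posters' code; the column names and event rows are constructed and do not reflect an actual FMC export format.

```python
"""Triage Firepower Security Intelligence events exported from
Analysis > Security Intelligence Events > Table View of Events.
Added example, not Cisco's code; columns and rows below are constructed."""
from collections import defaultdict
import csv
import io

# Constructed sample export, one SI event per row.
SAMPLE_EXPORT = """\
time,host,action,reason,category,url
2017-03-13 06:10,10.1.1.20,Block,URL Block,Phishing,http://phish.invalid/login
2017-03-13 11:42,10.1.1.20,Block,URL Block,Phishing,http://phish.invalid/verify
2017-03-14 08:05,10.1.1.20,Block,URL Block,Phishing,http://phish.invalid/login
2017-03-14 09:30,10.1.1.31,Block,URL Block,Malware,http://mal.invalid/a.exe
2017-03-14 09:31,10.1.1.31,Allow,Monitor,Malware,http://mal.invalid/b.exe
2017-03-15 07:15,10.1.1.20,Block,URL Block,Phishing,http://phish.invalid/login
"""

def parse_events(text):
    return list(csv.DictReader(io.StringIO(text)))

def triage(events, repeat_days=3):
    """Per-host verdict plus the URLs that raised the IOC.
    blocked     - only Block actions: sensor did its job, no action needed
    repeat      - blocked, but seen on >= repeat_days distinct days
                  (the 'visit their desk' case)
    investigate - at least one non-Block action, connection may have completed"""
    days, urls, unblocked = defaultdict(set), defaultdict(set), defaultdict(int)
    for e in events:
        host = e["host"]
        days[host].add(e["time"].split(" ")[0])
        urls[host].add(e["url"])
        if e["action"] != "Block":
            unblocked[host] += 1
    verdicts = {}
    for host in days:
        if unblocked[host]:
            verdict = "investigate"
        elif len(days[host]) >= repeat_days:
            verdict = "repeat"
        else:
            verdict = "blocked"
        verdicts[host] = {"verdict": verdict, "days": len(days[host]),
                          "urls": sorted(urls[host])}
    return verdicts

if __name__ == "__main__":
    for host, v in triage(parse_events(SAMPLE_EXPORT)).items():
        print(host, v["verdict"], v["days"], v["urls"])
```

With the sample data, 10.1.1.20 is a repeat visitor whose connections were all blocked, while 10.1.1.31 has one non-blocked hit and is the case where the endpoint itself should be checked.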
04-04-2020 07:38 AM
Thanks for your prompt response. Stay safe.