Hosts - Indications of compromise

Lee Dress
Level 1

My firepower reports that there are indications of compromise on a few computers every day.

When I drill into the analysis, the malware event was blocked (with reset) by my policy. So the devices have not really been compromised.

Is there some way to set up the policy so that it doesn't tell me these devices have been compromised?

I spend quite a bit of time clearing this out now because they are just "hits" to a malware site, and not an actual connection or file download.

5 Replies

Rahul Govindan
VIP Alumni

What are the event types that are being detected? You can enable and disable specific IOC detection rules under Policy > Network Discovery > Advanced > Edit IOC settings.

For example, you can disable the rule that flags hosts with a malware-cnc event as IOC hosts. Also, there does not seem to be a way to edit or add new rules for IOC detection.

I am getting CnC Connected, but the connection is blocked when I drill into the analysis.

I'm also getting URL Malware, which is also blocked.

So you're saying it's safe to turn these off in IOC, and the rule will still protect the devices?

Your file or URL is blocked by the URL filtering or AMP engine policy. IOC detection just uses data from these engines to detect an IOC. The block action should be taken by the individual Engines themselves.
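As an added example (not code from the thread or from Cisco), the following script applies the point above to triage: an IOC entry is treated as already handled only when every underlying engine event for that host carried a blocking action, and hosts with any non-blocked event are surfaced first. The event records and their field names are constructed assumptions for illustration, not Firepower's export schema.

```python
"""Triage host IOC entries by the action the underlying engine took.

Added example, not Cisco's code.  The event dictionaries below are constructed
sample data; the field names (host, ioc_type, source, action) are assumptions,
not Firepower's real export format.  Adapt the loader to your own CSV/syslog
export before using this on real data.
"""
from collections import defaultdict

# Constructed sample events, one per engine event that produced an IOC.
SAMPLE_EVENTS = [
    # Host hit a CnC domain and a malware URL; both were blocked -> no compromise.
    {"host": "10.0.0.12", "ioc_type": "CnC Connected", "source": "malware-cnc",
     "action": "Block with reset"},
    {"host": "10.0.0.12", "ioc_type": "URL Malware", "source": "url-filtering",
     "action": "Block"},
    # Host reached a CnC server and the connection was allowed -> needs a look.
    {"host": "10.0.0.40", "ioc_type": "CnC Connected", "source": "malware-cnc",
     "action": "Allow"},
    # File event with no block action recorded -> treated as unresolved.
    {"host": "10.0.0.41", "ioc_type": "Malware Detected", "source": "amp",
     "action": "Malware Cloud Lookup"},
    # Missing action field (bad export line) -> fail safe, still reviewed.
    {"host": "10.0.0.42", "ioc_type": "CnC Connected", "source": "malware-cnc",
     "action": ""},
]


def is_blocked(action: str) -> bool:
    """Return True when the engine action is a blocking one.

    Assumption: blocking actions are reported as strings beginning with
    "Block" (e.g. "Block", "Block with reset").  Anything else, including an
    empty or unknown value, is treated as NOT blocked so it is reviewed rather
    than silently dismissed.
    """
    return (action or "").strip().lower().startswith("block")


def triage(events):
    """Group events per host and decide whether the host needs investigation.

    Returns {host: {"priority": ..., "total": n, "unblocked": [events]}}.
    priority is "investigate" if any event was not blocked, else "blocked-only".
    """
    per_host = defaultdict(list)
    for event in events:
        per_host[event["host"]].append(event)

    result = {}
    for host, host_events in per_host.items():
        unblocked = [e for e in host_events if not is_blocked(e["action"])]
        result[host] = {
            "priority": "investigate" if unblocked else "blocked-only",
            "total": len(host_events),
            "unblocked": unblocked,
        }
    return result


def hosts_to_investigate(events):
    """Sorted list of hosts with at least one non-blocked IOC source event."""
    verdicts = triage(events)
    return sorted(h for h, v in verdicts.items() if v["priority"] == "investigate")


def blocked_only_hosts(events):
    """Sorted list of hosts whose IOC entries were all backed by a block action."""
    verdicts = triage(events)
    return sorted(h for h, v in verdicts.items() if v["priority"] == "blocked-only")


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        line = f"{host}: {verdict['priority']} ({verdict['total']} event(s))"
        for e in verdict["unblocked"]:
            line += f"\n    - {e['ioc_type']} via {e['source']}: action={e['action']!r}"
        print(line)
```

Hosts in the "blocked-only" bucket are candidates for bulk clearing of the IOC flag, while the "investigate" list is where analyst time should go; an empty or unrecognised action is deliberately kept on the investigate side so a malformed export never hides a real allow.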

Hi Lee

I got a few CnC Connected but couldn't see the action taken against them.

Where do you see that the CnC Connected is blocked after drilling into the analysis?

I am also seeing CnC Connected under Analysis > Hosts > Indications of Compromise. We have several listed here, including my own IP address. I try to drill down into what I have installed, or the issue that these are reporting as an indication, but I can't seem to find any information.

Does anyone have any insight as to how to read these in order to correct the issue? The description only says "This host may be under remote control" with no other information. I want to know how, and how to fix it.
