Indication of Compromise Event actions???

keithcclark71
Level 3

Not being a security expert, what does one do when they see IOC events within FMC? What are the actions that are normally taken when these events are logged to determine their validity? I am still confused when I see events like the one in the attached file about how to proceed to evaluate or determine the threat level, as to whether I need to format this person's PC or report this event, etc. How do you guys take action upon these events (what would you actually do here?)


Thanks

3 Replies

balaji.bandi
Hall of Fame

Maybe find the PC / Server / Device, isolate it from the network and scan it with antivirus or any tools you have.

It is always worth rebuilding when we see these kinds of attacks, then bringing them back to the network and monitoring.


BB

Marvin Rhoads
Hall of Fame

IOC is often just a sign the firewall is doing its job.

For example, if you have a web server in a DMZ running IIS and someone on the Internet attempts to scan it with a credential-guessing script, that can be an IOC.

Sometimes though it can be something worse - say the same server is attempting to reach a command and control server and is blocked by security intelligence. That is also an IOC.

I usually do some analysis of IOCs - the direction of the flow is an important thing to check (among others).

Additionally, here is some more info about IoC implementation on FTD: https://community.cisco.com/t5/network-security/ftd-ids-drop-rule-to-not-trigger-ioc/td-p/4813771. This functionality is indeed a bit confusing (or frustrating if you will).
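The direction check described in the reply above, turned into a small triage helper. This is an added example, not code from the thread or from Cisco; the event field names, the internal address ranges and the three sample events are constructed assumptions.

```python
"""Triage constructed FMC-style IOC events by flow direction.
Added example (not from the thread or Cisco). Event fields, address
ranges and the sample records below are assumptions, not real FMC data."""
import ipaddress

# Assumed internal/DMZ address space for the constructed examples.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample events in a simplified FMC-like shape (assumption).
SAMPLE_EVENTS = [
    {"host": "10.1.1.20", "src": "203.0.113.5", "dst": "10.1.1.20",
     "category": "Intrusion Event - attempted-admin", "action": "Block"},
    {"host": "10.2.2.30", "src": "10.2.2.30", "dst": "198.51.100.9",
     "category": "Security Intelligence - CnC", "action": "Block"},
    {"host": "10.2.2.31", "src": "10.2.2.31", "dst": "198.51.100.9",
     "category": "Security Intelligence - CnC", "action": "Allow"},
]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def flow_direction(event):
    """'inbound' when an external source hits an internal host, 'outbound'
    when an internal host initiates to an external address, else 'internal'."""
    src_in, dst_in = is_internal(event["src"]), is_internal(event["dst"])
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal"

def triage(event):
    """Return (priority, recommended action) for one IOC event."""
    direction = flow_direction(event)
    blocked = event["action"] == "Block"
    if direction == "outbound" and "CnC" in event["category"]:
        if blocked:
            return ("high", "isolate host, collect evidence, consider rebuild")
        return ("critical", "isolate host immediately; callback was not blocked")
    if direction == "inbound" and blocked:
        return ("low", "blocked external probe; confirm host is patched")
    return ("medium", "review manually: check direction and host behaviour")

def triage_all(events=SAMPLE_EVENTS):
    """One (host, direction, priority, action) row per event."""
    return [(e["host"], flow_direction(e)) + triage(e) for e in events]
```

Real FMC exports carry more fields (ingress/egress zones, rule action, SI category), but the same direction-first logic applies.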
