IOC_STATE_RECORD

Hi All,

I have observed internal-to-internal machine traffic and seen the event IOC_STATE_RECORD on my SIEM console.

This event was flagged by the Cisco Firepower Management Center (FMC). I checked the traffic logs between these two internal machines and observed only IOC_STATE_RECORD related events; no firewall logs were found. Please let me know what IOC_STATE_RECORD is. Is it something I need to pay attention to for this kind of event?

 

4 Replies

luizsil
Cisco Employee

Hello,

IOC stands for Indication of Compromise.


Here is the Event Information:

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/api/eStreamer/EventStreamerIntegrationGuide/RNA-Records.html?bookSearch=true#pgfId-6177494

 

To get a better translation of what an IOC_ID stands for, you can grab them all as follows:

Go to the FMC CLI, enter expert mode, raise yourself to root and type the following command:

OmniQuery.pl -db mdb -e "select ioc_id,category,event_type,description from ioc\G;"

So you need to have the IOC_ID and find out what compromise is being detected, and whether it is a false positive or not.

After this you can definitely program your SIEM to translate these events from IOC_ID to actual text.

In some SIEMs the IOC_ID may be called another property of the event, for example: iocState.value=11

 

Best Regards,

Luiz Silva
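The reply above suggests exporting the ioc table with OmniQuery.pl and then having the SIEM translate iocState.value into text. The following is an added example of that enrichment step, not code from the thread or from Cisco: it parses the vertical (\G) output of the query into a lookup table and annotates SIEM event lines carrying iocState.value=N. It assumes OmniQuery.pl prints rows in MySQL's vertical format; the single sample row is the one the thread reports for ioc_id 11, but the split of that row into category, event_type and description columns is an assumption, and the sample SIEM lines (IP addresses included) are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of the vertical (\G) output of
#   OmniQuery.pl -db mdb -e "select ioc_id,category,event_type,description from ioc\G;"
# Assumed to follow MySQL's vertical row format. The column split for row 11
# is an assumption; the thread only shows it as one flat string.
SAMPLE_IOC_TABLE = """\
*************************** 1. row ***************************
     ioc_id: 11
   category: Impact 2 Attack
 event_type: Impact 2 Intrusion Event
description: attempted-user
"""

# Constructed SIEM event lines; hostnames/IPs are placeholders, not from the thread.
SAMPLE_EVENTS = [
    "eventType=IOC_STATE_RECORD src=10.0.1.20 dst=10.0.1.35 iocState.value=11",
    "eventType=IOC_STATE_RECORD src=10.0.1.20 dst=10.0.1.35 iocState.value=9999",
    "eventType=CONNECTION src=10.0.1.20 dst=10.0.1.35 action=Allow",
]

ROW_SEP = re.compile(r"^\*+ \d+\. row \*+$")   # "*** 1. row ***" separators
FIELD = re.compile(r"^\s*(\w+): ?(.*)$")      # "   column: value" lines
IOC_STATE = re.compile(r"iocState\.value=(\d+)")


def parse_vertical(text: str) -> List[Dict[str, str]]:
    """Turn MySQL \\G vertical output into a list of {column: value} dicts."""
    rows: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if ROW_SEP.match(line):
            if current:
                rows.append(current)
            current = {}
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    if current:
        rows.append(current)
    return rows


def build_ioc_map(text: str) -> Dict[int, Dict[str, str]]:
    """Index the exported ioc table by integer ioc_id."""
    return {int(r["ioc_id"]): r for r in parse_vertical(text) if "ioc_id" in r}


def enrich_event(event: str, ioc_map: Dict[int, Dict[str, str]]) -> Dict[str, object]:
    """Attach a human-readable IOC description to an event carrying iocState.value.

    Events without the field pass through untouched; an id missing from the
    exported table is reported as unknown (the export may be stale or the
    event may be something other than an IOC state record).
    """
    m = IOC_STATE.search(event)
    if not m:
        return {"raw": event, "ioc_id": None, "ioc_text": None}
    ioc_id = int(m.group(1))
    row = ioc_map.get(ioc_id)
    if row is None:
        text = f"unknown ioc_id {ioc_id} (not in exported ioc table)"
    else:
        text = f"{row['category']} / {row['event_type']} / {row['description']}"
    return {"raw": event, "ioc_id": ioc_id, "ioc_text": text}


def enrich_all(events: List[str], table_text: str = SAMPLE_IOC_TABLE) -> List[Dict[str, object]]:
    ioc_map = build_ioc_map(table_text)
    return [enrich_event(e, ioc_map) for e in events]


if __name__ == "__main__":
    for rec in enrich_all(SAMPLE_EVENTS):
        print(rec["ioc_id"], "->", rec["ioc_text"])
```

In practice the table export would be saved once from the FMC and re-run whenever the Firepower version changes, since the ioc table can grow with new releases; the unknown-id branch is what tells you the export is out of date.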

Thank you for your reply.

Yes, I have found iocState.value=11 in my payload. I searched for the value 11 in the link you provided.

It says New TCP Server for the value 11.

Please correct me if I am not referring to the correct content.

From the Table I extracted on FMC, ioc_id 11 =

  • Impact 2 Attack — Impact 2 Intrusion Event - attempted-user

 

 

For more details on the event, you can search for Intrusion Events on your FMC and search for the time frame indicated.

 

Best Regards,

Luiz Silva

Can you provide us with official documentation for this issue?
