01-08-2020 09:22 PM - edited 02-21-2020 09:49 AM
Hi All,
I have observed internal-to-internal machine traffic and observed the event IOC_STATE_RECORD on my SIEM console.
This event was flagged by the Cisco Firepower Center (FMC). I checked the traffic logs between these two internal machines and observed only IOC_STATE_RECORD related events; no firewall logs were found. Please let me know what IOC_STATE_RECORD is. Is it something I need to pay attention to for these kinds of events?
01-09-2020 03:24 AM
Hello,
IOC stands for Indication of Compromise.
Here is the Event Information:
To get a better translation of what an IOC_ID stands for, you can grab them all at:
Go to the FMC CLI, in expert mode raise yourself to root, and type the following command:
OmniQuery.pl -db mdb -e "select ioc_id,category,event_type,description from ioc\G;"
So you need to have the IOC_ID and find out what compromise is being detected, and whether it is a false positive or not.
After this you can definitely program your SIEM to translate these events from IOC_ID to actual text.
In some SIEMs the IOC_ID may be carried in another property of the event, for example: iocState.value=11
Best Regards,
Luiz Silva
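The translation step described in the answer above (dump the FMC ioc table with the OmniQuery query, then map a SIEM event's iocState.value to readable text), as an added example that is not part of the original thread. The \G output sample, column names and IOC ids below are constructed for illustration and are not real FMC data.

```python
import re

# Constructed sample of what the OmniQuery.pl "\G" query prints: MySQL vertical
# format, one "*** N. row ***" block per row. The ids, categories and
# descriptions below are made up for illustration, not real FMC data.
SAMPLE_OMNIQUERY_OUTPUT = """\
*************************** 1. row ***************************
     ioc_id: 11
   category: example-category-a
 event_type: example-event-type-a
description: Constructed description for IOC 11
*************************** 2. row ***************************
     ioc_id: 42
   category: example-category-b
 event_type: example-event-type-b
description: Constructed description for IOC 42
"""
# Constructed SIEM-style event lines; the id arrives as iocState.value=<id>.
SAMPLE_EVENTS = [
    "IOC_STATE_RECORD src=10.0.0.5 dst=10.0.0.9 iocState.value=11",
    "IOC_STATE_RECORD src=10.0.0.7 dst=10.0.0.9 iocState.value=999",
]

ROW_SEP = re.compile(r"^\*+ \d+\. row \*+$", re.MULTILINE)
IOC_FIELD = re.compile(r"iocState\.value=(\d+)")


def parse_vertical_rows(text):
    """Parse \\G vertical output into {ioc_id (int): {column: value}}."""
    table = {}
    for block in ROW_SEP.split(text):
        row = {}
        for line in block.strip().splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            row[key.strip()] = value.strip()
        if "ioc_id" in row:
            table[int(row["ioc_id"])] = row
    return table


def enrich_event(line, table):
    """Return (ioc_id, human-readable text) for one SIEM event line."""
    m = IOC_FIELD.search(line)
    if not m:
        return None, "no iocState.value field"
    ioc_id = int(m.group(1))
    row = table.get(ioc_id)
    if row is None:  # id missing from the FMC table: flag it for manual review
        return ioc_id, "UNKNOWN ioc_id (not in FMC ioc table)"
    return ioc_id, f"{row['category']} / {row['event_type']}: {row['description']}"
```

Unknown ids are surfaced explicitly rather than silently dropped, so a SIEM rule built on this lookup still alerts when the table export is stale.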
07-21-2021 09:57 AM
Can you provide us with official documentation for this issue?