Solved: Suspected false positives in FMC

AFlack20 · ‎02-12-2021

This morning when I logged into our FMC I had several new IOC's on my context explorer, all of which were related to CnC connection attempts. After getting into the analysis and using the talos lookup tool on the IP address associated with these events, they're all looking fairly benign. Most were to IP's that according to talos belong to amazon cloud-front with a neutral reputation the remaining were cloudflare connections with same neutral reputation.

The IP's are as follows: 54.230.125.230 54.230.125.6 99.84.199.157 54.230.125.123 99.84.199.145 54.230.125.68 172.67.190.148

Assuming that these IP's aren't malicious CnC servers, as indicated by talos tool, why are they showing up as that in my FMC? I can see that these events are showing up under the security intelligence category of URL CnC. I don't know where the URL CnC is drawing from to determine what is "Bad" and to blacklist, but I would assume it would be talos? Lastly how would I edit this policy? If I go into Policies -> Access Control -> My Policy -> Security Intelligence, and under Blacklist is URL CnC, but I don't see any means in which to edit URL CnC there?

I would be appreciative if the Cisco team could advise as to what the best practice would be for adjusting the URL CnC blacklist, and whether I should just whitelist the IP addresses that were indicated above.

Thanks!

Marius Gunnerud · ‎02-15-2021

Security intelligence is included in the Threat license. It is not a bug, but more likely that the Talos automated systems do not yet have enough information on the sites to provide a different reputation. As mentioned above, the only way to allow this traffic immediately is to whitelist it. Otherwise you will need to wait for the Talos system to reassess the webiste reputation.s

--
Please remember to select a correct answer and rate helpful posts

View solution in original post