This morning when I logged into our FMC I had several new IOCs on my context explorer, all of which were related to CnC connection attempts. After getting into the analysis and using the Talos lookup tool on the IP addresses associated with these events, they're all looking fairly benign. Most were to IPs that according to Talos belong to Amazon CloudFront with a neutral reputation; the remaining were Cloudflare connections with the same neutral reputation.
The IPs are as follows: 54.230.125.230, 54.230.125.6, 99.84.199.157, 54.230.125.123, 99.84.199.145, 54.230.125.68, 172.67.190.148
Assuming that these IPs aren't malicious CnC servers, as indicated by the Talos tool, why are they showing up as that in my FMC? I can see that these events are showing up under the security intelligence category of URL CnC. I don't know where URL CnC is drawing from to determine what is "bad" and to blacklist, but I would assume it would be Talos? Lastly, how would I edit this policy? If I go into Policies -> Access Control -> My Policy -> Security Intelligence, URL CnC is listed under Blacklist, but I don't see any means of editing URL CnC there.
I would be appreciative if the Cisco team could advise as to what the best practice would be for adjusting the URL CnC blacklist, and whether I should just whitelist the IP addresses that were indicated above.
Thanks!