Indications of Compromise

The system uses IOC rules in the network discovery policy to identify a host as likely to have been compromised by malicious means. When a host meets the conditions specified in one of these system-provided rules, the system tags it with an indication of compromise (IOC). Each IOC rule corresponds to one type of IOC tag, and the tag specifies the nature of the likely compromise.

The management center can tag the host and user involved when one of the following occurs:

  • The system correlates data gathered about your monitored network and its traffic, using intrusion, connection, Security Intelligence, and file or malware events, and determines that a potential IOC has occurred.

  • The management center can import IOC data from your AMP for Endpoints deployments via the AMP cloud. Because this data examines activity on a host itself—such as actions taken by or on individual programs—it can provide insights into possible threats that network-only data cannot. For your convenience, the management center automatically obtains any new IOC tags that Cisco develops from the AMP cloud.

To configure this feature, see Enabling Indications of Compromise Rules.

You can also write correlation rules against host IOC data and compliance allow lists that account for IOC-tagged hosts.
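The following is an added illustration of the two ideas above: IOC rules that correlate per-host event data into one IOC tag each, with endpoint-derived IOCs merged in, and a lookup of the kind a correlation rule or allow list check would perform against host IOC data. It is not Cisco code; the rule names, event fields, tag names, sample events and endpoint IOC data are all constructed for this example.

```python
"""Toy model of IOC rule evaluation against per-host event data.

Added example, not the management center's own implementation. The event
sources follow the text (intrusion, connection, Security Intelligence,
file/malware), but every rule, field name, tag name and sample value here
is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Event:
    """One piece of data gathered about a monitored host."""
    kind: str               # intrusion | connection | security_intelligence | file_malware
    host: str               # IP address of the monitored host the event concerns
    attrs: Dict[str, str]   # source-specific fields (constructed names)


@dataclass(frozen=True)
class IocRule:
    """An IOC rule: a condition on one event source that yields exactly one IOC tag."""
    name: str
    event_kind: str
    condition: Callable[[Event], bool]
    tag: str                # the tag names the nature of the likely compromise


# Hypothetical rules; conditions and tag names are constructed, not the system's own rule set.
IOC_RULES: List[IocRule] = [
    IocRule("impact1_intrusion", "intrusion",
            lambda e: e.attrs.get("impact") == "1", "Impact 1 Intrusion Event"),
    IocRule("malware_file", "file_malware",
            lambda e: e.attrs.get("disposition") == "Malware", "Malware Detected in File Transfer"),
    IocRule("cnc_si_hit", "security_intelligence",
            lambda e: e.attrs.get("category") == "CnC", "Connection to Known C2 Address"),
]


def tag_hosts(events: List[Event], rules: List[IocRule] = IOC_RULES) -> Dict[str, Set[str]]:
    """Correlate network-derived events per host and return the IOC tags each host earns.

    A host can accumulate several tags from different event sources; a host whose
    events match no rule is absent from the result.
    """
    tags: Dict[str, Set[str]] = {}
    for event in events:
        for rule in rules:
            if rule.event_kind == event.kind and rule.condition(event):
                tags.setdefault(event.host, set()).add(rule.tag)
    return tags


def import_endpoint_iocs(tags: Dict[str, Set[str]],
                         endpoint_iocs: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Merge host-based IOCs (as an endpoint agent would report) into network-derived tags.

    Endpoint data observes activity on the host itself, so it can tag a host that
    produced no network-derived IOC at all. The input mapping is not modified.
    """
    merged = {host: set(host_tags) for host, host_tags in tags.items()}
    for host, host_tags in endpoint_iocs.items():
        merged.setdefault(host, set()).update(host_tags)
    return merged


def hosts_with_tag(tags: Dict[str, Set[str]], tag: str) -> List[str]:
    """The check a correlation rule or allow list needs: which hosts carry a given IOC tag."""
    return sorted(host for host, host_tags in tags.items() if tag in host_tags)


# Constructed sample data; not captured from a real deployment.
SAMPLE_EVENTS: List[Event] = [
    Event("intrusion", "10.0.0.5", {"impact": "1"}),
    Event("connection", "10.0.0.5", {"action": "Allow"}),
    Event("security_intelligence", "10.0.0.5", {"category": "CnC"}),
    Event("file_malware", "10.0.0.7", {"disposition": "Malware"}),
    Event("intrusion", "10.0.0.9", {"impact": "3"}),   # low impact: matches no rule
]
SAMPLE_ENDPOINT_IOCS: Dict[str, List[str]] = {
    "10.0.0.11": ["Malware Executed (endpoint-reported)"],
}


if __name__ == "__main__":
    network_tags = tag_hosts(SAMPLE_EVENTS)
    all_tags = import_endpoint_iocs(network_tags, SAMPLE_ENDPOINT_IOCS)
    for host in sorted(all_tags):
        print(host, "->", ", ".join(sorted(all_tags[host])))
    print("Impact 1 hosts:", hosts_with_tag(all_tags, "Impact 1 Intrusion Event"))
```

Running the module on the constructed sample tags 10.0.0.5 from two different event sources, tags 10.0.0.7 from a file event alone, leaves 10.0.0.9 untagged, and adds 10.0.0.11 purely from endpoint data, which is the point of importing host-based IOCs alongside network-derived ones.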

To investigate and work with tagged IOCs, see Indications of Compromise Data and its subtopics in Cisco Secure Firewall Management Center Administration Guide.