Enabling Indications of Compromise Rules

For the system to detect and tag indications of compromise (IOC), you must first enable at least one IOC rule in your network discovery policy. Each IOC rule corresponds to one type of IOC tag. All IOC rules are predefined by Cisco; you cannot create your own. You can enable any or all of the rules, depending on the needs of your network and organization. For example, if hosts on your monitored network never run software such as Microsoft Excel, you might choose not to enable the IOC rules that pertain to Excel-based threats.

Before you begin

Because IOC rules trigger on data produced by other components of the system and by AMP for Endpoints, those components must be correctly licensed and configured before any IOC rule can set an IOC tag. Before you enable an IOC rule, enable the system feature that supplies its data, such as intrusion detection and prevention (IPS) or Advanced Malware Protection (AMP). If the feature associated with an IOC rule is not enabled, the system collects no relevant data and the rule cannot trigger, even if the rule itself is enabled.

Procedure


Step 1

Choose Policies > Network Discovery.

Step 2

Click Advanced.

Step 3

Click Edit (edit icon) next to Indications of Compromise Settings.

Step 4

To toggle the entire IOC feature off or on, click the slider next to Enable IOC. When this slider is off, no IOC rule triggers, regardless of the individual rule settings.

Step 5

To globally enable or disable an individual IOC rule, click the slider in that rule's Enabled column.

Step 6

Click Save to save your IOC rule settings.


What to do next

  • Deploy configuration changes. The new IOC rule settings do not take effect until you deploy.