Suggested Investigations
- Confirm that your system is blocking threats that it has identified:
  - On the Threats > Threat Summary page, filter for threats not blocked, regardless of direction.
  - On the Threats > Intrusion Events page, filter for Impact 1 threats not blocked.
- Look for compromised internal hosts. Attacks initiated by internal hosts always indicate compromise.
  - On the Threats > Intrusion Events page, filter for Impact 3 threats whether or not they were blocked, then click the relevant internal hosts option in the pie chart below the timeline. Investigate the internal IP addresses in the table at the bottom of the page.
  - Then do the same for Impact 2 events.
  - On the Threats > Threat Summary page, filter for Direction originating with internal hosts, whether blocked or not, and investigate the internal hosts involved, regardless of whether the threats were blocked.
- Identify hosts affected by malware that entered your network before it was known to be a threat: identify affected hosts using the retrospective malware events graph on the Threats > Threat Summary page.
- Look for anomalies on your network, such as unapproved applications or nonstandard ports in use:
  - Check the graphs on the Network page.
  - Look for activity on uncommon ports, as highlighted in the "Top Server Applications In Use with Least Seen TCP Ports" graph on the Network page.
  - Review the data for outliers: activity or parameters that are seen unexpectedly frequently or unexpectedly infrequently.
- Investigate any unexpected hosts on your network. Level 0 intrusion events without associated host discovery on the network could indicate the presence of a ghost network. (Level 0 intrusion events could also indicate that your network discovery policy is not properly implemented.)
- Look for spikes or trends in high-priority attacks over time or against key hosts (for example, servers). These are easiest to see in the timeline graphs on each page under the Threats menu.
  - Select various time ranges to see what stands out.
  - Eliminate large chunks of insignificant data so the important data stands out.
  - Look carefully at unique events, which may indicate highly targeted attacks.
- Drill down on interesting items. As you find patterns, hosts, users, applications, ports, etc. that raise flags, drill down and filter to see what other transactions involve the relevant entities. Also right-click items to see if additional information is available.
- As you explore, look for any other behavior that could be suspicious. For example:
  - A single URL is unexpectedly associated with multiple IP addresses and MAC addresses over time.
  - A host has unexpectedly connected to 30 different endpoints in the past hour using SSH.
- Look for events and data associated with a particular IP address: use the Threats > Context Explorer page.
  Note: If your filter includes many IP addresses, the app may become very slow, depending on how you have your data set up.

See also Intrusion Event Impact Levels.
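The checklist above, as an added Python triage helper (not the app's own code): it applies the page's criteria (unblocked Impact 1 events, Impact 2 and 3 events initiated by internal hosts, Level 0 events with no discovered host, and the SSH fan-out anomaly) to exported records. The record field names, the internal address ranges and the sample data are assumptions, not the app's schema.

```python
"""Triage helper for the investigation checklist. Field names, internal
ranges and sample records below are assumptions, not the app's schema."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def triage_intrusion(events, discovered_hosts):
    """Bucket intrusion events the way the checklist prioritises them."""
    out = {"unblocked_impact1": [], "internal_attackers": defaultdict(list),
           "possible_ghost_network": []}
    for ev in events:
        # Impact 1 that got through: the system identified it and did not stop it.
        if ev["impact"] == 1 and not ev["blocked"]:
            out["unblocked_impact1"].append(ev)
        # Impact 2/3 initiated by an internal host: treat the source as compromised.
        if ev["impact"] in (2, 3) and is_internal(ev["src_ip"]):
            out["internal_attackers"][ev["src_ip"]].append(ev)
        # Level 0 with neither endpoint in the network map: discovery gap or ghost network.
        if ev["impact"] == 0 and not ({ev["src_ip"], ev["dst_ip"]} & discovered_hosts):
            out["possible_ghost_network"].append(ev)
    return out


def ssh_fanout(conns, threshold=30, window=3600):
    """Sources that reached >= threshold distinct SSH peers inside any sliding window."""
    by_src = defaultdict(list)
    for c in conns:
        if c["app"] == "SSH":
            by_src[c["src_ip"]].append((c["ts"], c["dst_ip"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:  # drop peers outside the window
                lo += 1
            peers = {d for _, d in hits[lo:hi + 1]}
            if len(peers) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged


# Constructed sample data (not a real export).
EVENTS = [
    {"impact": 1, "blocked": False, "src_ip": "203.0.113.5", "dst_ip": "10.1.1.20"},
    {"impact": 1, "blocked": True, "src_ip": "203.0.113.6", "dst_ip": "10.1.1.21"},
    {"impact": 3, "blocked": True, "src_ip": "10.1.1.7", "dst_ip": "198.51.100.9"},
    {"impact": 0, "blocked": False, "src_ip": "172.16.9.2", "dst_ip": "172.16.9.3"},
]
DISCOVERED = {"10.1.1.20", "10.1.1.21", "10.1.1.7"}
CONNS = [{"ts": 1000 + i * 60, "app": "SSH", "src_ip": "10.1.1.7",
          "dst_ip": f"10.2.0.{i}"} for i in range(35)]
```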
Widget descriptions:
Most of the widgets in this app are the same as their equivalents in the Firepower Management Center. For information about these widgets, see the Firepower Management Center Configuration Guide for your version at https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html.