Indications of Compromise Events
Host Indications of Compromise (IoC) events for Encrypted Visibility Engine (EVE) detection let you identify connection events that EVE reported with a very high malware confidence level. An IoC event is triggered when a host generates an encrypted session using a malicious client. The event shows the IP address, MAC address, and OS information of the affected host, and the timestamp of the suspicious activity.
A session whose Encrypted Visibility Threat Confidence, as shown in connection events, is 'Very High' generates an IoC event. You must enable Hosts from . In the management center, you can view the IoC event from:
- .
- > Choose the host that must be checked.
You can view the process information for the session that generated the IoC on the Connection Events page. Click to access the Connection Events page. The Encrypted Visibility fields and the IoC field are not displayed by default; you must select them manually in the Table View of Connection Events tab.
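The following script applies the rule above (a session at 'Very High' Encrypted Visibility Threat Confidence is an IoC session) to an exported connection-event table and summarises, per host, the details the IoC event shows together with the process names that only the Connection Events view exposes. It is an added example, not Cisco's code, and it does not use the management center API; it assumes a CSV export of the Table View of Connection Events with the Encrypted Visibility and IoC columns selected. The column names, the sample rows and the `unflagged_sessions` check are assumptions and constructed data, and the column names must be matched to the real export headers.

```python
"""Summarise EVE 'Very High' sessions per host from a Connection Events export.

Added example; not Cisco's code. It assumes a CSV export of the Table View of
Connection Events with the Encrypted Visibility and IoC columns selected.
The column names below are assumptions: match them to your export headers.
"""
import csv
import io

# Assumed export column names (adjust to the headers of your export).
COL_TIME = "First Packet"
COL_IP = "Initiator IP"
COL_MAC = "Initiator MAC"
COL_OS = "Initiator OS"
COL_PROCESS = "Encrypted Visibility Process Name"
COL_CONFIDENCE = "Encrypted Visibility Threat Confidence"
COL_IOC = "IOC"
REQUIRED = (COL_TIME, COL_IP, COL_MAC, COL_OS, COL_PROCESS, COL_CONFIDENCE, COL_IOC)

# Constructed sample export (not real management center output).
SAMPLE_CSV = """First Packet,Initiator IP,Initiator MAC,Initiator OS,Encrypted Visibility Process Name,Encrypted Visibility Threat Confidence,IOC
2024-03-01 10:00:01,10.1.1.5,00:11:22:33:44:55,Windows 10,chrome.exe,Very Low,
2024-03-01 10:00:07,10.1.1.9,00:11:22:33:44:66,Windows 10,svchost.exe,Very High,Yes
2024-03-01 10:00:09,10.1.1.9,00:11:22:33:44:66,Windows 10,updater.exe,Very High,Yes
2024-03-01 10:01:15,10.1.1.12,00:11:22:33:44:77,Linux,curl,High,
"""


def parse_events(csv_text):
    """Parse the export into row dicts; fail loudly if the Encrypted
    Visibility or IoC columns were not selected before exporting."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("export is missing columns: %s" % ", ".join(missing))
    return list(reader)


def is_ioc_session(row):
    """A session generates an IoC when EVE threat confidence is 'Very High'."""
    return row[COL_CONFIDENCE].strip().lower() == "very high"


def ioc_hosts(rows):
    """Group qualifying sessions by initiator host, keeping what the IoC event
    shows (IP, MAC, OS, first timestamp) plus the distinct process names."""
    hosts = {}
    for row in rows:
        if not is_ioc_session(row):
            continue
        host = hosts.setdefault(row[COL_IP], {
            "mac": row[COL_MAC],
            "os": row[COL_OS],
            "first_seen": row[COL_TIME],
            "sessions": 0,
            "processes": [],
        })
        host["sessions"] += 1
        if row[COL_TIME] < host["first_seen"]:  # timestamps sort lexically
            host["first_seen"] = row[COL_TIME]
        if row[COL_PROCESS] not in host["processes"]:
            host["processes"].append(row[COL_PROCESS])
    return hosts


def unflagged_sessions(rows):
    """'Very High' sessions whose IoC column is empty. Worth a second look
    (assumption: for example, host IoC tracking may not be enabled)."""
    return [r for r in rows if is_ioc_session(r) and not r[COL_IOC].strip()]


if __name__ == "__main__":
    events = parse_events(SAMPLE_CSV)
    for ip, info in ioc_hosts(events).items():
        print(ip, info["mac"], info["os"], info["first_seen"],
              info["sessions"], "session(s):", ", ".join(info["processes"]))
    for r in unflagged_sessions(events):
        print("no IoC flag on very-high session:", r[COL_IP], r[COL_TIME])
```

Run it against a real export by reading the file contents into `parse_events` instead of `SAMPLE_CSV`; the missing-column check catches the case the page warns about, where the Encrypted Visibility and IoC fields were not selected in the Table View before exporting.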