Events
The Events page provides the ability to search for public and private events that are deemed most relevant to incident response (for more information, see Intelligence). An event is a record of the appearance of a cyber observable at a given date and time. Events can optionally be related to indicators, providing threat intelligence context about the observable.
You access this page by choosing Intelligence > Events in the navigation menu.
By default, public events are displayed for all environments.
- Click the Private tab to display the list of private events.
- Click the Environment filter and choose All, Internal, or Global from the drop-down menu to display the events for a specific environment.
| Column Name | Description |
|---|---|
| First Seen | Date and time the event was first sighted. Click the (Sort) icon next to the column heading to sort the list by oldest or most recent date and time. |
| Title | The name and ID assigned to the event. |
| Source | Where the CTIM entity (data) originated; for example, who encoded the intel into a data object, and the process or device that observed the activity described in the sighting. |
| Severity | The seriousness of the threat posed by the observable (High or Medium). |
| Environment | Where the event was seen: globally or in your internal environment. |
| Entities | The number of entities seen in the event, such as domain names, IP addresses, file hashes, PKI certificate serial numbers, and specific devices or users. |
| Targets | The number of devices, identities, or resources that the threat targeted. |
| Relations | The number of observables related to the event. |
From this page, you can perform the following tasks:
- Use the Search text box in the upper portion of the page to narrow the display of events. Click the tooltip next to the text box to view the search criteria and examples of common searches. Only stored data is searchable; data sources outside of Cisco XDR are not searchable here.
- Sort the Events table by date and time. Click the (Sort) icon next to the First Seen column to sort the list by oldest or most recent date and time.
- Click the event in the First Seen column to open the Event Details drawer, view additional information, download the event in JSON format, and delete a private event.
  - In the upper panel, the severity level and event title are displayed.
  - Expand the General panel to view information such as the date and time the event was first seen, confidence level, source, sensor, environment, and resolution.
  - Expand the Description panel to view information about the event, such as the sighting title, the time it was observed, source, destination, file direction, Spero disposition, file action, and a link to the event details. The information displayed in the Description panel may differ depending on the module that reported it.
  - Expand the Entities panel to view a list of observables that were sighted in the event.
    - Click the (Pivot Menu) icon next to an observable to open the Pivot menu, view the disposition, observable type, and verdicts associated with the observable, and perform additional tasks.
  - Expand the Targets panel to view the targets that were identified in the event.
    - Click the (Pivot Menu) icon next to an observable to open the Pivot menu, view the disposition, observable type, and verdicts associated with the observable, and perform additional tasks.
  - Expand the Relations panel to view other observables that are connected (directional relationship) to the entities in the event.
  - Expand the JSON panel to view the event in JSON format.
  - Click the (Pivot Menu) icon next to an observable to open the Pivot menu, view the verdicts associated with the observable, investigate it, create a judgment, or perform additional tasks by leveraging your integrated products.
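The Event Details drawer lets you download an event as JSON. The following script, added here as an example and not part of Cisco XDR or its documentation, shows how the Entities, Targets, Relations, Severity and Environment columns above can be recomputed from such an export, and how to sort and filter a batch of exported events the way the Events page does. The sample export and every field name it uses (id, title, first_seen, source, severity, environment, observables, targets, relations) are constructed assumptions modelled on the columns this page describes; compare them with the JSON panel of a real exported event before relying on the script.

```python
"""Summarise events exported from the Events page as JSON.

Added example, not Cisco's code. Field names are assumptions modelled on
the columns this page describes; verify them against a real export.
"""
import json
from datetime import datetime, timezone

# Constructed sample export: two events shaped like the columns on this page.
SAMPLE_EXPORT = json.dumps([
    {
        "id": "event-0001",
        "title": "Malicious domain contacted",
        "first_seen": "2024-03-02T08:15:00Z",
        "source": "example-sensor",
        "severity": "High",
        "environment": "Internal",
        "observables": [
            {"type": "domain", "value": "bad.example.test"},
            {"type": "ip", "value": "203.0.113.7"},
        ],
        "targets": [
            {"type": "endpoint",
             "observables": [{"type": "hostname", "value": "ws-42"}]},
        ],
        "relations": [
            {"relation": "Resolved_To",
             "source": {"type": "domain", "value": "bad.example.test"},
             "related": {"type": "ip", "value": "203.0.113.7"}},
        ],
    },
    {
        "id": "event-0002",
        "title": "Suspicious file hash observed",
        "first_seen": "2024-03-01T23:40:00Z",
        "source": "example-feed",
        "severity": "Medium",
        "environment": "Global",
        "observables": [{"type": "sha256", "value": "0" * 64}],
        "targets": [],
        "relations": [],
    },
])


def parse_first_seen(timestamp):
    """Parse an ISO 8601 timestamp (trailing 'Z' allowed) into an aware UTC datetime."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def summarise(event):
    """Compute one row of the Events table from a single exported event."""
    return {
        "id": event["id"],
        "title": event["title"],
        "first_seen": parse_first_seen(event["first_seen"]),
        "source": event.get("source", "Unknown"),
        "severity": event.get("severity", "Unknown"),
        "environment": event.get("environment", "Unknown"),
        # The three count columns are just the sizes of the corresponding lists.
        "entities": len(event.get("observables", [])),
        "targets": len(event.get("targets", [])),
        "relations": len(event.get("relations", [])),
    }


def load_events(export_json, environment="All", newest_first=True):
    """Build the table rows, apply the Environment filter, and sort by First Seen."""
    rows = [summarise(e) for e in json.loads(export_json)]
    if environment != "All":
        rows = [r for r in rows if r["environment"] == environment]
    rows.sort(key=lambda r: r["first_seen"], reverse=newest_first)
    return rows


def high_severity_with_targets(rows, environment="Internal"):
    """Triage helper: High-severity events in the given environment that hit at least one target."""
    return [r for r in rows
            if r["severity"] == "High"
            and r["environment"] == environment
            and r["targets"] > 0]


if __name__ == "__main__":
    for row in load_events(SAMPLE_EXPORT):
        print(f'{row["first_seen"].isoformat()}  {row["severity"]:<6} '
              f'{row["environment"]:<8} E={row["entities"]} T={row["targets"]} '
              f'R={row["relations"]}  {row["title"]}')
    print("Triage first:", [r["id"] for r in high_severity_with_targets(load_events(SAMPLE_EXPORT))])
```

Missing list fields are treated as empty rather than raising, since a module that reports no targets or relations may omit those keys entirely; the triage helper mirrors the manual workflow of sorting by First Seen and scanning for High severity events in the Internal environment.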