Indicators
The Indicators page provides the ability to search for stored public and private threat intelligence indicators that are deemed most relevant to incident response (for more information, see Intelligence).
An indicator describes a pattern of behavior or a set of conditions which indicate malicious behavior. Some indicators are more indicative than others of malicious behavior, so knowing exactly which bad behaviors an observable (such as a domain or an IP address) is exhibiting can help an incident responder decide what to do next.
You access this page by choosing Intelligence > Indicators in the navigation menu.
The Public indicators are displayed by default. Click the Private tab to display the list of private indicators.
| Column Name | Description |
|---|---|
| Title | Describes the full pattern of behavior or a set of conditions which indicate malicious behavior. A Short Description may also be displayed, if available. Click the (Sort) icon next to the column heading to sort the list alphabetically (ascending or descending). Click the indicator Title to open the Indicator Details drawer and view additional information. |
| Modified | Date and time the data was last updated. Click the (Sort) icon next to the column heading to sort the list by oldest or most recent date and time. |
| Producer | Where the CTIM entity (data) originated, for example who encoded the intel into a data object. |
| Source | The source that reported the indicator to the Cisco XDR module. |
| Confidence | The confidence level of the system that produced the data in its accuracy. |
| TLP | Traffic Light Protocol designation that indicates how information should be shared (red, amber, green, or white). |
From the Indicators page, you can perform the following tasks:
Use the Search text box in the upper portion of the page to narrow the display of indicators. Click the tooltip next to the text box to view the search criteria and examples of common searches. Only stored data is searchable; data sources outside of Cisco XDR are not searchable.
You can sort the Indicators table alphabetically or by date and time. Click the (Sort) icon next to the Title or Modified column heading to sort the list:
- Title - Sort in alphabetical ascending or descending order.
- Modified - Sort by oldest or most recent date and time.
When you have the Private indicators displayed on the Indicators page, you can create a private indicator.
Click Create Indicator, complete the information on the form in the Create Indicator drawer, and then click Save.
For more information, see the Create Private Indicator help topic.
Click the indicator title to open the Indicator Details drawer and view additional information, download the indicator in JSON format, edit or delete a private indicator, and view the full indicator.
Expand the General panel in the Indicator Details drawer and view the following information:
| Field | Description |
|---|---|
| Modified | Date and time the data was last updated. |
| Producer | Where the CTIM entity (data) originated, for example who encoded the intel into a data object. |
| Source | The Cisco XDR module where the indicator was produced. |
| TLP | Traffic Light Protocol designation that indicates how information should be shared (red, amber, green, or white). |
Expand the Tags panel in the Indicator Details drawer to view the descriptor tags for the indicator.
Expand the JSON panel in the Indicator Details drawer to view the indicator in JSON format.
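The JSON panel exposes the same fields the Indicators table shows (Title, Modified, Producer, Source, Confidence, TLP, Tags), which makes downloaded indicators easy to process outside the console. The following script is an added example, not Cisco XDR code or a CTIM reference implementation: it sorts a constructed set of indicator records the way the Title and Modified columns do, runs a simple text search over them, and applies the TLP designation to decide which records may be shared with a given audience. The field names, the sample records and the confidence labels are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample records (not real Cisco XDR data). Field names are an
# assumption that mirrors the column names on the Indicators page.
SAMPLE_INDICATORS = [
    {"title": "Beaconing to known C2 domain", "short_description": "Periodic DNS beacon",
     "modified": "2024-03-02T10:15:00Z", "producer": "Example SOC", "source": "Private Intel",
     "confidence": "High", "tlp": "amber", "tags": ["c2", "dns"]},
    {"title": "Credential stuffing login pattern", "short_description": "Many failed logins per IP",
     "modified": "2024-01-20T08:00:00Z", "producer": "Example Feed", "source": "Public Intel",
     "confidence": "Medium", "tlp": "green", "tags": ["auth"]},
    {"title": "Anonymizing proxy exit node", "short_description": "Traffic via public proxy",
     "modified": "2024-02-11T16:45:00Z", "producer": "Example Feed", "source": "Public Intel",
     "confidence": "Low", "tlp": "white", "tags": ["proxy"]},
    {"title": "Internal-only detection rule match", "short_description": "Custom rule hit",
     "modified": "2024-03-05T09:30:00Z", "producer": "Example SOC", "source": "Private Intel",
     "confidence": "High", "tlp": "red", "tags": ["internal"]},
]

# TLP ordering from least to most restrictive (the four colours the page lists).
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}

# Audience -> most restrictive TLP colour that may still be shared with it.
# Mapping is an assumption based on the usual TLP sharing rules.
AUDIENCE_LIMIT = {"public": 0, "community": 1, "organization": 2, "named_recipients": 3}

# Confidence labels are assumed; CTIM uses textual levels rather than numbers.
CONFIDENCE_RANK = {"Unknown": 0, "None": 0, "Low": 1, "Medium": 2, "High": 3}


def parse_modified(value):
    """Parse an ISO 8601 timestamp with a trailing Z into a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sort_by_title(indicators, descending=False):
    """Alphabetical sort, case-insensitive, like the Title column's sort icon."""
    return sorted(indicators, key=lambda i: i["title"].lower(), reverse=descending)


def sort_by_modified(indicators, newest_first=True):
    """Chronological sort on the Modified field, like the Modified column's sort icon."""
    return sorted(indicators, key=lambda i: parse_modified(i["modified"]), reverse=newest_first)


def search(indicators, text):
    """Case-insensitive substring match over title, short description and tags."""
    needle = text.lower()
    hits = []
    for ind in indicators:
        haystack = " ".join([ind["title"], ind.get("short_description", "")] + ind.get("tags", []))
        if needle in haystack.lower():
            hits.append(ind)
    return hits


def shareable_with(indicators, audience):
    """Keep only indicators whose TLP colour permits sharing with the audience."""
    limit = AUDIENCE_LIMIT[audience]
    return [i for i in indicators if TLP_RANK[i["tlp"].lower()] <= limit]


def prioritize(indicators, minimum_confidence="Medium"):
    """Rank for triage: highest confidence first, newest first within a level."""
    floor = CONFIDENCE_RANK[minimum_confidence]
    kept = [i for i in indicators if CONFIDENCE_RANK.get(i["confidence"], 0) >= floor]
    return sorted(
        kept,
        key=lambda i: (CONFIDENCE_RANK.get(i["confidence"], 0), parse_modified(i["modified"])),
        reverse=True,
    )


if __name__ == "__main__":
    for ind in prioritize(shareable_with(SAMPLE_INDICATORS, "organization")):
        print(ind["modified"], ind["confidence"], ind["tlp"], ind["title"])
```

The `shareable_with` filter is the piece worth keeping around: applying the TLP colour before an indicator leaves the console (for example into a ticket or a partner feed) is what the designation is for.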
If you have private indicators displayed, you have the ability to edit or delete an indicator in the Indicator Details drawer.
- To edit the indicator, click the indicator Title to open the drawer and then click Edit. For more information, see the Edit Private Indicator help topic.
- To delete an indicator, click the indicator Title to open the drawer and then click Delete. For more information, see the Delete Private Indicator help topic.
To view all the information associated with the indicator, click the indicator Title to open the Indicator Details drawer and then click View Full Indicator.
From this page, you can view an overview of the indicator, which includes threat intelligence context for the indicator, and view the judgments, feeds, and external references associated with the indicator.
For more information, see the View Full Indicator help topic.