Intelligence

The Cisco XDR Intelligence feature provides users the ability to search for stored threat intelligence from the public, as well as your private, threat intelligence stores based on the Cisco Threat Intelligence Model. It includes the judgments, indicators, events, and feeds based on the data that has been extracted from the continuous enrichment of our threat intelligence sources and deemed most relevant to incident response.

As defined by the Center for Internet Security, "cyber threat intelligence is what cyber threat information becomes once it has been collected, evaluated in the context of its source and reliability, and analyzed through rigorous and structured trade-craft techniques by those with substantive expertise and access to all-source information."

Judgments

Choose Intelligence in the navigation menu to view Judgments, Indicators, Events, and Feeds.

A judgment associates a disposition with a cyber observable, and is valid for an explicit timeframe. Judgments can optionally be related to indicators, providing further insight as to why a specific disposition was associated with that observable. Use this page to view public and private judgments.

For more information, see the Judgments help topic.

An indicator describes a pattern of behavior or a set of conditions which indicate malicious behavior. Some indicators are more indicative than others of malicious behavior, so knowing exactly which bad behaviors an observable (such as a domain or an IP address) are exhibiting can help an incident responder decide what to do next.

For more information, see the Indicators help topic.

An event is a record of the appearance of a cyber observable at a given date and time. Events can optionally be related to indicators, providing threat intelligence context about the observable.

For more information, see the Events help topic.

Feeds provide the ability to create custom threat intelligence and capture findings about threat investigations as lists of malicious, suspicious or clean observables (block lists, watch lists, and allowed lists). These lists can be saved and updated as data feeds. Security products, such as firewalls, can then be configured to listen on the Feed URLs and have policies around each type of feed.

See the Feeds Help topic for additional information.

Cisco XDR uses the Cisco Threat Intelligence Model (CTIM), with its primary focus being the decomposition, storage, and retrieval of vast quantities of existing threat intelligence and curate our own libraries of advanced threat behavioral indicators. These indicators, along with traditional research methods, are used to discover new types of malware, as well as new behaviors of known malware. This intelligence is then fed back into our ecosystem, which allows us to achieve continuous enrichment of our threat intelligence resources.

We then summarize our analysis of these observations and behaviors and store this data. The result is vast quantities raw, comprehensive summaries of our threat intelligence about a particular sample. CTIM allows us to decompose these massive, comprehensive analysis artifacts, and extract the details most relevant to incident response into a data model specifically designed for rapid storage, retrieval, and enrichment.

The Modeling Threat Intelligence in CTIM tutorial describes methods of modeling threat intelligence using the CTIM, including best practices for client developers.