Judgments

Column Name	Description
Observable	The observable name based on the type (for example, the IP address or file hash). Click the (Pivot Menu) icon next to the observable and view the disposition, observable type, and verdicts associated with the observable, and perform additional tasks. See View Verdicts and Tasks in Pivot Menu for more information. Click the Observable to open the Judgment Details drawer and view additional information.
Disposition	The intent or nature of an observable about whether it's malicious (untrusted), suspicious (questionable), unknown (neutral), common (favorable), or clean (trusted).
Reason	Why the observable disposition was determined.
Type	The type of observable (IP address, MD5 hash, SHA1 hash).
Start/End Times	The date and time the judgment was created and the date and time it expires (if expiration date is set).
Source	Where the CTIM entity (data) originated, for example who encoded the intel into a data object.
Severity	The seriousness of the threat that the observable presents (Critical, High, Medium, Low, None).
TLP	Traffic Light Protocol designation that indicates how information should be shared (red, amber, green, or white).

Search and Sort Judgments

Use the Search text box in the upper portion of the page to narrow the display of judgments. Click the tooltip next to the text box to view the search criteria and examples of common searches. Only stored data is searchable; data sources outside of Cisco XDR are not searchable.

You can sort the Judgments table based on the start date. Click the (Sort) icon next to the Start/End Date column to sort by oldest or most recent date and time.

View Verdicts and Tasks in Pivot Menu

Click the (Pivot Menu) icon next to the observable in the judgment to open the Pivot menu and view the verdicts associated with the observable, investigate it, create a new judgment, or perform additional tasks by leveraging your integrated Cisco products.

Create Judgment

You can create judgments for an observable from the Pivot menu.

Click the (Pivot Menu) icon next to the observable and choose Create Judgment. Complete the form and then click Create.

For more information, see the Create Judgment help topic.

View Judgment Details

Click the judgment name to open the Judgment Details drawer and view additional information, download the judgment in JSON format, and delete a private judgment.

In the upper panel, the severity level and observable name are displayed.

General

Expand the General panel in the Judgment Details drawer and view the following information:

Column Name	Description
Start Time/End Time	The date and time the judgment was created and the date and time it expires (if expiration date is set).
Entity/Pivot Menu	The (Pivot Menu) icon next to the observable indicates the disposition and shows the verdicts that determined the disposition for the judgment. You can perform additional tasks from the Pivot menu, such as investigate the observable to view all of the verdicts or create a new judgment for the observable.
Disposition	The intent or nature of an observable about whether it's malicious (untrusted), suspicious (questionable), unknown (neutral), common (favorable), or clean (trusted).
Reason	Why the observable disposition was determined.
Source	Where the CTIM entity (data) originated, for example who encoded the intel into a data object. Click the Source to go to that instance and view more information.
Confidence	The confidence level of the system that produced the data of its accuracy.
Priority	A value 0-100 that represents the importance of a judgment, where automated judgments use a priority of 90 or less, known good products within your organization use a priority of 95, and human judgments use a priority of 100.
TLP	Traffic Light Protocol designation that indicates how information should be shared (red, amber, green, or white).