Judgments
The Judgments tab provides the ability to search for stored public and private judgments that are deemed most relevant to incident response (for more information, see Intelligence). A judgment associates a disposition with an observable and is valid for an explicit span of time. Judgments can optionally be related to indicators, providing further insight as to why a specific disposition was associated with that observable.
The Public judgments are displayed by default. Click Private in the upper right corner to display the list of private judgments.

Column Name | Description |
---|---|
Observable | The observable name based on the type (for example, the IP address or file hash). Click the Observable to open the Judgment Details drawer and view additional information. |
Disposition | The intent or nature of an observable: malicious (untrusted), suspicious (questionable), unknown (neutral), common (favorable), or clean (trusted). |
Reason | Why the observable disposition was determined. |
Type | The type of observable (IP address, MD5 hash, SHA1 hash). |
Start/End Times | The date and time the judgment was created and the date and time it expires (if an expiration date is set). |
Source | Where the CTIM entity (data) originated, for example, who encoded the intel into a data object. |
Severity | The seriousness of the threat that the observable presents (Critical, High, Medium, Low, None). |
TLP | Traffic Light Protocol designation that indicates how information should be shared (red, amber, green, or white). |

From the Judgments tab, you can perform the following tasks:

Use the Search text box in the upper portion of the page to narrow the display of judgments. Click the tooltip next to the text box to view the search criteria and examples of common searches. Only stored data is searchable; data sources outside of Cisco XDR are not searchable.
You can sort the Judgments table based on the start date. Click the (Sort) icon next to the Start/End Date column to sort by oldest or most recent date and time.

Click the (Pivot Menu) icon next to the observable in the judgment to open the Pivot menu and view the verdicts associated with the observable, investigate it, create a new judgment, or perform additional tasks by leveraging your integrated Cisco products.

You can create private judgments for an observable and associate the appropriate indicators from the Pivot menu. Once the judgment is created, it is displayed in the private judgments table.
Perform the following steps to create a private judgment:
- Choose Intelligence in the navigation menu and click the Judgments tab.
- Click the (Pivot Menu) icon next to the observable and choose Create Judgment.
- Click Link Indicators to open the Link Indicators form.
- Check the check box next to the indicators you want to include in the judgment and then click Select Indicators to add them to the judgment.
- On the Create Judgment form, complete the following information:

  Field | Description |
  ---|---|
  Disposition | Required. Click the drop-down arrow and choose Unknown, Common, Malicious, Suspicious to indicate the disposition for the observable. |
  Expiration | Specify the period the judgment is valid. Enter or scroll to the number value, and then click the drop-down arrow and choose Days, Weeks, or Years. |
  TLP | Required. Click the drop-down arrow and choose the appropriate TLP designation to be assigned to the judgment (Red, Amber, Green, or White). |
  Reason | Enter a descriptive reason for creating a judgment for the observable. |

- Click Create. A color-coded message is displayed in the lower right corner indicating the new judgment has been created; the color indicates the disposition.

You can search for indicators and narrow the list by checking the check boxes for Confidence, Severity, and TLP.

Click the judgment name to open the Judgment Details drawer and view additional information, download the judgment in JSON format, and delete a private judgment.
In the upper panel, the severity level and observable name are displayed.

Expand the General panel in the Judgment Details drawer and view the following information:
Column Name | Description |
---|---|
Start Time/End Time | The date and time the judgment was created and the date and time it expires (if an expiration date is set). |
Observable | The You can perform additional tasks from the Pivot menu, such as investigate the observable to view all of the verdicts or create a new judgment for the observable. |
Disposition | The intent or nature of an observable: malicious (untrusted), suspicious (questionable), unknown (neutral), common (favorable), or clean (trusted). |
Reason | Why the observable disposition was determined. |
Source | Where the CTIM entity (data) originated, for example, who encoded the intel into a data object. Click the Source to go to that instance and view more information. |
Confidence | The level of confidence that the system that produced the data has in its accuracy. |
Priority | A value 0-100 that represents the importance of a judgment, where automated judgments use a priority of 90 or less, known good products within your organization use a priority of 95, and human judgments use a priority of 100. |
TLP | Traffic Light Protocol designation that indicates how information should be shared (red, amber, green, or white). |

Expand the JSON panel in the Judgment Details drawer to view the judgment in JSON format.
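
The following added example (not Cisco's code) shows one way to sanity-check a judgment downloaded as JSON before relying on it in triage: it verifies the disposition and TLP values, tests whether the judgment is inside its validity window, and maps the priority to the origin classes described in the Priority row. The field names (`disposition_name`, `tlp`, `priority`, `valid_time`) are assumed from the CTIM judgement schema, and the sample record is constructed.

```python
from datetime import datetime, timezone

# Field names are assumed from the CTIM judgement schema; confirm them
# against a judgment downloaded from the Judgment Details drawer.
DISPOSITIONS = {"Clean", "Malicious", "Suspicious", "Common", "Unknown"}
TLP_VALUES = {"red", "amber", "green", "white"}
SAMPLE = {  # constructed record, not real intelligence
    "observable": {"type": "ip", "value": "192.0.2.10"},
    "disposition_name": "Malicious", "priority": 100, "tlp": "amber",
    "reason": "Constructed example",
    "valid_time": {"start_time": "2024-05-01T00:00:00Z",
                   "end_time": "2024-05-08T00:00:00Z"},
}


def parse_time(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-05-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def priority_origin(priority):
    """Map a 0-100 priority to the origin classes given in the Priority row."""
    if not 0 <= priority <= 100:
        raise ValueError(f"priority out of range: {priority}")
    if priority == 100:
        return "human"
    if priority == 95:
        return "known-good product"
    # Values between the documented bands are reported, not guessed at.
    return "automated" if priority <= 90 else "unclassified"


def check_judgment(judgment, now=None):
    """Return the problems found in one exported judgment (empty if none)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if judgment.get("disposition_name") not in DISPOSITIONS:
        problems.append("unexpected disposition")
    if judgment.get("tlp") not in TLP_VALUES:
        problems.append("unexpected TLP")
    valid = judgment.get("valid_time", {})
    # A judgment without an end time never expires.
    if "start_time" in valid and now < parse_time(valid["start_time"]):
        problems.append("not yet valid")
    if "end_time" in valid and now >= parse_time(valid["end_time"]):
        problems.append("expired")
    return problems
```
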

You can delete private judgments in the Judgment Details drawer.
- Choose Intelligence in the navigation menu and click the Judgments tab.
- Click Private in the upper right corner to display the list of private judgments.
- Click the observable to open the Judgment Details drawer.
- Click Delete judgment in the lower right corner of the drawer.
- In the Delete Judgment confirmation dialog box, click Delete.