Judgments
The Judgments page provides the ability to search for stored public and private judgments that are deemed most relevant to incident response (for more information, see Intelligence). A judgment associates a disposition with an observable and is valid for an explicit span of time. Judgments can optionally be related to indicators, providing further insight as to why a specific disposition was associated with that observable.
You access this page by choosing Intelligence > Judgments in the navigation menu.
Public judgments are displayed by default. Click the Private tab to display the list of private judgments.
| Column Name | Description |
|---|---|
| Observable | The observable name based on the type (for example, the IP address or file hash). Click the (Pivot Menu) icon next to the observable to view the disposition, observable type, and verdicts associated with the observable, and to perform additional tasks. See View Verdicts and Tasks in Pivot Menu for more information. Click the Observable to open the Judgment Details drawer and view additional information. |
| Disposition | The intent or nature of an observable: whether it is malicious (untrusted), suspicious (questionable), unknown (neutral), common (favorable), or clean (trusted). |
| Reason | Why the observable disposition was determined. |
| Type | The type of observable (IP address, MD5 hash, SHA1 hash). |
| Start/End Times | The date and time the judgment was created and the date and time it expires (if an expiration date is set). |
| Source | Where the CTIM entity (data) originated, for example, who encoded the intel into a data object. |
| Severity | The seriousness of the threat that the observable presents (Critical, High, Medium, Low, None). |
| TLP | Traffic Light Protocol designation that indicates how the information should be shared (red, amber, green, or white). |
From the Judgments page, you can perform the following tasks:
Use the Search text box in the upper portion of the page to narrow the display of judgments. Click the tooltip next to the text box to view the search criteria and examples of common searches. Only stored data is searchable; data sources outside of Cisco XDR are not searchable.
You can sort the Judgments table based on the start date. Click the (Sort) icon next to the Start/End Date column to sort by oldest or most recent date and time.
Click the (Pivot Menu) icon next to the observable in the judgment to open the Pivot menu and view the verdicts associated with the observable, investigate it, create a new judgment, or perform additional tasks by leveraging your integrated Cisco products.
You can create judgments for an observable from the Pivot menu.
Click the (Pivot Menu) icon next to the observable and choose Create Judgment. Complete the form and then click Create.
For more information, see the Create Judgment help topic.
Click the judgment name to open the Judgment Details drawer and view additional information, download the judgment in JSON format, and delete a private judgment.
In the upper panel, the severity level and observable name are displayed.
Expand the General panel in the Judgment Details drawer and view the following information:
| Column Name | Description |
|---|---|
| Start Time/End Time | The date and time the judgment was created and the date and time it expires (if an expiration date is set). |
| Entity/Pivot Menu | The (Pivot Menu) icon next to the observable indicates the disposition and shows the verdicts that determined the disposition for the judgment. You can perform additional tasks from the Pivot menu, such as investigating the observable to view all of the verdicts or creating a new judgment for the observable. |
| Disposition | The intent or nature of an observable: whether it is malicious (untrusted), suspicious (questionable), unknown (neutral), common (favorable), or clean (trusted). |
| Reason | Why the observable disposition was determined. |
| Source | Where the CTIM entity (data) originated, for example, who encoded the intel into a data object. Click the Source to go to that instance and view more information. |
| Confidence | How confident the system that produced the data is in its accuracy. |
| Priority | A value 0-100 that represents the importance of a judgment, where automated judgments use a priority of 90 or less, known good products within your organization use a priority of 95, and human judgments use a priority of 100. |
| TLP | Traffic Light Protocol designation that indicates how the information should be shared (red, amber, green, or white). |
Expand the JSON panel in the Judgment Details drawer to view the judgment in JSON format.
If private judgments are displayed, you can delete them from the Judgment Details drawer.
Click the judgment Observable to open the drawer and then click Delete Judgment.
For more information, see the Delete Private Judgment help topic.